From 6120f1c7a015d7ea0d52a97f18159de45968064c Mon Sep 17 00:00:00 2001
From: Egor Ivkov <e.o.ivkov@gmail.com>
Date: Tue, 16 Jan 2024 17:14:28 +0300
Subject: [PATCH] refactor: perform access control checks at the start of
 proc_cas_local

---
 src/cas.rs | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/cas.rs b/src/cas.rs
index 297b7d28e1..facfd485bf 100644
--- a/src/cas.rs
+++ b/src/cas.rs
@@ -198,6 +198,14 @@ fn proc_cas_local(req: Request) -> Result<Response> {
         .into());
     }
 
+    // Check that sender is allowed to apply this operation.
+    // Executed as one of the first checks to prevent spending time on
+    // expensive range checks if the sender has no permissions for this operation.
+    //
+    // Note: audit log record is automatically emmitted in case there is an error,
+    // because it is hooked into AccessDenied error creation (on_access_denied) trigger
+    access_control::access_check_op(storage, &req.op, req.as_user)?;
+
     let last_persisted = raft::Storage::last_index(raft_storage)?;
     assert!(last_persisted <= last);
 
@@ -266,10 +274,6 @@ fn proc_cas_local(req: Request) -> Result<Response> {
         req.predicate.check_entry(entry.index, &op, storage)?;
     }
 
-    // Note: audit log record is automatically emmitted in case there is an error,
-    // because it is hooked into AccessDenied error creation (on_access_denied) trigger
-    access_control::access_check_op(storage, &req.op, req.as_user)?;
-
     if let Op::Dml(dml) = &req.op {
         // Check if the requested dml is applicable to the local storage.
         // This will run the required on_replace triggers which will check among
-- 
GitLab