PostCheck: Do permission checks first, then validate the input
This is the order that we follow in most REST endpoints.
Signed-off-by: Edwin Kempin <ekempin@google.com>
Change-Id: Ibf56826edcba55747e655f9ddbd05fec3a62b677
Signed-off-by: Edwin Kempin <ekempin@google.com>
diff --git a/java/com/google/gerrit/plugins/checks/api/PostCheck.java b/java/com/google/gerrit/plugins/checks/api/PostCheck.java
index 1a1d1c6..aba0995 100644
--- a/java/com/google/gerrit/plugins/checks/api/PostCheck.java
+++ b/java/com/google/gerrit/plugins/checks/api/PostCheck.java
@@ -76,6 +76,11 @@
public CheckInfo apply(RevisionResource rsrc, CheckInput input)
throws OrmException, IOException, RestApiException, PermissionBackendException,
ConfigInvalidException {
+ if (!self.get().isIdentifiedUser()) {
+ throw new AuthException("Authentication required");
+ }
+ permissionBackend.currentUser().check(permission);
+
if (input == null) {
input = new CheckInput();
}
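Review bot: Nothing at the top of `apply` records why the authentication and permission checks must stay ahead of the input handling, so a later edit could move validation back in front of them without anyone noticing. The commit message gives consistency with other endpoints as the reason. The ordering also appears to stop unauthenticated or unprivileged callers from getting validation feedback, such as the `invalid checker UUID: %s` message, before they are rejected. I would add a comment above the new block, for example `// Authorize first: callers without permission must not receive input-validation feedback.` A regression test would pin the order by asserting that an anonymous caller posting an invalid checker UUID gets `AuthException` rather than `BadRequestException`. The body of `apply` continues past this hunk, so later steps are not covered here.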
@@ -86,11 +91,6 @@
throw new BadRequestException(String.format("invalid checker UUID: %s", input.checkerUuid));
}
- if (!self.get().isIdentifiedUser()) {
- throw new AuthException("Authentication required");
- }
- permissionBackend.currentUser().check(permission);
-
CheckerUuid checkerUuid = CheckerUuid.parse(input.checkerUuid);
CheckKey key = CheckKey.create(rsrc.getProject(), rsrc.getPatchSet().getId(), checkerUuid);