check_sdn_bridge: check bridge first

[pve-access-control.git] / src / PVE / RPCEnvironment.pm

diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm
index 745296a95f31e8b4eed255bf76b355883a2149fb..075099d9fe617d6d5d38975ce5e45429d09877ab 100644 (file)
--- a/src/PVE/RPCEnvironment.pm
+++ b/src/PVE/RPCEnvironment.pm
@@ -329,6 +329,9 @@ sub check_sdn_bridge {
     my ($self, $username, $zone, $bridge, $privs, $noerr) = @_;
 
     my $path = "/sdn/zones/$zone/$bridge";
+    # check access to bridge itself
+    return 1 if $self->check_any($username, $path, $privs, 1);
+
     my $cfg = $self->{user_cfg};
     my $bridge_acl = PVE::AccessControl::find_acl_tree_node($cfg->{acl_root}, $path);
     if ($bridge_acl) {
@@ -338,8 +341,6 @@ sub check_sdn_bridge {
            my $vlanpath = "$path/$vlan";
            return 1 if $self->check_any($username, $vlanpath, $privs, 1);
        }
-       # check access to bridge itself
-       return 1 if $self->check_any($username, $path, $privs, 1);
     }
 
     # repeat check, but fatal