From f11e5311eb1facdfba266098b2987f682dc61a67 Mon Sep 17 00:00:00 2001
From: shirady <57721533+shirady@users.noreply.github.com>
Date: Wed, 15 Jan 2025 10:42:21 +0200
Subject: [PATCH] fail fast on DENY by permission_by_id
Signed-off-by: shirady <57721533+shirady@users.noreply.github.com>
---
 src/endpoint/s3/s3_rest.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/endpoint/s3/s3_rest.js b/src/endpoint/s3/s3_rest.js
index 98b0e8a00a..a4455486bf 100755
--- a/src/endpoint/s3/s3_rest.js
+++ b/src/endpoint/s3/s3_rest.js
@@ -289,14 +289,14 @@ async function authorize_request_policy(req) {
 s3_policy, account_identifier_id, method, arn_path, req);
 dbg.log3('authorize_request_policy: permission_by_id', permission_by_id);
 }
+ if (permission_by_id === "DENY") throw new S3Error(S3Error.AccessDenied);
 if ((!account_identifier_id || permission_by_id !== "DENY") && account.owner === undefined) {
 permission_by_name = await s3_bucket_policy_utils.has_bucket_policy_permission(
 s3_policy, account_identifier_name, method, arn_path, req);
 dbg.log3('authorize_request_policy: permission_by_name', permission_by_name);
 }
-
- if (permission_by_id === "DENY" || permission_by_name === "DENY") throw new S3Error(S3Error.AccessDenied);
+ if (permission_by_name === "DENY") throw new S3Error(S3Error.AccessDenied);
 if ((permission_by_id === "ALLOW" || permission_by_name === "ALLOW") || is_owner) return;
 throw new S3Error(S3Error.AccessDenied);
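Review bot: The added early throw makes the `permission_by_id !== "DENY"` test in the following condition always true, so `(!account_identifier_id || permission_by_id !== "DENY")` no longer gates anything and the by-name lookup now depends only on `account.owner === undefined`. In an authorization path a leftover guard like this misleads the next reader about which inputs still influence the decision; I would reduce that line to `if (account.owner === undefined) {`. A one-line comment above the two DENY throws, for example `// an explicit DENY for either identifier wins over any ALLOW and over is_owner`, would record why both checks run before the ALLOW/`is_owner` return. authorize_request_policy starts and ends outside the hunk, so this rests only on the visible lines.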