From 65622b428964c699f49b47ceae9e1aaa7c87b43d Mon Sep 17 00:00:00 2001
From: Leonardo Di Donato <leodidonato@gmail.com>
Date: Tue, 22 Jan 2019 01:22:39 +0100
Subject: [PATCH] chore(authorizer): refactor order of checks

Signed-off-by: Leonardo Di Donato <leodidonato@gmail.com>
---
 authorizer/secret.go      | 12 ++++++------
 authorizer/secret_test.go |  1 +
 authz.go                  |  2 +-
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/authorizer/secret.go b/authorizer/secret.go
index 15e1a70ee3..48e0f69b16 100644
--- a/authorizer/secret.go
+++ b/authorizer/secret.go
@@ -53,12 +53,12 @@ func authorizeWriteSecret(ctx context.Context, orgID influxdb.ID) error {
 
 // LoadSecret checks to see if the authorizer on context has read access to the secret key provided.
 func (s *SecretService) LoadSecret(ctx context.Context, orgID influxdb.ID, key string) (string, error) {
-	secret, err := s.s.LoadSecret(ctx, orgID, key)
-	if err != nil {
+	if err := authorizeReadSecret(ctx, orgID); err != nil {
 		return "", err
 	}
 
-	if err := authorizeReadSecret(ctx, orgID); err != nil {
+	secret, err := s.s.LoadSecret(ctx, orgID, key)
+	if err != nil {
 		return "", err
 	}
 
@@ -67,12 +67,12 @@ func (s *SecretService) LoadSecret(ctx context.Context, orgID influxdb.ID, key s
 
 // GetSecretKeys checks to see if the authorizer on context has read access to all the secrets belonging to orgID.
 func (s *SecretService) GetSecretKeys(ctx context.Context, orgID influxdb.ID) ([]string, error) {
-	secrets, err := s.s.GetSecretKeys(ctx, orgID)
-	if err != nil {
+	if err := authorizeReadSecret(ctx, orgID); err != nil {
 		return []string{}, err
 	}
 
-	if err := authorizeReadSecret(ctx, orgID); err != nil {
+	secrets, err := s.s.GetSecretKeys(ctx, orgID)
+	if err != nil {
 		return []string{}, err
 	}
 
diff --git a/authorizer/secret_test.go b/authorizer/secret_test.go
index fa15f43702..3faf273e29 100644
--- a/authorizer/secret_test.go
+++ b/authorizer/secret_test.go
@@ -250,6 +250,7 @@ func TestSecretService_GetSecretKeys(t *testing.T) {
 						OrgID: influxdbtesting.IDPtr(10),
 					},
 				},
+				org: influxdb.ID(10),
 			},
 			wants: wants{
 				err: &influxdb.Error{
diff --git a/authz.go b/authz.go
index 4173ee4d63..b81a617204 100644
--- a/authz.go
+++ b/authz.go
@@ -115,7 +115,7 @@ const (
 	MacrosResourceType = ResourceType("macros") // 8
 	// ScraperResourceType gives permission to one or more scrapers.
 	ScraperResourceType = ResourceType("scrapers") // 9
-	// SecretsResourceType gives permission to one or more scrapers.
+	// SecretsResourceType gives permission to one or more secrets.
 	SecretsResourceType = ResourceType("secrets") // 10
 )