From 029a5c07e14e1557e224645c47a127cc54cf887d Mon Sep 17 00:00:00 2001
From: Sam Talonborn
Date: Thu, 16 Nov 2023 09:25:35 -0800
Subject: [PATCH] Check user permissions before filesystem permissions in render_index.
---
 app/dexter.pl | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/app/dexter.pl b/app/dexter.pl
index d6225f3..c0d373b 100755
--- a/app/dexter.pl
+++ b/app/dexter.pl
@@ -121,6 +121,14 @@ helper render_index => sub ($c) {
 my $user = $c->req->env->{REMOTE_USER};
 my $path = $url->path;
+ if ( not user_has_permission_on_path($user, 'READ', $path) ) {
+ $c->render(template => 'error',
+ status => '403',
+ message => 'You are not allowed to view that index!');
+
+ return 0;
+ }
+
 if ( not -r $ROOT_DIRECTORY . $path->to_route ) {
 $path->trailing_slash(0);
 $path = $path->to_dir;
@@ -145,14 +153,6 @@ helper render_index => sub ($c) {
 return 0;
 }
- if ( not user_has_permission_on_path($user, 'READ', $path) ) {
- $c->render(template => 'error',
- status => '403',
- message => 'You are not allowed to view that index!');
-
- return 0;
- }
-
 my $sort_query = $url->query->param('sort');
 my $files_hash_ref = get_files_at_path_sorted_by_query($path, $sort_query);
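Review bot: The new `user_has_permission_on_path($user, 'READ', $path)` check at the top of the first hunk runs on `$path` exactly as it came from `$url->path`, while the readability test right below it resolves `$ROOT_DIRECTORY . $path->to_route` on disk; if those two forms can differ (dot segments, encoded characters, trailing slash), the ACL decision and the directory actually touched may not be the same one. Whether `user_has_permission_on_path` normalises its argument is not visible here, so I would normalise once before both checks, e.g. `$path = $path->canonicalize;` if this is a Mojo::Path, and reject anything that still contains `..`. `$user` is read from `REMOTE_USER` and may be undefined for an unauthenticated request, so the helper should be confirmed to deny in that case. A short comment above the check, `# Authorise before touching the filesystem so a 403 does not reveal whether the path exists.`, would keep a later refactor from moving it back. The body of `render_index` starts before and continues after this hunk.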