internet: refactor ACL evaluation for catalog queries
authorDaniel Salzman <daniel.salzman@nic.cz>
Thu, 30 Oct 2025 14:49:10 +0000 (15:49 +0100)
committerDaniel Salzman <daniel.salzman@nic.cz>
Thu, 30 Oct 2025 15:08:30 +0000 (16:08 +0100)
src/knot/nameserver/internet.c
src/knot/nameserver/process_query.c

index 8a499bf61ee22b69e930c2355503785a3e0bc615..cc9a169a5036bac03a15fae88b9022dd005fff39 100644 (file)
@@ -715,6 +715,8 @@ knot_layer_state_t internet_process_query(knot_pkt_t *pkt, knotd_qdata_t *qdata)
                if (ret != KNOT_EOK) {
                        return KNOT_STATE_FAIL;
                }
+       } else if (qdata->extra->zone->is_catalog_flag) {
+               NS_NEED_AUTH(qdata, ACL_ACTION_QUERY);
        }
 
        /* Check if the zone is not empty or expired. */
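Review bot: The new `else if` branch dereferences `qdata->extra->zone` without the `!= NULL` guard that the removed check in prepare_answer() had, and it only runs when the preceding `if` is not taken; that condition and the start of internet_process_query() are outside this hunk. Both are fine only if a zone-presence check runs earlier in the function and the first branch itself enforces `ACL_ACTION_QUERY`, which is worth confirming since neither is visible here. The explanatory comment was dropped with the old code; I would carry it over above the macro call as `/* Allow normal queries to catalog only if allowed by ACL. */`. Denial handling also appears to change: the old code cleared `zone` and `contents` and continued, whereas `NS_NEED_AUTH` presumably fails the query, so a test pinning the response an unauthorised client receives for a catalog zone would guard against leaking the zone's existence.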
index d82af139331735ce61c106f84a95f90506318fe5..b0442608119ff53f7cd6531b6617a14685337d9c 100644 (file)
@@ -497,15 +497,6 @@ static int prepare_answer(knot_pkt_t *query, knot_pkt_t *resp, knot_layer_t *ctx
                qdata->extra->contents = qdata->extra->zone->contents;
        }
 
-       /* Allow normal queries to catalog only if allowed by ACL. */
-       if (qdata->extra->zone != NULL && qdata->extra->zone->is_catalog_flag &&
-           query_type(query) == KNOTD_QUERY_TYPE_NORMAL) {
-               if (!process_query_acl_check(conf(), ACL_ACTION_QUERY, qdata)) {
-                       qdata->extra->zone = NULL;
-                       qdata->extra->contents = NULL;
-               }
-       }
-
        return KNOT_EOK;
 }