qemu: Obtain @caps only after ACL check in qemuNodeGetSecurityModel

Even though we are getting driver capabilities with
refresh=false (so that it is not expensive), we still should do
ACL check first because there is no point in bothering with the
capabilities if caller doesn't have permissions to call the API.
Also, this way the comment makes more sense.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>

diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index a9e8f660c762c83d371e4468af7c652bbd02b142..96ec84bd1c20db508c2226d887c9175ea2c330b2 100644 (file)
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -5934,14 +5934,12 @@ static int qemuNodeGetSecurityModel(virConnectPtr conn,
 
     memset(secmodel, 0, sizeof(*secmodel));
 
-    if (!(caps = virQEMUDriverGetCapabilities(driver, false)))
-        return 0;
-
     if (virNodeGetSecurityModelEnsureACL(conn) < 0)
         return 0;
 
     /* We treat no driver as success, but simply return no data in *secmodel */
-    if (caps->host.nsecModels == 0 ||
+    if (!(caps = virQEMUDriverGetCapabilities(driver, false)) ||
+        caps->host.nsecModels == 0 ||
         caps->host.secModels[0].model == NULL)
         return 0;