From e1abef7b3e4dbbd6a8534afb611d0058d5443b84 Mon Sep 17 00:00:00 2001
From: mcilwain
Date: Tue, 26 Mar 2019 08:45:42 -0700
Subject: [PATCH] Explain why permission check occurs before existence check

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=240355450
---
 .../registry/request/auth/AuthenticatedRegistrarAccessor.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/java/google/registry/request/auth/AuthenticatedRegistrarAccessor.java b/java/google/registry/request/auth/AuthenticatedRegistrarAccessor.java
index 520638d50..1d9412d1a 100644
--- a/java/google/registry/request/auth/AuthenticatedRegistrarAccessor.java
+++ b/java/google/registry/request/auth/AuthenticatedRegistrarAccessor.java
@@ -220,6 +220,8 @@ public class AuthenticatedRegistrarAccessor {
 * @param clientId ID of the registrar we request
 */
 public Registrar getRegistrar(String clientId) throws RegistrarAccessDeniedException {
+ // Verify access before checking if the registrar exists, in order to not leak information
+ // about objects in the system the user doesn't have permissions on.
 verifyAccess(clientId);
 Registrar registrar =