From d258740f24c8f29bc6f1a1f3ad5ddedc10c6bdc6 Mon Sep 17 00:00:00 2001
From: Jordan Reimer
Date: Thu, 15 Sep 2022 12:45:33 -0600
Subject: [PATCH] Prevent Requests to resultant-acl Endpoint When Unauthenticated (#17139)

* prevents requests to resultant-acl endpoint when not logged in

* removes unauthenticated mentions from resultant-acl api doc

* adds changelog entry
---
 changelog/17139.txt | 6 ++++++
 ui/app/routes/vault/cluster.js | 4 +++-
 .../content/api-docs/system/internal-ui-resultant-acl.mdx | 7 +++----
 3 files changed, 12 insertions(+), 5 deletions(-)
 create mode 100644 changelog/17139.txt

diff --git a/changelog/17139.txt b/changelog/17139.txt
new file mode 100644
index 000000000..81b7507f2
--- /dev/null
+++ b/changelog/17139.txt
@@ -0,0 +1,6 @@
+```release-note:improvement
+ui: Prevents requests to /sys/internal/ui/resultant-acl endpoint when unauthenticated
+```
+```release-note:improvement
+website/docs: Removes mentions of unauthenticated from internal ui resultant-acl doc
+```
\ No newline at end of file
diff --git a/ui/app/routes/vault/cluster.js b/ui/app/routes/vault/cluster.js
index 9f80e82e7..327bfc99f 100644
--- a/ui/app/routes/vault/cluster.js
+++ b/ui/app/routes/vault/cluster.js
@@ -72,7 +72,9 @@ export default Route.extend(ModelBoundaryRoute, ClusterRoute, {
 const id = this.getClusterId(params);
 if (id) {
 this.auth.setCluster(id);
- await this.permissions.getPaths.perform();
+ if (this.auth.currentToken) {
+ await this.permissions.getPaths.perform();
+ }
 return this.version.fetchFeatures();
 } else {
 return reject({ httpStatus: 404, message: 'not found', path: params.cluster_name });
diff --git a/website/content/api-docs/system/internal-ui-resultant-acl.mdx b/website/content/api-docs/system/internal-ui-resultant-acl.mdx
index 89f80ab19..c519c4448 100644
--- a/website/content/api-docs/system/internal-ui-resultant-acl.mdx
+++ b/website/content/api-docs/system/internal-ui-resultant-acl.mdx
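Review bot: The new `if (this.auth.currentToken)` guard in cluster.js only skips `getPaths.perform()`; it does not clear whatever the permissions service already holds, so if that service does not reset itself on logout, a cluster visit after a logout could leave the UI acting on paths computed for the previous token — worth confirming against the service and, if needed, resetting its cached paths in the unauthenticated case. Truthiness of `currentToken` is also taken as "logged in", so a token that is present but no longer valid will still trigger the request; that appears to be the existing semantics and is fine if `auth` already clears the token on expiry. The intent deserves a why-comment above the guard, e.g. `// resultant-acl requires a token; do not hit the endpoint before login`. The enclosing method starts and ends outside the hunk.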
@@ -8,11 +8,10 @@ description: >-
 
 # `/sys/internal/ui/resultant-acl`
 
 The `/sys/internal/ui/resultant-acl` endpoint is used to expose resultant-acl
-to the UI so that it can change its behavior in response, even before a user logs in.
+to the UI so that it can change its behavior in response.
 
-This is currently only being used internally for the UI and is
-an unauthenticated endpoint. Due to the nature of its intended usage, there is no
-guarantee on backwards compatibility for this endpoint.
+This is currently only being used internally for the UI. Due to the nature of its
+intended usage, there is no guarantee on backwards compatibility for this endpoint.
 
 ## Get Resultant-acl