From d7f6218869daefa39e6cd3fc52e3f7de6462e339 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Mon, 8 Aug 2016 16:44:29 -0400
Subject: [PATCH] Move checking non-assignable policies above the actual token creation
---
 vault/token_store.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/vault/token_store.go b/vault/token_store.go
index b0bc5bd55..28b3a054c 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -1307,11 +1307,6 @@ func (ts *TokenStore) handleCreateCommon(
 renewable = false
 }
 
- // Create the token
- if err := ts.create(&te); err != nil {
- return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
- }
-
 // Prevent internal policies from being assigned to tokens
 for _, policy := range te.Policies {
 if strutil.StrListContains(nonAssignablePolicies, policy) {
@@ -1319,6 +1314,11 @@ func (ts *TokenStore) handleCreateCommon(
 }
 }
 
+ // Create the token
+ if err := ts.create(&te); err != nil {
+ return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
+ }
+
 // Generate the response
 resp.Auth = &logical.Auth{
 DisplayName: te.DisplayName,
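Review bot: The added `// Create the token` comment does not say that `ts.create(&te)` must stay below every check that can reject the request, which is the ordering this patch depends on; a validation added after it later would again leave a token entry created (presumably persisted; `create` is not shown here) for a request that is then refused. I would word the comment as `// Create the token. Every check that can reject the request must run above this call.`, and add a test that a create request naming a non-assignable policy returns an error and leaves no token entry behind, since the diffstat shows no test file changed. Separately, the error branch reports any `ts.create` failure as `logical.ErrInvalidRequest` with the raw `err.Error()` text; if `create` can fail on the storage side, that is not a client error and the message may expose backend detail. `handleCreateCommon` starts and ends outside this hunk.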