Collect remove subs on first check

Signed-off-by: Derek Collison <derek@nats.io>
2026-04-14 10:10:42 -07:00 · 2018-11-07 09:25:32 -08:00
parent 3dde5b5a93
commit a442f6cde4
1 changed files with 6 additions and 6 deletions
--- a/server/client.go
+++ b/server/client.go
@@ -2249,8 +2249,10 @@ func (c *client) processSubsOnConfigReload(awcsti map[string]struct{}) {
 	// Collect client's subs under the lock
 	for _, sub := range c.subs {
 		subs = append(subs, sub)
-		// Just checking to rebuild mperms under the lock.
-		c.canSubscribe(string(sub.subject))
+		// Just checking to rebuild mperms under the lock, will collect removed though here.
+		if !c.canSubscribe(string(sub.subject)) {
+			removed = append(removed, sub)
+		}
 	}
 	c.mu.Unlock()

@@ -2258,10 +2260,7 @@ func (c *client) processSubsOnConfigReload(awcsti map[string]struct{}) {
 	// from config reload code prior to calling this function. So there is no risk
 	// of concurrent access to c.perms.
 	for _, sub := range subs {
-		if checkPerms && !c.canSubscribe(string(sub.subject)) {
-			removed = append(removed, sub)
-			c.unsubscribe(acc, sub, true)
-		} else if checkAcc {
+		if checkAcc {
 			c.mu.Lock()
 			oldShadows := sub.shadow
 			sub.shadow = nil
@@ -2275,6 +2274,7 @@ func (c *client) processSubsOnConfigReload(awcsti map[string]struct{}) {

 	// Report back to client and logs.
 	for _, sub := range removed {
+		c.unsubscribe(acc, sub, true)
 		c.sendErr(fmt.Sprintf("Permissions Violation for Subscription to %q (sid %q)",
 			sub.subject, sub.sid))
 		srv.Noticef("Removed sub %q (sid %q) for user %q - not authorized",