From 91088a5e0fc603617ee5a111c67ae164a9f8179a Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Wed, 5 Jul 2023 17:26:52 -0300
Subject: [PATCH] fix(polling): reorder operations to avoid updating untrusted environments EE-5700 (#9155)
---
 .../endpointedge/endpoint_edgestatus_inspect.go | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/api/http/handler/endpointedge/endpoint_edgestatus_inspect.go b/api/http/handler/endpointedge/endpoint_edgestatus_inspect.go
index 76df0159b..b7b156aec 100644
--- a/api/http/handler/endpointedge/endpoint_edgestatus_inspect.go
+++ b/api/http/handler/endpointedge/endpoint_edgestatus_inspect.go
@@ -83,13 +83,13 @@ func (handler *Handler) endpointEdgeStatusInspect(w http.ResponseWriter, r *http
 }
 if _, ok := handler.DataStore.Endpoint().Heartbeat(portainer.EndpointID(endpointID)); !ok {
- // EE-5910
+ // EE-5190
 return httperror.Forbidden("Permission denied to access environment", errors.New("the device has not been trusted yet"))
 }
 endpoint, err := handler.DataStore.Endpoint().Endpoint(portainer.EndpointID(endpointID))
 if err != nil {
- // EE-5910
+ // EE-5190
 return httperror.Forbidden("Permission denied to access environment", errors.New("the device has not been trusted yet"))
 }
@@ -126,6 +126,11 @@ func (handler *Handler) inspectStatus(tx dataservices.DataStoreTx, r *http.Reque
 return nil, err
 }
+ err = handler.requestBouncer.TrustedEdgeEnvironmentAccess(tx, endpoint)
+ if err != nil {
+ return nil, httperror.Forbidden("Permission denied to access environment", err)
+ }
+
 if endpoint.EdgeID == "" {
 edgeIdentifier := r.Header.Get(portainer.PortainerAgentEdgeIDHeader)
 endpoint.EdgeID = edgeIdentifier
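Review bot: The trust check added at the top of the @@ -126,6 hunk is evaluated on `endpoint` as it was read from the store, before the request header is copied into `endpoint.EdgeID` and before `UpdateEndpoint` persists it, so the property that matters — nothing request-supplied is written for an untrusted device — now depends purely on statement order and is easy to regress if a later edit inserts a mutation above it. A one-line comment would make that constraint explicit: `// Must stay ahead of every assignment from the request: an untrusted device's heartbeat must never reach UpdateEndpoint.` (assuming `TrustedEdgeEnvironmentAccess` itself only reads the endpoint, which its body does not show here). The @@ -144,12 hunk removes the old post-update check and the duplicated "Unable to Unable to" in the 500 message and needs no separate note. A handler test that posts a heartbeat for an untrusted endpoint and asserts both the 403 and that the stored record is unchanged would pin the ordering; inspectStatus's body starts before and continues past this hunk.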
@@ -144,12 +149,7 @@ func (handler *Handler) inspectStatus(tx dataservices.DataStoreTx, r *http.Reque
 err = tx.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
 if err != nil {
- return nil, httperror.InternalServerError("Unable to Unable to persist environment changes inside the database", err)
- }
-
- err = handler.requestBouncer.TrustedEdgeEnvironmentAccess(tx, endpoint)
- if err != nil {
- return nil, httperror.Forbidden("Permission denied to access environment", err)
+ return nil, httperror.InternalServerError("Unable to persist environment changes inside the database", err)
 }
 checkinInterval := endpoint.EdgeCheckinInterval
@@ -237,6 +237,7 @@ func (handler *Handler) buildSchedules(endpointID portainer.EndpointID, tunnel p
 schedules = append(schedules, schedule)
 }
+ return schedules, nil
 }