From 7ca3f0a466b1b2527970ab70bc28bf1e4dd97bfd Mon Sep 17 00:00:00 2001
From: James Phillips
Date: Mon, 9 Nov 2015 20:42:52 -0800
Subject: [PATCH] Adds an explicit ACL check that will fail vs. trying other DCs.

---
 consul/prepared_query_endpoint.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/consul/prepared_query_endpoint.go b/consul/prepared_query_endpoint.go
index 6bfcfe74b0..3ebd836aa9 100644
--- a/consul/prepared_query_endpoint.go
+++ b/consul/prepared_query_endpoint.go
@@ -292,9 +292,14 @@ func (p *PreparedQuery) execute(query *structs.PreparedQuery,
 // the token stored with the query, NOT the passed-in one, which is
 // critical to how queries work (the query becomes a proxy for a lookup
 // using the ACL it was created with).
- if err := p.srv.filterACL(query.Token, nodes); err != nil {
+ acl, err := p.srv.resolveToken(query.Token)
+ if err != nil {
 return err
 }
+ if acl != nil && !acl.ServiceRead(query.Service.Service) {
+ p.srv.logger.Printf("[WARN] consul.prepared_query: Execute of prepared query for service '%s' denied due to ACLs", query.Service.Service)
+ return permissionDeniedErr
+ }

 // Filter out any unhealthy nodes.
 nodes = nodes.Filter(query.Service.OnlyPassing)
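Review bot: The `acl != nil &&` guard in the added check fails open: whenever `resolveToken` returns a nil ACL with no error, the query runs with no authorization at all, and nothing in the hunk says when that happens. If nil only means ACL enforcement is disabled (resolveToken is not visible here, so confirm), state it above the check, e.g. `// A nil ACL means ACL enforcement is disabled, so there is nothing to check.` The change also swaps the per-result `filterACL(query.Token, nodes)` for a single `ServiceRead` on the service name, so confirm that filterACL enforced nothing beyond service read for these results, since anything else it removed is now returned. The warning would be safer to read and audit with the name quoted, `'%s'` → `%q`, because the service name comes from the stored query definition. execute starts and ends outside the hunk.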