From ab1881d02ee1ab9e68d161fd43a17f8b541e75f3 Mon Sep 17 00:00:00 2001
From: yusing
Date: Sun, 18 Jan 2026 10:50:46 +0800
Subject: [PATCH] fix(acl): deny rules now have higher precedence than allow rules
---
 internal/acl/config.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/internal/acl/config.go b/internal/acl/config.go
index 244bc451..f54b50be 100644
--- a/internal/acl/config.go
+++ b/internal/acl/config.go
@@ -292,16 +292,16 @@ func (c *Config) IPAllowed(ip net.IP) bool {
 }
 ipAndStr := &maxmind.IPInfo{IP: ip, Str: ipStr}
- if c.Allow.Match(ipAndStr) {
- c.logAndNotify(ipAndStr, true)
- c.cacheRecord(ipAndStr, true)
- return true
- }
 if c.Deny.Match(ipAndStr) {
 c.logAndNotify(ipAndStr, false)
 c.cacheRecord(ipAndStr, false)
 return false
 }
+ if c.Allow.Match(ipAndStr) {
+ c.logAndNotify(ipAndStr, true)
+ c.cacheRecord(ipAndStr, true)
+ return true
+ }
 c.logAndNotify(ipAndStr, c.defaultAllow)
 c.cacheRecord(ipAndStr, c.defaultAllow)
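Review bot: Nothing at the reordered `c.Deny.Match` / `c.Allow.Match` checks in `IPAllowed` records that deny now wins when an address matches both lists, and that is a breaking change for existing configs. An allow entry that used to carve an exception out of a broader deny entry is now rejected, so an upgrade can lock out a host that was reachable before. I would add `// Deny is evaluated before Allow: an IP matching both lists is rejected.` above the `if c.Deny.Match(ipAndStr)` line and mention the change in the ACL documentation. The diffstat shows only config.go, so a test that feeds an IP matching both `Allow` and `Deny` and expects `false` would pin the precedence. The body of `IPAllowed` starts and ends outside the hunk, so whatever runs before these checks (presumably a cache lookup, given the `cacheRecord` calls) is not visible here and should be confirmed to follow the same ordering.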