No. That is the right one. The validations happen first in 1113, then the respond_to_request method is called in 1125 where permission_callback in handled. I think permission checks should come first before validations.
That is where the method is defined, but it is called at L1125 while L1113 is where the validation happens first.
