From 601ed67ab8fd42240741de4513f7ed9e0206d582 Mon Sep 17 00:00:00 2001
From: Chris Baker <1675087+cgbaker@users.noreply.github.com>
Date: Tue, 8 Sep 2020 19:33:55 +0000
Subject: [PATCH 1/2] check ACLs against deployment namespace on Deployment.GetDeployment, filtering the deployment if the ACL isn't appropriate

---
 nomad/deployment_endpoint.go | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/nomad/deployment_endpoint.go b/nomad/deployment_endpoint.go
index 1a9d812d5..8fc88a798 100644
--- a/nomad/deployment_endpoint.go
+++ b/nomad/deployment_endpoint.go
@@ -52,14 +52,15 @@ func (d *Deployment) GetDeployment(args *structs.DeploymentSpecificRequest,
  return err
  }
 
+ // Re-check namespace in case it differs from request.
+ if out != nil && !allowNsOp(aclObj, out.Namespace) {
+ // 404
+ out = nil
+ }
+
  // Setup the output
  reply.Deployment = out
  if out != nil {
- // Re-check namespace in case it differs from request.
- if !allowNsOp(aclObj, out.Namespace) {
- return structs.NewErrUnknownAllocation(args.DeploymentID)
- }
-
  reply.Index = out.ModifyIndex
  } else {
  // Use the last index that affected the deployments table

From 2cd66b527b86f197caf3d3ffe1a666bc74d76319 Mon Sep 17 00:00:00 2001
From: Chris Baker <1675087+cgbaker@users.noreply.github.com>
Date: Tue, 8 Sep 2020 16:39:51 -0500
Subject: [PATCH 2/2] Update nomad/deployment_endpoint.go

---
 nomad/deployment_endpoint.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nomad/deployment_endpoint.go b/nomad/deployment_endpoint.go
index 8fc88a798..03a9341ee 100644
--- a/nomad/deployment_endpoint.go
+++ b/nomad/deployment_endpoint.go
@@ -54,7 +54,7 @@ func (d *Deployment) GetDeployment(args *structs.DeploymentSpecificRequest,
 
  // Re-check namespace in case it differs from request.
  if out != nil && !allowNsOp(aclObj, out.Namespace) {
- // 404
+ // hide this deployment, caller is not authorized to view it
  out = nil
  }
 
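Review bot: The filtering branch added in patch 1/2, `if out != nil && !allowNsOp(aclObj, out.Namespace)`, ships without a regression test: the diffstat of both patches lists only nomad/deployment_endpoint.go, so nothing pins the cross-namespace behaviour this change exists to enforce. A test should look up a deployment ID that lives in one namespace with a token whose ACL covers only a different namespace, and assert a nil error with `reply.Deployment == nil`, exactly as for an unknown ID. It is worth asserting `reply.Index` in the same test, because with `out` set to nil the code falls into the `else` branch, which continues past the end of the hunk, and the hidden and not-found replies should stay indistinguishable to the caller. GetDeployment starts before and ends after this hunk, so whatever earlier check the "Re-check" comment refers to is not visible here.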