From eca6f8573a107c35fdf9b78fd667cae1ef6c8072 Mon Sep 17 00:00:00 2001
From: Charlie Voiselle
Date: Mon, 20 Nov 2017 15:00:24 -0500
Subject: [PATCH 1/2] Changed permission check to requested namespace

Original code checked to see if the user had submit-job on the default namespace.
---
nomad/job_endpoint.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nomad/job_endpoint.go b/nomad/job_endpoint.go
index 037176033..521782b54 100644
--- a/nomad/job_endpoint.go
+++ b/nomad/job_endpoint.go
@@ -1023,12 +1023,12 @@ func (j *Job) Plan(args *structs.JobPlanRequest, reply *structs.JobPlanResponse)
 if aclObj, err := j.srv.ResolveToken(args.AuthToken); err != nil {
 return err
 } else if aclObj != nil {
- if !aclObj.AllowNsOp(structs.DefaultNamespace, acl.NamespaceCapabilitySubmitJob) {
+ if !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySubmitJob) {
 return structs.ErrPermissionDenied
 }
 // Check if override is set and we do not have permissions
 if args.PolicyOverride {
- if !aclObj.AllowNsOp(structs.DefaultNamespace, acl.NamespaceCapabilitySentinelOverride) {
+ if !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySentinelOverride) {
 return structs.ErrPermissionDenied
 }
 }
From d5a776601b22fa6a335e8ab238c2896a6160b692 Mon Sep 17 00:00:00 2001
From: Preetha Appan
Date: Mon, 20 Nov 2017 17:12:13 -0600
Subject: [PATCH 2/2] Use request namespace in Register method

---
nomad/job_endpoint.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nomad/job_endpoint.go b/nomad/job_endpoint.go
index 521782b54..572b96b81 100644
--- a/nomad/job_endpoint.go
+++ b/nomad/job_endpoint.go
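Review bot: The capability check on the first `+` line now keys on `args.RequestNamespace()`, but the job being planned carries its own `Job.Namespace` field and nothing in this hunk ties the two together, so the authorization decision is only sound if the request namespace is guaranteed to equal the job's namespace. Presumably that equality is enforced elsewhere in Plan or at the HTTP layer; that is worth confirming, and if it is, a short comment above the check such as `// Request namespace is validated to match args.Job.Namespace before this check` would make the dependency explicit for the next reader. The same observation applies to the Register hunk in the second patch. Plan's body starts and ends outside the hunk.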
@@ -77,12 +77,12 @@ func (j *Job) Register(args *structs.JobRegisterRequest, reply *structs.JobRegis
 if aclObj, err := j.srv.ResolveToken(args.AuthToken); err != nil {
 return err
 } else if aclObj != nil {
- if !aclObj.AllowNsOp(structs.DefaultNamespace, acl.NamespaceCapabilitySubmitJob) {
+ if !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySubmitJob) {
 return structs.ErrPermissionDenied
 }
 // Check if override is set and we do not have permissions
 if args.PolicyOverride {
- if !aclObj.AllowNsOp(structs.DefaultNamespace, acl.NamespaceCapabilitySentinelOverride) {
+ if !aclObj.AllowNsOp(args.RequestNamespace(), acl.NamespaceCapabilitySentinelOverride) {
 j.srv.logger.Printf("[WARN] nomad.job: policy override attempted without permissions for Job %q", args.Job.ID)
 return structs.ErrPermissionDenied
 }
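Review bot: The WARN emitted after the second `+` line still reports only the job ID, although the denial now depends on which namespace the request targeted; without it the log entry is ambiguous once the same job ID exists in more than one namespace, so the message should carry it, e.g. `j.srv.logger.Printf("[WARN] nomad.job: policy override attempted without permissions for Job %q in namespace %q", args.Job.ID, args.RequestNamespace())`. The submit-job denial on the first `+` line returns `structs.ErrPermissionDenied` with no log line at all, so operators get a record of rejected override attempts but not of rejected submissions; a matching WARN there would be consistent with the override branch. Register's body starts and ends outside the hunk.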