From 759be9763564f46c6ef9eb0f92c27dcba9cba89a Mon Sep 17 00:00:00 2001
From: James Phillips
Date: Fri, 14 Jul 2017 20:43:30 -0700
Subject: [PATCH] Changes ACL clone response to 403 if not authorized, or if token doesn't exist. (#3275)

Fixes #1113
---
 agent/acl_endpoint.go | 7 +++----
 agent/acl_endpoint_test.go | 9 ++++++++-
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/agent/acl_endpoint.go b/agent/acl_endpoint.go
index 9d217764d..72cb52452 100644
--- a/agent/acl_endpoint.go
+++ b/agent/acl_endpoint.go
@@ -128,11 +128,10 @@ func (s *HTTPServer) ACLClone(resp http.ResponseWriter, req *http.Request) (inte
 return nil, err
 }
 
- // Bail if the ACL is not found
+ // Bail if the ACL is not found, this could be a 404 or a 403, so
+ // always just return a 403.
 if len(out.ACLs) == 0 {
- resp.WriteHeader(404)
- fmt.Fprint(resp, "Target ACL not found")
- return nil, nil
+ return nil, errPermissionDenied
 }
 
 // Create a new ACL
diff --git a/agent/acl_endpoint_test.go b/agent/acl_endpoint_test.go
index 915d22cb3..8ab3b6580 100644
--- a/agent/acl_endpoint_test.go
+++ b/agent/acl_endpoint_test.go
@@ -124,8 +124,15 @@ func TestACL_Clone(t *testing.T) {
 id := makeTestACL(t, a.srv)
 
- req, _ := http.NewRequest("PUT", "/v1/acl/clone/"+id+"?token=root", nil)
+ req, _ := http.NewRequest("PUT", "/v1/acl/clone/"+id, nil)
 resp := httptest.NewRecorder()
+ _, err := a.srv.ACLClone(resp, req)
+ if !isPermissionDenied(err) {
+ t.Fatalf("err: %v", err)
+ }
+
+ req, _ = http.NewRequest("PUT", "/v1/acl/clone/"+id+"?token=root", nil)
+ resp = httptest.NewRecorder()
 obj, err := a.srv.ACLClone(resp, req)
 if err != nil {
 t.Fatalf("err: %v", err)
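Review bot: The new comment above `if len(out.ACLs) == 0` says the case "could be a 404 or a 403" but never states why collapsing both into `errPermissionDenied` is desirable, which is the point a future maintainer is most likely to undo; suggest `// Return 403 for both not-found and unauthorized so the response does not reveal whether a given ACL ID exists to a caller without permission.` With `fmt.Fprint(resp, "Target ACL not found")` removed, confirm that `fmt` is still referenced elsewhere in acl_endpoint.go, otherwise the file will fail to compile with an unused import (the import block is not visible in this hunk). ACLClone begins before the hunk, so the query that populates `out` and any earlier error handling are not reviewed here.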