From 413728fcde2435f1abfb3e1001331b686e43a38f Mon Sep 17 00:00:00 2001
From: Tim Gross
Date: Fri, 1 Dec 2023 13:01:48 -0500
Subject: [PATCH] variables: fix access to variables for poststop tasks (#19270)

In the recent auth refactor, we accidentally fixed a bug where poststop tasks would not get access to Variables. Fix this same bug for backports by ensuring that we use client-terminal status and not server-terminal status to enforce access.
---
 .changelog/19270.txt | 3 +++
 nomad/acl.go | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 .changelog/19270.txt
diff --git a/.changelog/19270.txt b/.changelog/19270.txt
new file mode 100644
index 000000000..50b19082f
--- /dev/null
+++ b/.changelog/19270.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+variables: Fixed a bug where poststop tasks were not allowed access to Variables
+```
diff --git a/nomad/acl.go b/nomad/acl.go
index 90afed9fd..43960bda7 100644
--- a/nomad/acl.go
+++ b/nomad/acl.go
@@ -247,7 +247,7 @@ func (s *Server) VerifyClaim(token string) (*structs.IdentityClaims, error) {
 }
 // the claims for terminal allocs are always treated as expired
- if alloc.TerminalStatus() {
+ if alloc.ClientTerminalStatus() {
 return nil, fmt.Errorf("allocation is terminal")
 }
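Review bot: The comment above the changed condition in nomad/acl.go still says claims for "terminal allocs" are treated as expired, but the check now rejects only client-terminal allocations, so a token for an allocation the server has already marked to stop keeps verifying until the client reports a terminal state. That widening is what poststop tasks need, but it lengthens the token's validity window in an authorization path, so the comment should say so, for example `// claims expire only once the client reports the alloc terminal; a server-side stop alone must not revoke access while poststop tasks may still run`. The patch carries no test, so a VerifyClaim case with an allocation whose desired status is stop while its client status is still running would pin the behaviour, presumably next to whatever case already covers terminal allocations. VerifyClaim's body starts and ends outside the hunk.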