From 571b5e67739cb885ec29d3b2a7d7ae4dc3b89b9b Mon Sep 17 00:00:00 2001
From: Max Russell
Date: Tue, 13 Feb 2024 17:37:02 -0800
Subject: [PATCH] fix: stop double substituting unauthorized error (#1191)
---
 master/internal/api_notebook.go | 12 +++++++++++-
 master/internal/command/authz_rbac.go | 6 +-----
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/master/internal/api_notebook.go b/master/internal/api_notebook.go
index 3f48367ea705..c85968047eaf 100644
--- a/master/internal/api_notebook.go
+++ b/master/internal/api_notebook.go
@@ -35,6 +35,7 @@ import (
 "github.com/determined-ai/determined/master/pkg/tasks"
 "github.com/determined-ai/determined/proto/pkg/apiv1"
 "github.com/determined-ai/determined/proto/pkg/notebookv1"
+ "github.com/determined-ai/determined/proto/pkg/rbacv1"
 "github.com/determined-ai/determined/proto/pkg/workspacev1"
 )
 
@@ -211,7 +212,16 @@ func (a *apiServer) isNTSCPermittedToLaunch(
 if err := command.AuthZProvider.Get().CanGetTensorboard(
 ctx, *user, workspaceID, spec.Metadata.ExperimentIDs, spec.Metadata.TrialIDs,
 ); err != nil {
- return authz.SubIfUnauthorized(err, apiutils.MapAndFilterErrors(err, nil, nil))
+ var pdErr authz.PermissionDeniedError
+ if errors.As(err, &pdErr) {
+ for _, perm := range pdErr.RequiredPermissions {
+ if perm == rbacv1.PermissionType_PERMISSION_TYPE_VIEW_WORKSPACE {
+ return apiutils.ErrNotFound
+ }
+ }
+ }
+
+ return apiutils.MapAndFilterErrors(err, nil, nil)
 }
 } else {
 if err := command.AuthZProvider.Get().CanCreateNSC(
diff --git a/master/internal/command/authz_rbac.go b/master/internal/command/authz_rbac.go
index 1c83a4a73456..6f80631344fd 100644
--- a/master/internal/command/authz_rbac.go
+++ b/master/internal/command/authz_rbac.go
@@ -4,9 +4,6 @@ import (
 "context"
 "fmt"
 
- "google.golang.org/grpc/codes"
- "google.golang.org/grpc/status"
-
 log "github.com/sirupsen/logrus"
 
 "github.com/determined-ai/determined/master/internal/authz"
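Review bot: In the `isNTSCPermittedToLaunch` hunk of api_notebook.go, the not-found substitution only fires when `errors.As(err, &pdErr)` matches a value-typed `authz.PermissionDeniedError`; if any authz path returns the error as a pointer or as a different type (neither is visible here), the code falls through to `MapAndFilterErrors` and a user without workspace view rights gets a permission-denied response instead of not-found, which confirms that the workspace exists. The check also hard-codes which permission `CanGetTensorboard` evaluates, so it is worth saying so above the block, e.g. `// Hide workspace existence: a missing VIEW_WORKSPACE permission must surface as NotFound, not PermissionDenied.`, and pinning the not-found response with a test for a user who lacks that permission. If the module's Go version provides `slices`, the inner loop reads more directly as `if slices.Contains(pdErr.RequiredPermissions, rbacv1.PermissionType_PERMISSION_TYPE_VIEW_WORKSPACE) { return apiutils.ErrNotFound }`. The function body starts and ends outside the hunk.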
@@ -191,8 +188,7 @@ func (a *NSCAuthZRBAC) CanGetTensorboard( err := a.checkForPermission(ctx, curUser, workspaceID, rbacv1.PermissionType_PERMISSION_TYPE_VIEW_WORKSPACE) if err != nil { - return authz.SubIfUnauthorized(err, - status.Errorf(codes.NotFound, "workspace (%d) not found", workspaceID)) + return err } expToWorkspaceIDs, err := db.ExperimentIDsToWorkspaceIDs(ctx, experimentIDs)
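Review bot: With `return err` in `CanGetTensorboard`, the RBAC layer no longer hides a missing VIEW_WORKSPACE permission behind NotFound, so every caller now has to do that mapping itself. Only the `isNTSCPermittedToLaunch` call site is updated in this patch; any other caller (none are visible here) would start answering permission-denied for workspaces the user cannot see, which discloses their existence. A doc comment on the method should state the new contract, e.g. `// CanGetTensorboard returns the permission error unmodified; callers must map a missing VIEW_WORKSPACE permission to NotFound.` The method's signature and the rest of its body are outside the hunk.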