diff --git a/pkg/rbac/rbac.go b/pkg/rbac/rbac.go
index 58da816..3d4cce6 100644
--- a/pkg/rbac/rbac.go
+++ b/pkg/rbac/rbac.go
@@ -12,13 +12,18 @@ import (
 var (
 ErrBadSubject = errors.New("bad subject in token")
+ ErrAccessDenied = errors.New("access denied")
 )
-func ErrAccessDenied(err error) *restrict.AccessDeniedError {
+func IsErrAccessDenied(err error) error {
 if accessErr, ok := err.(*restrict.AccessDeniedError); ok {
 return accessErr
 }
+ if err == ErrAccessDenied {
+ return err
+ }
+
 return nil
 }
@@ -115,5 +120,7 @@ func (r *rbac) Check(ctx context.Context, res restrict.Resource, opts ...CheckOp
 Context: o.context,
 }
- return sub, r.access.Authorize(req)
+ authRes := r.access.Authorize(req)
+
+ return sub, authRes
 }
diff --git a/pkg/rest/api.go b/pkg/rest/api.go
index 2a02206..6fc0fd8 100644
--- a/pkg/rest/api.go
+++ b/pkg/rest/api.go
@@ -179,7 +179,7 @@ func autoError(err error) render.Renderer {
 }
 }
- if rbac.ErrAccessDenied(err) != nil {
+ if rbac.IsErrAccessDenied(err) != nil {
 return forbiddenErrText(err)
 }
diff --git a/pkg/shares/store.go b/pkg/shares/store.go
index 46dd3e6..85cae56 100644
--- a/pkg/shares/store.go
+++ b/pkg/shares/store.go
@@ -123,7 +123,7 @@ func (s *postgresStore) Shares(ctx context.Context, p SharesParams) (shares []*S
 case *entities.SystemServiceSubject:
 owner = nil
 default:
- return nil, 0, rbac.ErrAccessDenied(rbac.ErrNotAuthorized)
+ return nil, 0, rbac.ErrAccessDenied
 }
 db := database.FromCtx(ctx)
diff --git a/pkg/sources/http.go b/pkg/sources/http.go
index dbc51f7..e004621 100644
--- a/pkg/sources/http.go
+++ b/pkg/sources/http.go
@@ -134,7 +134,7 @@ func (h *RdioHTTP) routeCallUpload(w http.ResponseWriter, r *http.Request) {
 }
 err = h.ing.Ingest(entities.CtxWithSubject(ctx, submitterSub), call)
 if err != nil {
- if rbac.ErrAccessDenied(err) != nil {
+ if rbac.IsErrAccessDenied(err) != nil {
 log.Error().Err(err).Msg("ingest failed")
 http.Error(w, "Call ingest failed.", http.StatusForbidden)
 }
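Review bot: In pkg/rbac/rbac.go, `IsErrAccessDenied` recognises a denial only by identity (`err == ErrAccessDenied`) and by a direct type assertion. If any layer between pkg/shares/store.go and the handlers wraps the error with `%w`, it returns nil and the callers in pkg/rest/api.go and pkg/sources/http.go would stop treating the failure as a 403. `errors` is already in use in this file, so `if errors.Is(err, ErrAccessDenied) { return err }` and `var accessErr *restrict.AccessDeniedError` with `if errors.As(err, &accessErr) { return accessErr }` keep the classification stable under wrapping (Go 1.13+). The `Is` prefix also reads as a predicate while the function returns `error`. Either return `bool`, or add doc comments on `ErrAccessDenied` and `IsErrAccessDenied` stating that a non-nil result means "denied".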
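Review bot: In `Check` (second hunk of pkg/rbac/rbac.go), `authRes` is assigned and returned with nothing in between, so the temporary changes no behaviour, and its name hides that it appears to carry the authorization error. Either keep `return sub, r.access.Authorize(req)` or name the value `err`. If the split was meant as the place to translate a restrict denial into `ErrAccessDenied`, that mapping is not in this hunk. The start of `Check` lies outside the hunk.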