plugins.topic_checking: Check the `action` in `topic_acl`.

We maintain backward compatibility with older configurations by assuming all `PUBLISH` actions are permitted if no ACL is present. Otherwise, we follow the same rules as for `SUBSCRIBE`, with the exception that we read the ACL from the `publish-acl` property instead of `acl`.
2021-06-06 15:44:51 +10:00 · 2021-06-06 15:44:51 +10:00 · ed11f7cb9c
commit ed11f7cb9c
--- a/amqtt/plugins/topic_checking.py
+++ b/amqtt/plugins/topic_checking.py
@ -66,11 +66,24 @@ class TopicAccessControlListPlugin(BaseTopicPlugin):
        if filter_result:
            session = kwargs.get("session", None)
            req_topic = kwargs.get("topic", None)
+            action = kwargs.get("action", None)
+
+            # hbmqtt and older amqtt do not support publish filtering
+            if (action == "publish") and ("publish-acl" not in self.topic_config):
+                # maintain backward compatibility, assume permitted
+                return True
+
            if req_topic:
                username = session.username
                if username is None:
                    username = "anonymous"
-                allowed_topics = self.topic_config["acl"].get(username, None)
+
+                if action == "publish":
+                    acl = self.topic_config["publish-acl"]
+                elif action == "subscribe":
+                    acl = self.topic_config["acl"]
+
+                allowed_topics = acl.get(username, None)
                if allowed_topics:
                    for allowed_topic in allowed_topics:
                        if self.topic_ac(req_topic, allowed_topic):