I’m playing around with the ACL feature in your Cedalo GUI. I’ve mostly figured out what each ACL type does except publishClientReceive does not appear to have any effect. It seems if I want to restrict which topics the client can receive, I have to restrict its subscriptions instead. In other words, my client can receive messages for any topics that it can subscribe to regardless of any publishClientReceive rule.
I hope you’ll forgive me a little bit of a long-winded explanation with bits that aren’t necessarily directly related to your question.
The subscribe* and unsubscribe* checks occur when your client attempts to subscribe or unsubscribe from a topic. I agree that it is unlikely many people will want to use the unsubscribe rule, but it is there for completeness.
The publishClientSend and publishClientReceive checks occur around messages being published. publishClientSend controls what topics your client is allowed to publish to. publishClientReceive controls what topics your client can receive messages from, assuming it already has a subscription for that topic. In the internal broker workings, the broker receives a publish from a client, it searches the subscriptions to find which clients have subscriptions for the topic, and it is at that point that each client is checked to see whether it is allowed to receive the message.
You’ve probably already seen that a client can have multiple roles, and be part of groups that also have multiple roles. Every one of the ACL checks works through the roles and ACLs in a specific order until it finds a matching topic. That means the first ACL rule that matches will determine the ACL result, either allow or deny. If there are no matching ACLs, the default ACL behaviour is used. By default this is set to deny for publishClientSend and subscribe - so your client can neither send nor receive messages, and set to allow for publishClientReceive and unsubscribe. Unsubscribe we’ve already said isn’t a useful rule for most people so it defaults to allow. publishClientReceive also defaults to allow because the subscribe rule is enough for most people and defaults to deny.
So, with all that background now let’s look at your case. You haven’t shared a screenshot of it, but I bet you haven’t changed the default behaviour for publishClientReceive to deny, which means any topics that don’t match an ACL will be allowed. Now looking at the specific ACL rule you have - it is also set to allow, so that means any topics matching that rule will be allowed.
Does that help?
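The evaluation order and per-type defaults described in the answer above, as an added worked example that is not part of the original thread and not the broker's or Cedalo's own code: it models a client's roles as an ordered list of ACLs, applies first-match-wins, and falls back to the per-type default. The role layout, the topic names and the assumption that roles are simply walked in list order are constructed for illustration; only the MQTT wildcard semantics and the defaults stated in the answer are taken as given.

```python
# Simplified model of the ACL evaluation described in the answer (added
# example, not the broker's code): walk the client's roles and their ACLs in
# order, the first matching rule wins, otherwise the per-type default applies.
# Walking roles in plain list order is an assumption of this model.

# Defaults as stated in the answer: send and subscribe deny, receive and
# unsubscribe allow.
DEFAULTS = {
    "publishClientSend": "deny",
    "subscribe": "deny",
    "publishClientReceive": "allow",
    "unsubscribe": "allow",
}

def topic_matches(pattern, topic):
    """MQTT-style match: '+' matches one level, '#' matches all remaining levels."""
    p, t = pattern.split("/"), topic.split("/")
    for i, level in enumerate(p):
        if level == "#":
            return True
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(p) == len(t)

def check_acl(roles, acltype, topic, defaults=DEFAULTS):
    """Return 'allow' or 'deny' for one check of `acltype` on `topic`.
    roles: ordered list of {"acls": [{"acltype", "topic", "allow": bool}, ...]}."""
    for role in roles:
        for acl in role["acls"]:
            if acl["acltype"] == acltype and topic_matches(acl["topic"], topic):
                return "allow" if acl["allow"] else "deny"
    return defaults[acltype]  # no rule matched: default behaviour decides

# Constructed role mirroring the question: a broad subscribe allow plus a
# single publishClientReceive allow rule for one topic.
CLIENT_ROLES = [{"acls": [
    {"acltype": "subscribe", "topic": "sensors/#", "allow": True},
    {"acltype": "publishClientReceive", "topic": "sensors/temp", "allow": True},
]}]

def receive_with_default_allow(topic):
    """The questioner's setup: receive default left at allow."""
    return check_acl(CLIENT_ROLES, "publishClientReceive", topic)

def receive_with_default_deny(topic):
    """Same role, but the publishClientReceive default switched to deny."""
    strict = dict(DEFAULTS, publishClientReceive="deny")
    return check_acl(CLIENT_ROLES, "publishClientReceive", topic, strict)

if __name__ == "__main__":
    for t in ("sensors/temp", "sensors/humidity"):
        print(t, receive_with_default_allow(t), receive_with_default_deny(t))
```

With the default left at allow, both topics are received; only after switching the default to deny does the single allow rule actually restrict delivery to sensors/temp.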
Thanks for the explanation. That makes sense.