From 004bd3c5cda9304c4af480ca08cb37badd433eed Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Wed, 28 Oct 2020 10:31:51 +0000
Subject: [PATCH] Dynsec: Set default behaviour to be less restrictive.
Publish broker to client and unsubscribe are now allowed by default. With Publish client to broker and subscribe denied by default there is still no way a client can exchange messages, but it is now easier to administer.
---
 apps/mosquitto_ctrl/dynsec.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/apps/mosquitto_ctrl/dynsec.c b/apps/mosquitto_ctrl/dynsec.c
index 64a258d7..56beddc4 100644
--- a/apps/mosquitto_ctrl/dynsec.c
+++ b/apps/mosquitto_ctrl/dynsec.c
@@ -322,12 +322,30 @@ static cJSON *init_add_client(const char *username, const char *password, const
 static cJSON *init_create(const char *username, const char *password, const char *rolename)
 {
 cJSON *tree, *j_clients, *j_client, *j_roles, *j_role;
+ cJSON *j_default_access;
 tree = cJSON_CreateObject();
 if(tree == NULL) return NULL;
 if((j_clients = cJSON_AddArrayToObject(tree, "clients")) == NULL
 || (j_roles = cJSON_AddArrayToObject(tree, "roles")) == NULL
+ || (j_default_access = cJSON_AddObjectToObject(tree, "defaultACLAccess")) == NULL
+ ){
+
+ cJSON_Delete(tree);
+ return NULL;
+ }
+
+ /* Set default behaviour:
+ * * Client can not publish to the broker by default.
+ * * Broker *CAN* publish to the client by default.
+ * * Client con not subscribe to topics by default.
+ * * Client *CAN* unsubscribe from topics by default.
+ */
+ if(cJSON_AddBoolToObject(j_default_access, "publishClientToBroker", false) == NULL
+ || cJSON_AddBoolToObject(j_default_access, "publishBrokerToClient", true) == NULL
+ || cJSON_AddBoolToObject(j_default_access, "subscribe", false) == NULL
+ || cJSON_AddBoolToObject(j_default_access, "unsubscribe", true) == NULL
 ){
 cJSON_Delete(tree);