From 3506fe40998edf93f8cd960500479c85b8d74818 Mon Sep 17 00:00:00 2001 From: "Roger A. Light" Date: Wed, 14 Oct 2020 12:09:48 +0100 Subject: [PATCH] Update docs for acl deny feature. --- ChangeLog.txt | 1 + man/mosquitto.conf.5.xml | 3 ++- mosquitto.conf | 12 ++++++++---- 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/ChangeLog.txt b/ChangeLog.txt index d824a74f..c073ca01 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -54,6 +54,7 @@ Broker: - Added support for controlling UNSUBSCRIBE calls in v5 plugin ACL checks. - Document that X509_free() must be called after using mosquitto_client_certificate(). Closes #1842. +- Add "deny" acl type. Closes #1611. Client library: - Client no longer generates random client ids for v3.1.1 clients, these are diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml index c44201a6..89276600 100644 --- a/man/mosquitto.conf.5.xml +++ b/man/mosquitto.conf.5.xml @@ -116,7 +116,8 @@ contain the + or # wildcards as in subscriptions. The "deny" option can used to explicity deny access to a topic that would otherwise be granted - by a broader read/write/readwrite statement. + by a broader read/write/readwrite statement. Any "deny" + topics are handled before topics that grant read/write access. The first set of topics are applied to anonymous clients, assuming is diff --git a/mosquitto.conf b/mosquitto.conf index 57f0cef9..b5ab55d0 100644 --- a/mosquitto.conf +++ b/mosquitto.conf 
@@ -536,13 +536,17 @@ # comment. # Topic access is added with lines of the format: # -# topic [read|write|readwrite] +# topic [read|write|readwrite|deny] # -# The access type is controlled using "read", "write" or "readwrite". This -# parameter is optional (unless contains a space character) - if not -# given then the access is read/write. can contain the + or # +# The access type is controlled using "read", "write", "readwrite" or "deny". +# This parameter is optional (unless contains a space character) - if +# not given then the access is read/write. can contain the + or # # wildcards as in subscriptions. # +# The "deny" option can used to explicity deny access to a topic that would +# otherwise be granted by a broader read/write/readwrite statement. Any "deny" +# topics are handled before topics that grant read/write access. +# # The first set of topics are applied to anonymous clients, assuming # allow_anonymous is true. User specific topic ACLs are added after a # user line as follows:
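Review bot: The ChangeLog.txt hunk's new entry `- Add "deny" acl type. Closes #1611.` is inconsistent with the surrounding entries in two small ways: the neighbouring line uses past tense ("Added support for controlling UNSUBSCRIBE calls ...") and spells the term "ACL" in upper case ("v5 plugin ACL checks"). Suggest `- Added "deny" ACL type. Closes #1611.` so the entry reads like the others in the Broker list.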
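Review bot: In the man/mosquitto.conf.5.xml hunk the added sentence "Any "deny" topics are handled before topics that grant read/write access" leaves the precedence rule ambiguous for an administrator reading the ACL file: "handled before" could be read as depending on where the deny line sits relative to the grant lines, or as meaning deny always wins. Since this is the access-control reference, suggest stating it explicitly, e.g. that a matching "deny" line overrides a matching read/write/readwrite line regardless of the order in which they appear in the ACL file (if that is the implemented behaviour), so nobody relies on line ordering for a security decision. While this paragraph is being edited, the unchanged context line just above it still carries the pre-existing typos "can used to explicity"; fixing them to "can be used to explicitly" in the same commit would be cheap.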
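Review bot: The mosquitto.conf hunk introduces a new comment line `+# The "deny" option can used to explicity deny access to a topic that would` that copies the two typos from the man page ("can used", "explicity"); since this is a freshly added line it should read `# The "deny" option can be used to explicitly deny access to a topic that would`. The same precedence wording as in the man page ("handled before topics that grant read/write access") is repeated here, so whatever clarification is chosen for the man page (deny overriding a matching grant independent of line order) should be mirrored in this sample config, which is the file most users actually read.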