mirror of
https://codeberg.org/redict/redict.git
synced 2025-01-23 08:38:27 -05:00
c1b1e8c329
Fixes #7923. This PR appropriates the special `&` symbol (because `@` and `*` are taken), followed by a literal value or pattern for describing the Pub/Sub patterns that an ACL user can interact with. It is similar to the existing key patterns mechanism in function (additive) and implementation (copy-pasta). It also adds the allchannels and resetchannels ACL keywords, naturally. The default user is given allchannels permissions, whereas new users get whatever is defined by the acl-pubsub-default configuration directive. For backward compatibility in 6.2, the default of this directive is allchannels but this is likely to be changed to resetchannels in the next major version for stronger default security settings. Unless allchannels is set for the user, channel access permissions are checked as follows : * Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the argumentative channel name(s) exists for the user. * Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument literally exist(s) in the user's list. Such failures are logged to the ACL log. Runtime changes to channel permissions for a user with existing subscribing clients cause said clients to disconnect unless the new permissions permit the connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be disconnected. Notes/questions: * UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons for touching them. |
||
|---|---|---|
| .. | ||
| auth.tcl | ||
| blockedclient.tcl | ||
| blockonkeys.tcl | ||
| commandfilter.tcl | ||
| datatype.tcl | ||
| fork.tcl | ||
| getkeys.tcl | ||
| hooks.tcl | ||
| infotest.tcl | ||
| keyspace_events.tcl | ||
| misc.tcl | ||
| propagate.tcl | ||
| scan.tcl | ||
| test_lazyfree.tcl | ||
| testrdb.tcl | ||
| timer.tcl | ||