From 989476f9c58253d41aa249c8897733cf7738e268 Mon Sep 17 00:00:00 2001 From: "Jeremy T. Bouse" Date: Sat, 2 May 2026 15:17:03 -0400 Subject: [PATCH 1/3] fix: update lonewolf permissions for FL mesh topics --- emqx/acl.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/emqx/acl.conf b/emqx/acl.conf index 5e130ae..3a3082c 100644 --- a/emqx/acl.conf +++ b/emqx/acl.conf @@ -12,8 +12,8 @@ %% Allow uplink username to publish to FL mesh topics except FL/LWS mesh topics, but not subscribe to any topics. {deny, {username, "uplink"}, all, ["msh/US/FL/LWS/#"]}. {allow, {username, "uplink"}, publish, ["msh/US/FL/#"]}. -%% Allow lonewolf username to publish+subscribe to FL/LWS mesh topics, but not subscribe to any topics. -{allow, {username, "lonewolf"}, all, ["msh/US/FL/LWS/#"]}. +%% Allow lonewolf username to publish+subscribe to FL mesh topics. +{allow, {username, "lonewolf"}, all, ["msh/US/FL/#"]}. %% Group users with identical permissions From 3b02944ad5cea7144f941304bc389a109c643f79 Mon Sep 17 00:00:00 2001 From: "Jeremy T. Bouse" Date: Mon, 4 May 2026 08:21:19 -0400 Subject: [PATCH 2/3] refactor: simplify default profile rules for Florida Mesh access --- mongodb/mqtt_init.js | 55 ++++++++------------------------------------ 1 file changed, 10 insertions(+), 45 deletions(-) diff --git a/mongodb/mqtt_init.js b/mongodb/mqtt_init.js index cf8f269..2185ae1 100644 --- a/mongodb/mqtt_init.js +++ b/mongodb/mqtt_init.js @@ -102,12 +102,6 @@ function ensureProfile(profileDoc) { function ensureDefaultProfiles() { /* - { - deny, - {username, "${username}"}, - all, - ["msh/US/FL/LWS/#"] - }. { allow, {username, "${username}"}, 
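Review bot: The lonewolf rule in emqx/acl.conf now grants `all` on `msh/US/FL/#`, so the account can publish as well as subscribe across the whole Florida tree, not only its own LWS subtree. If the goal is only for lonewolf to read the wider mesh, a narrower pair keeps write access where it was: `{allow, {username, "lonewolf"}, subscribe, ["msh/US/FL/#"]}.` alongside the previous `{allow, {username, "lonewolf"}, all, ["msh/US/FL/LWS/#"]}.`. If publishing across FL is intended, the `%%` comment above the rule should record why, since the neighbouring `uplink` rules still treat `msh/US/FL/LWS/#` as a separate trust boundary.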
@@ -117,25 +111,10 @@ function ensureDefaultProfiles() { */ ensureProfile({ name: "default", - description: "Default Florida Mesh access. Deny Lone Wolf subtree and allow the broader Florida subtree.", + description: "Default Florida Mesh access.", status: "active", is_default: true, rules: [ - { - permission: "deny", - who: { - username: "${username}" - }, - action: { - type: "all" - }, - topics: [ - { - match: "filter", - value: "msh/US/FL/LWS/#" - } - ] - }, { permission: "allow", who: { @@ -190,7 +169,8 @@ function ensureDefaultProfiles() { { allow, {username, "${username}"}, - all, ["msh/US/FL/LWS/#"] + publish, + ["msh/US/FL/#"] }. { allow, @@ -201,7 +181,7 @@ function ensureDefaultProfiles() { */ ensureProfile({ name: "bridge", - description: "Florida Mesh Bridge profile. Allow PUBLISH to Florida subtree and $SYS/broker/connection/ topics.", + description: "Florida Mesh Bridge profile. Allow PUBLISH to Florida subtree and $SYS broker connection topics.", status: "active", is_default: false, rules: [ @@ -254,7 +234,7 @@ function ensureDefaultProfiles() { */ ensureProfile({ name: "fullbridge", - description: "Florida Mesh Full Bridge profile. Allow PUB/SUB to Florida subtree and $SYS/broker/connection/ topics.", + description: "Florida Mesh Full Bridge profile. Allow PUB/SUB to Florida subtree and $SYS broker connection topics.", status: "active", is_default: false, rules: [ @@ -292,12 +272,12 @@ function ensureDefaultProfiles() { }) /* - { - deny, - {username, "${username}"}, all, ["msh/US/FL/LWS/#"]}. { allow, - {username, "${username}"}, all, ["msh/US/FL/#"]}. + {username, "${username}"}, + all, + ["msh/US/FL/#"] + }. { allow, { 
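Review bot: Dropping the `deny` rule on `msh/US/FL/LWS/#` from the `default` profile in the `@@ -117,25 +111,10 @@` hunk changes effective access. The remaining allow rule (per the old description, the broader Florida subtree) now also covers the Lone Wolf subtree for every user on the default profile, which is more than a "refactor: simplify" subject suggests. The `@@ -313,25 +293,10 @@` hunk makes the same removal for `meshpoint`, while emqx/acl.conf in patch 1 still denies `uplink` that subtree, so the two rule sources now disagree about LWS. If opening LWS is intended, the description should say so, e.g. `description: "Default Florida Mesh access, including the Lone Wolf (LWS) subtree.",`. Whether `ensureProfile` rewrites the rules of an existing profile is not visible in this hunk; if it only inserts missing profiles, deployed databases keep the old deny rule.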
@@ -313,25 +293,10 @@ function ensureDefaultProfiles() { */ ensureProfile({ name: "meshpoint", - description: "Meshpoint access. Deny Lone Wolf subtree and allow the broader Florida subtree and homeassistant topics.", + description: "Meshpoint access. Allow the broader Florida subtree and homeassistant topics.", status: "active", is_default: false, rules: [ - { - permission: "deny", - who: { - username: "${username}" - }, - action: { - type: "all" - }, - topics: [ - { - match: "filter", - value: "msh/US/FL/LWS/#" - } - ] - }, { permission: "allow", who: { From 5a06437d2626e9f9090a2174dd5f036251326cbf Mon Sep 17 00:00:00 2001 From: "Jeremy T. Bouse" Date: Mon, 4 May 2026 08:48:47 -0400 Subject: [PATCH 3/3] fix: update MQTT profile permissions to allow all actions on connection state topics --- mongodb/mqtt_init.js | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/mongodb/mqtt_init.js b/mongodb/mqtt_init.js index 2185ae1..c769c30 100644 --- a/mongodb/mqtt_init.js +++ b/mongodb/mqtt_init.js @@ -176,7 +176,7 @@ function ensureDefaultProfiles() { allow, {username, "${username}"}, publish, - ["$SYS/broker/connection/${clientid}/state"] + ["$SYS/broker/connection/${clientid}/#"] }. */ ensureProfile({ @@ -206,12 +206,12 @@ function ensureDefaultProfiles() { username: "${username}" }, action: { - type: "publish" + type: "all" }, topics: [ { match: "filter", - value: "$SYS/broker/connection/${clientid}/state" + value: "$SYS/broker/connection/${clientid}/#" } ] } @@ -229,7 +229,7 @@ function ensureDefaultProfiles() { allow, {username, "${username}"}, publish, - ["$SYS/broker/connection/${clientid}/state"] + ["$SYS/broker/connection/${clientid}/#"] }. */ ensureProfile({ @@ -259,12 +259,12 @@ function ensureDefaultProfiles() { username: "${username}" }, action: { - type: "publish" + type: "all" }, topics: [ { match: "filter", - value: "$SYS/broker/connection/${clientid}/state" + value: "$SYS/broker/connection/${clientid}/#" } ] }
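Review bot: The rule sketch in the block comment touched by the `@@ -176,7 +176,7 @@` hunk still reads `publish,` for `$SYS/broker/connection/${clientid}/#`, but the rule it documents becomes `type: "all"` in the `@@ -206,12 +206,12 @@` hunk. The fullbridge comment in `@@ -229,7 +229,7 @@` has the same mismatch with `@@ -259,12 +259,12 @@`. Both comment lines should read `all,` so the ACL sketch matches the document written to MongoDB.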
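Review bot: The bridge rule in the `@@ -206,12 +206,12 @@` hunk moves from publish on a single `/state` topic to `all` on `$SYS/broker/connection/${clientid}/#`. That adds subscribe rights to a profile whose description, set in patch 2, still says "Allow PUBLISH to Florida subtree and $SYS broker connection topics"; `@@ -259,12 +259,12 @@` widens fullbridge the same way. The bridge description should be updated to mention subscribe, or the rule kept at `type: "publish"` with only the filter widened if subscribe is not actually needed. The `${clientid}` placeholder limits the grant to the connecting client's own subtree only if the broker ties client IDs to credentials, which nothing in this file shows. A comment above the rule would make that assumption explicit, e.g. `// relies on the broker binding clientid to the authenticated username`.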