fix: acl pubsub should only glob match the channel (#5769)

publish command accepts only a single channel and a message, yet IsUserAllowedToInvokeCmd glob matched both the channel and the message which effectively rejected incorrectly the command execution because of permissions.

Signed-off-by: kostas <[email protected]>

Author: kostasrim

src/server/acl/acl_family_test.cc

@@ -538,6 +538,15 @@ TEST_F(AclFamilyTest, TestPubSub) {
   vec = resp.GetVec();
   EXPECT_THAT(vec[8], "channels");
   EXPECT_THAT(vec[9], "resetchannels &foo");
+
+  resp =
+      Run("ACL setuser demo on resetkeys resetchannels ~app|managed-resources|* "
+          "&app|managed-resources|* +publish +ping >passwd");
+  resp = Run("AUTH demo passwd");
+  EXPECT_THAT(resp, "OK");
+
+  resp = Run("publish app|managed-resources|xyz test");
+  EXPECT_THAT(resp, IntArg(0));
 }
 
 TEST_F(AclFamilyTest, TestAlias) {

src/server/acl/validator.cc

@@ -50,8 +50,14 @@ bool ValidateCommand(const std::vector<uint64_t>& acl_commands, const CommandId&
 
   bool allowed = true;
   if (!pub_sub.all_channels) {
-    for (auto channel : tail_args) {
+    std::string_view name = id.name();
+    if (name == "PUBLISH" || name == "SPUBLISH") {
+      auto channel = tail_args[0];
       allowed &= iterate_globs(facade::ToSV(channel));
+    } else {
+      for (auto channel : tail_args) {
+        allowed &= iterate_globs(facade::ToSV(channel));
+      }
     }
   }