The publish client can publish some topics even without the permission.
I have configured file-based realm. For the subscribe, it will get not authorized response code if it tries to subscribe some topics that are not in the config file.
For the publisher, it can publish some topics that are not in the permission list.
It seems like there might be a mistake in your permission configuration file. Based on your description, the file-based realm is working correctly for subscription, as it returns a not authorized response code when attempting to subscribe to unauthorized topics.
However, for publishing, it appears that the publisher can publish topics that are not in the permission list. This indicates a potential issue in your permission configuration.
Double-check your configuration file to ensure that the permissions for publishing are set up correctly. Verify that the topics you want to restrict for publishing are properly defined in the file, and that the publisher’s permissions are accurately configured to prevent publishing to unauthorized topics.
Dasha from HiveMQ Team