nats-io · matthiashanel · Aug 23, 2022 · Aug 23, 2022 · Aug 23, 2022 · Aug 23, 2022
@@ -513,6 +513,10 @@ func processUserPermissionsTemplate(lim jwt.UserPermissionLimits, ujwt *jwt.User
 		}
 		return emittedList, nil
 	}
+
+	subAllowWasEmpty := len(lim.Permissions.Sub.Allow) > 0
+	pubAllowWasEmpty := len(lim.Permissions.Pub.Allow) > 0
+
 	var err error
 	if lim.Permissions.Sub.Allow, err = applyTemplate(lim.Permissions.Sub.Allow, false); err != nil {
 		return jwt.UserPermissionLimits{}, err
@@ -523,6 +527,14 @@ func processUserPermissionsTemplate(lim jwt.UserPermissionLimits, ujwt *jwt.User
 	} else if lim.Permissions.Pub.Deny, err = applyTemplate(lim.Permissions.Pub.Deny, true); err != nil {
 		return jwt.UserPermissionLimits{}, err
 	}
+
+	// if pub/sub allow where not empty, but are empty post template processing, add in a deny to compensate
+	if subAllowWasEmpty && len(lim.Permissions.Sub.Allow) == 0 {
+		lim.Permissions.Sub.Deny.Add(">")
+	}
+	if pubAllowWasEmpty && len(lim.Permissions.Pub.Allow) == 0 {
+		lim.Permissions.Pub.Deny.Add(">")
+	}
 	return lim, nil
 }
 

@@ -4416,8 +4416,10 @@ func TestJwtTemplates(t *testing.T) {
 	test(resLim.Pub.Deny, []string{"foo1.acc1", "foo1.acc2", "foo2.acc1", "foo2.acc2"})
 
 	require_True(t, len(resLim.Sub.Allow) == 0)
-	require_True(t, len(resLim.Sub.Deny) == 1)
+	require_True(t, len(resLim.Sub.Deny) == 2)
 	require_Contains(t, resLim.Sub.Deny[0], fmt.Sprintf("foo.myname.%s.accname.%s.bar", upub, aPub))
+	// added in to compensate for sub allow not resolving
+	require_Contains(t, resLim.Sub.Deny[1], fmt.Sprintf(">"))
 
 	lim.Pub.Deny.Add("{{tag(NOT_THERE)}}")
 	_, err = processUserPermissionsTemplate(lim, uclaim, acc)