From 3319a8d28ef578e8825e6430b07686671d02721f Mon Sep 17 00:00:00 2001
From: Erik Timan <erik.timan@emqx.io>
Date: Tue, 3 Jan 2023 14:32:40 +0100
Subject: [PATCH] fix(mgmt_api): remove possibility to set clientid in /publish
 API

To avoid security confusion, we remove the possibility to specify the
client ID in the request body for /publish and /publish/bulk.
---
 apps/emqx_management/src/emqx_mgmt_api_publish.erl | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/apps/emqx_management/src/emqx_mgmt_api_publish.erl b/apps/emqx_management/src/emqx_mgmt_api_publish.erl
index 672de661b..b7c48a26a 100644
--- a/apps/emqx_management/src/emqx_mgmt_api_publish.erl
+++ b/apps/emqx_management/src/emqx_mgmt_api_publish.erl
@@ -102,12 +102,6 @@ fields(message) ->
                 required => false,
                 default => 0
             })},
-        {clientid,
-            hoconsc:mk(binary(), #{
-                desc => ?DESC(clientid),
-                required => false,
-                example => <<"api_example_client">>
-            })},
         {payload,
             hoconsc:mk(binary(), #{
                 desc => ?DESC(payload),
@@ -254,7 +248,6 @@ is_ok_deliver({_NodeOrShare, _MatchedTopic, {error, _}}) -> false.
 %% %%%%%% Below error codes are not implemented so far %%%%
 %%
 %% If HTTP request passes HTTP authentication, it is considered trusted.
-%% In the future, we may choose to check ACL for the provided MQTT Client ID
 %% 135                Not authorized                          401
 %%
 %% %%%%%% Below error codes are not applicable %%%%%%%
@@ -326,7 +319,6 @@ make_message(Map) ->
     Encoding = maps:get(<<"payload_encoding">>, Map, plain),
     case decode_payload(Encoding, maps:get(<<"payload">>, Map)) of
         {ok, Payload} ->
-            From = maps:get(<<"clientid">>, Map, http_api),
             QoS = maps:get(<<"qos">>, Map, 0),
             Topic = maps:get(<<"topic">>, Map),
             Retain = maps:get(<<"retain">>, Map, false),
@@ -346,7 +338,9 @@ make_message(Map) ->
                 error:_Reason ->
                     throw(invalid_topic_name)
             end,
-            Message = emqx_message:make(From, QoS, Topic, Payload, #{retain => Retain}, Headers),
+            Message = emqx_message:make(
+                http_api, QoS, Topic, Payload, #{retain => Retain}, Headers
+            ),
             Size = emqx_message:estimate_size(Message),
             (Size > size_limit()) andalso throw(packet_too_large),
             {ok, Message};