Update docs for acl deny feature.

ChangeLog.txt

@@ -54,6 +54,7 @@ Broker:
 - Added support for controlling UNSUBSCRIBE calls in v5 plugin ACL checks.
 - Document that X509_free() must be called after using
   mosquitto_client_certificate(). Closes #1842.
+- Add "deny" acl type. Closes #1611.
 
 Client library:
 - Client no longer generates random client ids for v3.1.1 clients, these are

man/mosquitto.conf.5.xml

@@ -116,7 +116,8 @@
 						contain the + or # wildcards as in
 						subscriptions. The "deny" option can used to explicity
 						deny access to a topic that would otherwise be granted
-						by a broader read/write/readwrite statement.</para>
+						by a broader read/write/readwrite statement. Any "deny"
+						topics are handled before topics that grant read/write access.</para>
 
 					<para>The first set of topics are applied to anonymous
 						clients, assuming <option>allow_anonymous</option> is

mosquitto.conf

@@ -536,13 +536,17 @@
 # comment.
 # Topic access is added with lines of the format:
 #
-# topic [read|write|readwrite] <topic>
+# topic [read|write|readwrite|deny] <topic>
 #
-# The access type is controlled using "read", "write" or "readwrite". This
+# The access type is controlled using "read", "write", "readwrite" or "deny".
-# parameter is optional (unless <topic> contains a space character) - if not
+# This parameter is optional (unless <topic> contains a space character) - if
-# given then the access is read/write.  <topic> can contain the + or #
+# not given then the access is read/write.  <topic> can contain the + or #
 # wildcards as in subscriptions.
 #
+# The "deny" option can used to explicity deny access to a topic that would
+# otherwise be granted by a broader read/write/readwrite statement. Any "deny"
+# topics are handled before topics that grant read/write access.
+#
 # The first set of topics are applied to anonymous clients, assuming
 # allow_anonymous is true. User specific topic ACLs are added after a
 # user line as follows: