Yes, that’s why I believe it should be:

1) if only authentication is enabled, all users must authenticate and all authenticated users can do anything.
2) if authz is enabled, then all users must still authenticate, and can by default do nothing at all, unless assigned proper roles
3) if a user is assigned the default “read” rule, and a collection adds a custom “/myselect” handler, that one is unavailable until the user gets it assigned
--
Jan Høydahl, search solution architect
Cominvent AS - www.cominvent.com

> On 14 Dec 2015 at 14:15, Noble Paul <noble.p...@gmail.com> wrote:
>
> ". If all paths were closed by default, forgetting to configure a path
> would not result in a security breach like today."
>
> But it will still mean that unauthorized users are able to access,
> like guest being able to post to "/update". Just authenticating is not
> enough without proper authorization
>
> On Mon, Dec 14, 2015 at 3:59 PM, Jan Høydahl <jan....@cominvent.com> wrote:
>>> 1) "read" should cover all the paths
>>
>> This is very fragile. If all paths were closed by default, forgetting to
>> configure a path would not result in a security breach like today.
>>
>> /Jan
>
>
>
> --
> -----------------------------------------------------
> Noble Paul
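The three rules Jan lists, as an added example that is not part of the thread and not Solr's RuleBasedAuthorizationPlugin: a small Python path authorizer that requires authentication always, lets any authenticated user through when only authentication is on, and otherwise denies every path that no permission mentions. The Permission/Policy classes, the sample users and roles, the covered paths and the grant_custom_handler helper are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical model of a rule-based authorization plugin (not Solr's code):
# permissions name a set of handler paths and the roles allowed to use them.


@dataclass
class Permission:
    name: str        # e.g. "read", "update"
    paths: set[str]  # request handler paths this permission covers
    roles: set[str]  # roles that may use those paths


@dataclass
class Policy:
    authz_enabled: bool
    permissions: list[Permission] = field(default_factory=list)
    user_roles: dict[str, set[str]] = field(default_factory=dict)


def authorize(policy: Policy, user: str | None, path: str) -> tuple[bool, str]:
    """Decide one request; returns (allowed, reason)."""
    # Rule 1: authentication is always required.
    if user is None:
        return False, "denied: not authenticated"
    # Rule 1 (cont.): with authn only, any authenticated user can do anything.
    if not policy.authz_enabled:
        return True, "allowed: authn only, any authenticated user"
    # Rule 2: with authz, the first permission whose paths match decides,
    # and a path that no permission mentions is closed, not open.
    roles = policy.user_roles.get(user, set())
    for perm in policy.permissions:
        if path in perm.paths:
            if roles & perm.roles:
                return True, f"allowed: permission '{perm.name}'"
            return False, f"denied: '{perm.name}' covers {path} but user lacks a matching role"
    return False, f"denied: no permission covers {path} (closed by default)"


def build_policy(authz_enabled: bool) -> Policy:
    """Constructed sample configuration; the users and roles are made up."""
    return Policy(
        authz_enabled=authz_enabled,
        permissions=[
            Permission("read", {"/select", "/get"}, {"reader", "admin"}),
            Permission("update", {"/update"}, {"writer", "admin"}),
        ],
        user_roles={"alice": {"reader"}, "bob": {"writer"}, "guest": set()},
    )


def grant_custom_handler(policy: Policy, path: str, roles: set[str]) -> None:
    """Rule 3: a collection's custom handler stays closed until an admin
    explicitly adds a permission for it (hypothetical helper)."""
    policy.permissions.append(Permission(f"custom:{path}", {path}, set(roles)))


if __name__ == "__main__":
    policy = build_policy(authz_enabled=True)
    checks = [(None, "/select"), ("guest", "/update"), ("alice", "/select"),
              ("alice", "/update"), ("alice", "/myselect")]
    for user, path in checks:
        print(user, path, authorize(policy, user, path))
    # "/myselect" is unreachable for alice until "read"-style access is granted.
    grant_custom_handler(policy, "/myselect", {"reader"})
    print("alice", "/myselect", authorize(policy, "alice", "/myselect"))
```

The point of the fall-through at the end of `authorize` is the one Jan makes: a forgotten path is denied rather than silently open, so a misconfiguration shows up as a failed request in testing instead of as unauthenticated writes to "/update".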