I concur - this makes sense.
On Tue, Dec 15, 2015, at 01:39 PM, Jan Høydahl wrote:
> Yes, that’s why I believe it should be:
> 1) if only authentication is enabled, all users must authenticate and all
> authenticated users can do anything.
> 2) if authz is enabled, then all users must still authenticate, and can
> by default do nothing at all, unless assigned proper roles
> 3) if a user is assigned the default “read” rule, and a collection adds a
> custom “/myselect” handler, that one is unavailable until the user gets
> it assigned
>
> --
> Jan Høydahl, search solution architect
> Cominvent AS - www.cominvent.com
>
>> On 14 Dec 2015 at 14:15, Noble Paul <noble.p...@gmail.com> wrote:
>>
>> ". If all paths were closed by default, forgetting to configure a path
>> would not result in a security breach like today."
>>
>> But it will still mean that unauthorized users are able to access,
>> like guest being able to post to "/update". Just authenticating is not
>> enough without proper authorization
>>
>> On Mon, Dec 14, 2015 at 3:59 PM, Jan Høydahl <jan....@cominvent.com> wrote:
>>>> 1) "read" should cover all the paths
>>>
>>> This is very fragile. If all paths were closed by default, forgetting to
>>> configure a path would not result in a security breach like today.
>>>
>>> /Jan
>>
>> --
>> -----------------------------------------------------
>> Noble Paul
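The three rules Jan lists, written out as a small default-deny policy model (an added example for this thread, not Solr's own authorization code; the `Authz`/`Request` names and the permission table are assumptions of the model):

```python
# Added example: a model of the default-deny semantics proposed in the thread.
# This is not Solr's implementation; class names and the permission table are
# assumptions chosen to illustrate points 1-3.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    path: str             # handler path, e.g. "/select" or "/update"
    user: Optional[str]   # None models an unauthenticated (guest) request


@dataclass
class Authz:
    authentication_enabled: bool
    authorization_enabled: bool
    # permission name -> (paths it covers, roles allowed to use it).
    # "read" is the predefined rule from the thread: it names only known
    # read handlers, so a later custom handler is not covered by it.
    permissions: dict = field(default_factory=lambda: {
        "read": ({"/select", "/get"}, {"reader"}),
        "update": ({"/update"}, {"writer"}),
    })
    user_roles: dict = field(default_factory=dict)   # user -> set of roles

    def is_allowed(self, req: Request) -> bool:
        # Points 1 and 2: once security is on, every request must authenticate.
        if self.authentication_enabled and req.user is None:
            return False
        # Point 1: authentication alone lets any authenticated user do anything.
        if not self.authorization_enabled:
            return True
        # Points 2 and 3: with authz on, a path is closed unless a permission
        # that names it is held by one of the user's roles. An unlisted path,
        # such as a newly added "/myselect" handler, is denied by default.
        roles = self.user_roles.get(req.user, set())
        for paths, allowed_roles in self.permissions.values():
            if req.path in paths and roles & allowed_roles:
                return True
        return False
```

With only authentication on, an authenticated guest may still post to "/update"; with authz on, a user holding only "read" can reach "/select" but neither "/update" nor the unassigned "/myselect".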