Bug #2998
Status: closed
Morpho uses 'allowFirst' by default when building access control
Description
When inserting access control sections into EML documents created by Morpho, Morpho defaults to using a permission order of 'allowFirst' rather than 'denyFirst'. This creates an unintended problem when a deny statement is inserted for public access. For instance, the data-managers group below will be denied access after it has been granted access in the allow statement because it, too, belongs to the 'public' (everyone) group.
<access authSystem="ldap://ldap.ecoinformatics.org:389/dc=ecoinformatics,dc=org"
        order="allowFirst">
  <deny>
    <principal>public</principal>
    <permission>read</permission>
  </deny>
  <allow>
    <principal>cn=data-managers,o=PISCO,dc=ecoinformatics,dc=org</principal>
    <permission>all</permission>
  </allow>
</access>
If the above had a permission order set to 'denyFirst', public read access would be denied, and then the allow statement would 'punch through' and provide all access to the data-managers group (which is the intention of this access statement).
Morpho should be configured to default to 'denyFirst' when creating ACLs to avoid this situation.
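To make the difference between the two orders concrete, here is a small evaluator for an EML <access> block (added here as an illustration; it is not Morpho or Metacat code). It assumes the EML rule that every principal is implicitly a member of 'public', that 'all' implies every other permission, and that with 'allowFirst' deny rules are applied after (and override) allow rules while with 'denyFirst' the reverse holds. The sample block is the one from the report with its order left as a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the access block from this report, with the order
# parameterised so both evaluation orders can be compared side by side.
ACCESS_TEMPLATE = """<access authSystem="ldap://ldap.ecoinformatics.org:389/dc=ecoinformatics,dc=org"
        order="{order}">
  <deny>
    <principal>public</principal>
    <permission>read</permission>
  </deny>
  <allow>
    <principal>cn=data-managers,o=PISCO,dc=ecoinformatics,dc=org</principal>
    <permission>all</permission>
  </allow>
</access>"""

DATA_MANAGERS = "cn=data-managers,o=PISCO,dc=ecoinformatics,dc=org"


def _covers(rule_perms, wanted):
    """A rule covers `wanted` if it names it or names 'all' (which implies everything)."""
    return "all" in rule_perms or wanted in rule_perms


def _rules(access, kind):
    """Yield (principals, permissions) for every <allow> or <deny> child of <access>."""
    for rule in access.findall(kind):
        yield ({p.text.strip() for p in rule.findall("principal")},
               {p.text.strip() for p in rule.findall("permission")})


def is_permitted(access_xml, user, memberships, wanted):
    """Decide whether `user` (a member of `memberships`, and always of 'public')
    holds permission `wanted` under the given <access> block.

    allowFirst: allow rules are applied first, then deny rules override them.
    denyFirst:  deny rules are applied first, then allow rules punch through.
    Nothing matching at all means access is denied.
    """
    access = ET.fromstring(access_xml)
    order = access.get("order", "allowFirst")
    identities = {user, "public", *memberships}

    def matches(kind):
        return any(principals & identities and _covers(perms, wanted)
                   for principals, perms in _rules(access, kind))

    allowed, denied = matches("allow"), matches("deny")
    if order == "allowFirst":
        return allowed and not denied   # a later deny wins over the allow
    return allowed                      # denyFirst: a later allow wins over the deny
```

Under 'allowFirst' the data-managers group loses read access because the deny on 'public' is applied last; under 'denyFirst' the same block denies anonymous read but lets the group's 'all' grant through.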