Bug #4084 (closed): Change access rule to be "allowFirst" as the default orderType
Description
[4:36pm] matt: i just caught up on your earlier irc chat
[4:36pm] matt: wanted to chime in
[4:36pm] matt: chris said:
[4:36pm] matt: chris: right - it seems like an odd case. I think that the vast majority of cases, people will want to deny public access, and push through access for other groups or individuals
[4:36pm] matt: and also:
[4:37pm] matt: you said:
[4:37pm] matt: daigle: the only real exception that I see is allowing access to the whole, but denying it to individuals/groups
[4:37pm] matt: [2:44pm] daigle: that does not seem like a large use case
[4:37pm] matt: i actually think that is the only use case for using denyFirst
[4:37pm] matt: sorry, i actually think that is the only use case for using deny at all
[4:38pm] daigle: right
[4:38pm] daigle: only one I could think of
[4:38pm] matt: the default, in the absence of a public=read rule, is to deny
[4:38pm] matt: so, most of the time, someone will positively add some allow rules
[4:39pm] matt: and then they may want to exclude some people from that group
[4:39pm] matt: ie, grant kruger-tpc=read, but deny regetz
[4:39pm] matt: for that you would want allowFirst
[4:39pm] matt: if all you are doing is granting permissions to people, you can leave the defaults and just add in an allow rule
[4:39pm] matt: make sense?
[4:40pm] daigle: uh
[4:40pm] daigle: default deny then add then deny
[4:40pm] matt: it's a bit convoluted to add deny public=read and then allow kruger-tpc=read, because the deny public was implicit even without the rule
[4:41pm] matt: i.e., if you want to deny public access, simply remove the public=read rule and you're done
[4:43pm] daigle: okay
[4:43pm] matt: the only good reasons I can see to deny someone are to 1) efficiency: grant access to a big group but excise a few people, in which case you want default rules to be allowFirst
[4:44pm] daigle: right
[4:44pm] matt: and 2) guarantee that a particular user doesn't have access (indirectly via a group), in which case you still want allowFirst
[4:45pm] matt: so thanks for hearing me out -- I just wanted to be clear that Morpho's default allowFirst rule is the right rule in my opinion
This is not just a change from "denyFirst" to "allowFirst"; we may do this for both top-level and entity-level access rules:

If the user selects "No" (i.e., don't allow public read) and does nothing else, then an explicit public <deny> rule is inserted. This is required to override the top-level access rules.

But if the user selects "No" and adds at least one special access rule (for a user/group), then the special access rule(s) is/are inserted, and the public <deny> rule is omitted because it is now superfluous. I think allowFirst will be fine this way.
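Added example, not Morpho's or Metacat's code: a small evaluator for EML-style access blocks that works through the cases in the chat and the description above. It assumes two things the page implies but does not spell out: rules are applied in the block's order with the last matching rule winning (so under allowFirst a deny overrides an allow, under denyFirst the reverse), and a non-empty entity-level block replaces the top-level block while an empty one inherits it. The principal names kruger-tpc and regetz come from the chat; all other values are constructed.

```python
from dataclasses import dataclass

PUBLIC = "public"

@dataclass(frozen=True)
class Rule:
    kind: str        # "allow" or "deny"
    principal: str   # user name, group name, or "public"
    permission: str  # e.g. "read"

def _matches(rule, user, groups, permission):
    """True if the rule names this requester (directly, via a group, or public)."""
    return rule.permission == permission and (
        rule.principal == PUBLIC or rule.principal == user or rule.principal in groups)

def evaluate(order, rules, user, groups, permission):
    """Decide one access block. Default is deny: with no public=read rule there
    is no access. Assumed semantics: rules run in the block's order and the
    last matching rule wins, so under allowFirst a deny overrides an allow and
    under denyFirst an allow overrides a deny."""
    if order == "allowFirst":
        phases = ("allow", "deny")
    elif order == "denyFirst":
        phases = ("deny", "allow")
    else:
        raise ValueError(f"unknown orderType: {order}")
    decision = False
    for phase in phases:
        for rule in rules:
            if rule.kind == phase and _matches(rule, user, groups, permission):
                decision = rule.kind == "allow"
    return decision

def effective(order, top_rules, entity_rules, user, groups, permission):
    """Assumption from the report: a non-empty entity-level block replaces the
    top-level block; an empty one means the top-level rules still apply, which
    is why an explicit public deny is needed when no other rule is added."""
    rules = entity_rules if entity_rules else top_rules
    return evaluate(order, rules, user, groups, permission)

# Constructed samples taken from the chat: grant the kruger-tpc group read but
# exclude regetz; a top-level public read rule; an explicit public deny.
GROUP_RULES = [Rule("allow", "kruger-tpc", "read"), Rule("deny", "regetz", "read")]
TOP_PUBLIC_READ = [Rule("allow", PUBLIC, "read")]
PUBLIC_DENY = [Rule("deny", PUBLIC, "read")]
```

Under allowFirst, regetz is excluded even though the kruger-tpc grant covers the group; under denyFirst the same two rules let regetz through, which is the case matt argues is rarely wanted.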