Currently, if all auth0 rules were deleted in order to resolve an ordering issue (like what we're doing currently in dev), the absence of any rules would cause sites that use things like AccessRules to allow all authenticated users into the site regardless of group membership. Currently and in the future there could be other rules which effectively deny users access to something.
In order to mitigate this risk, let's make auth0 rules work more like firewall rules by adding a "default deny" rule that runs at the very end of the rule order. This would mean that if all other rules were deleted, other than this "default deny" rule, users would be barred from logging in to any site.
The assumption here is that it's better to bar everyone from accessing any site than to allow an unauthorized user to access a site they shouldn't be allowed to.
@gdestuynder suggested this could be accomplished by creating a "default deny" rule and putting it in order position 999 or some such large number.
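As an added illustration (not this project's code), here is a simulation of Auth0's sequential rule pipeline with a "default deny" rule at the end. It assumes the access rule records an explicit grant on `context` (here `context.accessGranted`, a made-up marker) so the final rule can tell a deliberate allow from "no rule ran", and it stubs `UnauthorizedError`, which the real Auth0 runtime provides.

```javascript
// Added example, not the project's own code. Simulates Auth0's sequential rule
// pipeline to show how a final "default deny" rule behaves. ASSUMPTIONS: the
// access rule marks an explicit allow on context (context.accessGranted is an
// invented marker), and UnauthorizedError is stubbed (Auth0's runtime supplies it).
class UnauthorizedError extends Error {}

const ALLOWED_GROUPS = ['team_sso_admins']; // constructed sample data

// Rule A (assumed stand-in for AccessRules): allow members of an allowed group,
// recording the decision on context; deny everyone else right here.
function accessRule(user, context, callback) {
  const groups = user.groups || [];
  if (groups.some((g) => ALLOWED_GROUPS.includes(g))) {
    context.accessGranted = true; // assumed marker read by the default-deny rule
    return callback(null, user, context);
  }
  return callback(new UnauthorizedError('not a member of an allowed group'));
}

// Rule Z: the "default deny", meant to sit last in the rule order (e.g. 999).
// The login only succeeds if an earlier rule explicitly granted access.
function defaultDenyRule(user, context, callback) {
  if (context.accessGranted === true) {
    return callback(null, user, context);
  }
  return callback(new UnauthorizedError('default deny: no rule granted access'));
}

// Run rules in order and stop at the first error, mirroring Auth0's behaviour.
function runRules(rules, user) {
  const context = {};
  for (const rule of rules) {
    let outcome = null;
    rule(user, context, (err) => { outcome = err; });
    if (outcome) return { allowed: false, reason: outcome.message };
  }
  return { allowed: true, reason: null };
}

// Constructed sample users.
const member = { email: 'member@example.com', groups: ['team_sso_admins'] };
const outsider = { email: 'outsider@example.com', groups: ['other'] };
```

Running `runRules([defaultDenyRule], member)` models the "all other rules deleted" scenario from the issue, while `runRules([], member)` shows the current behaviour where an empty rule list lets everyone in.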