
Old Forums (READ-ONLY): The community now lives at WP Sharks™. If you have an s2Member® Pro question, please use our new Support System.

Security stance


This topic contains 1 reply, has 2 voices. Last updated by  Eduan 3 years, 9 months ago.

Posted: Thursday Mar 28th, 2013 at 3:49 pm #45990

I’m trying to wrap my head around how to configure content permissions with s2member. At the crux of my confusion is that I’m not sure if s2member implements default deny, or default permit:

http://en.wikipedia.org/wiki/Security_engineering#Security_stance
————————————–
The two possible default positions on security matters are:

1. Default deny – “Everything, not explicitly permitted, is forbidden”

Improves security at a cost in functionality.
This is a good approach if you have lots of security threats.
See secure computing for a discussion of computer security using this approach.

2. Default permit – “Everything, not explicitly forbidden, is permitted”

Allows greater functionality by sacrificing security.
This is only a good approach in an environment where security threats are non-existent or negligible.
See computer insecurity for an example of the failure of this approach in the real world.
————————————–

I would prefer to use the “default deny” approach, meaning that any new post, page, tag, category, etc. is not visible by default unless “they” (i.e. visitors, level 1 members, level 2 members, etc.) have specifically been granted the ability to view that content.

But just reading the choices I have with s2member, it’s continually talking about restricting things, instead of allowing things. Meaning that by default everything is allowed, unless you specifically restrict something.

Am I correct in understanding that s2member implements a “default permit” philosophy? Is there a way to configure s2member to implement “default deny” instead?

I’m primarily worried about the human factor, and content being exposed because it is visible by default, and someone forgot to restrict it.

Thanks,
Casey

Posted: Saturday Mar 30th, 2013 at 11:09 am #46139
Eduan
Username: Eduan
Moderator

Hello Casey,

You are correct, s2Member takes the blacklist approach (default permit).

Currently there is no way to make it take the whitelist approach though (default deny).

If you want this you will have to code it in yourself in order for s2Member to work like this.

– Eduan


This topic is closed to new replies. Topics with no replies for 2 weeks are closed automatically.
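
One way to code the default-deny behaviour discussed in this thread, as an added example (it is not s2Member's code and was not posted by either participant). It assumes a must-use plugin file, a hypothetical post meta key `_dd_min_level` holding an explicit grant, and s2Member's `access_s2member_levelN` capabilities for levels 0 to 4.

```php
<?php
/**
 * Plugin Name: Default-deny content gate (added example, not s2Member code)
 *
 * Assumptions: the meta key `_dd_min_level` and all `dd_`/`DD_` names are
 * hypothetical. Levels 0-4 match a default s2Member install, where the
 * capability `access_s2member_levelN` is held by members at level N or above.
 */

const DD_META_KEY = '_dd_min_level'; // hypothetical; value 'public' or '0'..'4'

/**
 * Default deny: a post is viewable only if it carries an explicit, valid grant.
 */
function dd_visitor_may_view( int $post_id ): bool {
    // Staff who can edit the post must still be able to open it.
    if ( current_user_can( 'edit_post', $post_id ) ) {
        return true;
    }
    $grant = get_post_meta( $post_id, DD_META_KEY, true );
    if ( 'public' === $grant ) {
        return true;
    }
    // Missing, empty or malformed grant: deny rather than guess.
    if ( ! is_string( $grant ) || ! preg_match( '/\A[0-4]\z/', $grant ) ) {
        return false;
    }
    return current_user_can( 'access_s2member_level' . $grant );
}

add_action( 'template_redirect', function () {
    // Scope of this example: single posts, pages and custom post types only.
    // Archives, search results, feeds and the REST API need their own gates.
    if ( ! is_singular() ) {
        return;
    }
    if ( dd_visitor_may_view( get_queried_object_id() ) ) {
        return;
    }
    if ( ! is_user_logged_in() ) {
        auth_redirect(); // redirects to the login page and exits
    }
    wp_die( 'You do not have access to this content.', 'Forbidden', array( 'response' => 403 ) );
} );
```

With this gate active, a newly published post that nobody has tagged with a grant returns 403 to members and a login redirect to visitors; pages that must stay reachable, such as the membership options page, need an explicit `public` grant.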
