I remember there is a TOCTOU-related vulnerability, where one should never default the access of a user to true and set to false if something goes wrong, but default it to false and set it to true only if everything goes right. However, I dont remember the precise vulnerability or the antipattern name. If some help to point those details could be provided, I would be really grateful.
Background: I'm in a team trying to justify why we need to default the validation functions to false instead of to true (although it sounds obvious, I want to give solid justification)