Basics
This check is disabled by default.
Learn how to enable it via .credo.exs.
This check has a base priority of high and works with any version of Elixir.
Explanation
actor: and tenant: belong on the query/changeset/input, set when it
is built - not in the options of the action call. This enforces the
rule from Ash's authorization usage rules ("Always set the actor on the
query/changeset/input, not when calling the action").
```elixir
# Bad - the query was built without the actor
Post
|> Ash.Query.for_read(:read, %{})
|> Ash.read!(actor: current_user)

# Good - the actor is part of the action context from the start
Post
|> Ash.Query.for_read(:read, %{}, actor: current_user)
|> Ash.read!()
```

When a query, changeset, or action input is built via for_read,
for_create, and friends, everything that runs at build time sees the
actor and tenant it was built with; supplying them only at call time
leaves that build-time context inconsistent.
Only calls whose subject visibly went through a for_* builder are
flagged. Forms without a pre-built subject, such as
Ash.read!(Post, actor: actor) or code interface calls like
MyApp.Blog.list_posts!(actor: actor), are sanctioned - there Ash
builds the action context with the given actor itself. The check is
purely syntactic: it follows pipes and simple variable bindings, but
cannot see builders hidden behind function calls.
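As an added illustration of the syntactic rule described above (this is not the project's own check), the following plain Elixir script parses source text, follows pipe chains and simple variable bindings, and reports Ash action calls whose subject went through a for_* builder while actor:/tenant: are passed in the call options. The module name, the builder and action name lists and the sample source are assumptions.

```elixir
defmodule ActorPlacementLint do
  # Added illustration, not Ash's own Credo check; the name lists are assumptions.
  @builders ~w(for_read for_create for_update for_destroy for_action)a
  @actions ~w(read read! create create! update update! destroy destroy!)a
  # Constructed sample: lines 1 and 5 break the rule, the others are sanctioned.
  @sample """
  Post |> Ash.Query.for_read(:read, %{}) |> Ash.read!(actor: current_user)
  Post |> Ash.Query.for_read(:read, %{}, actor: current_user) |> Ash.read!()
  Ash.read!(Post, actor: current_user)
  query = Ash.Query.for_read(Post, :read, %{})
  Ash.read!(query, actor: current_user, tenant: org)
  """
  def sample, do: @sample

  # Returns [{line, message}] for each Ash action call whose subject visibly
  # went through a for_* builder while actor:/tenant: sit in the call options.
  def lint(source) when is_binary(source) do
    ast = Code.string_to_quoted!(source)
    bound = bound_to_builder(ast)
    {_, issues} = Macro.prewalk(ast, [], &{&1, check(&1, bound, &2)})
    Enum.reverse(issues)
  end

  # Pass 1: variable names bound directly to a builder expression.
  defp bound_to_builder(ast) do
    {_, names} =
      Macro.prewalk(ast, MapSet.new(), fn
        {:=, _, [{name, _, ctx}, rhs]} = node, acc when is_atom(name) and is_atom(ctx) ->
          {node, if(built?(rhs, acc), do: MapSet.put(acc, name), else: acc)}
        node, acc -> {node, acc}
      end)
    names
  end

  # Pass 2: `subject |> Ash.read!(opts)` and `Ash.read!(subject, opts)` forms.
  defp check({:|>, _, [subj, {{:., _, [{:__aliases__, _, [:Ash]}, f]}, meta, args}]}, bound, acc)
       when f in @actions, do: flag(subj, args, meta, f, bound, acc)
  defp check({{:., _, [{:__aliases__, _, [:Ash]}, f]}, meta, [subj | args]}, bound, acc)
       when f in @actions, do: flag(subj, args, meta, f, bound, acc)
  defp check(_node, _bound, acc), do: acc

  defp flag(subj, args, meta, fun, bound, acc) do
    opts = List.last(args) || []
    keys = if Keyword.keyword?(opts), do: Enum.filter(Keyword.keys(opts), &(&1 in [:actor, :tenant])), else: []
    if keys != [] and built?(subj, bound),
      do: [{meta[:line], "Ash.#{fun}: set #{Enum.join(keys, "/")} on the for_* builder, not the action call"} | acc],
      else: acc
  end

  # Did the subject visibly go through a builder? Follows pipes and pass-1 names.
  defp built?({:|>, _, [l, r]}, bound), do: built?(r, bound) or built?(l, bound)
  defp built?({{:., _, [_mod, f]}, _, _}, _bound) when f in @builders, do: true
  defp built?({name, _, ctx}, bound) when is_atom(name) and is_atom(ctx), do: MapSet.member?(bound, name)
  defp built?(_node, _bound), do: false
end
```

Save it as a `.exs` file with a trailing `IO.inspect(ActorPlacementLint.lint(ActorPlacementLint.sample()))` and run it with `elixir`; like the real check, it stays purely syntactic and will not see a builder hidden behind a function call.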
Check-Specific Parameters
There are no specific parameters for this check.
General Parameters
Like with all checks, general params can be applied.
Parameters can be configured via the .credo.exs config file.