Basics
This check is disabled by default.
Learn how to enable it via .credo.exs.
This check has a base priority of high and works with any version of Elixir.
Explanation
An unscoped policy using authorize_if always() allows anyone -
including unauthenticated requests - to perform all actions.
A policy is unscoped when its condition is always() or expr(true),
when every element of a list condition is one of those, when it has no
condition at all (Ash defaults the condition to true), or when its only
body-level condition is always()/expr(true). Conditions on
enclosing policy_groups count: Ash adds them to every policy the
group contains, so a policy inside policy_group actor_attribute_equals(:role, :admin)
is scoped even without a condition of its own.
Entity options do not scope: policy description: "..." do still
applies everywhere, and the condition is recognised whether passed
positionally or via the condition: option.
Checks apply top to bottom and the first one that reaches a decision
wins, so authorize_if always() preceded by a forbid_if/forbid_unless
is the deliberate allow-all-except pattern and is not flagged.
Guards that can never fire (forbid_if never(), forbid_unless always(),
boolean literals) do not count:
policy always() do
forbid_if actor_attribute_equals(:banned, true)
authorize_if always()
endScope permissive policies to specific actions or action types:
policy action_type(:read) do
authorize_if always()
end
policy action([:register, :sign_in]) do
authorize_if always()
endCheck-Specific Parameters
There are no specific parameters for this check.
General Parameters
Like with all checks, general params can be applied.
Parameters can be configured via the .credo.exs config file.