AshCredo.Check.Warning.OverlyPermissivePolicy (ash_credo v0.16.0)

Copy Markdown View Source

Basics

This check is disabled by default.

Learn how to enable it via .credo.exs.

This check has a base priority of high and works with any version of Elixir.

Explanation

An unscoped policy using authorize_if always() allows anyone - including unauthenticated requests - to perform all actions.

A policy is unscoped when its condition is always() or expr(true), when every element of a list condition is one of those, when it has no condition at all (Ash defaults the condition to true), or when its only body-level condition is always()/expr(true). Conditions on enclosing policy_groups count: Ash adds them to every policy the group contains, so a policy inside policy_group actor_attribute_equals(:role, :admin) is scoped even without a condition of its own.

Entity options do not scope: policy description: "..." do still applies everywhere, and the condition is recognised whether passed positionally or via the condition: option.

Checks apply top to bottom and the first one that reaches a decision wins, so authorize_if always() preceded by a forbid_if/forbid_unless is the deliberate allow-all-except pattern and is not flagged. Guards that can never fire (forbid_if never(), forbid_unless always(), boolean literals) do not count:

policy always() do
  forbid_if actor_attribute_equals(:banned, true)
  authorize_if always()
end

Scope permissive policies to specific actions or action types:

policy action_type(:read) do
  authorize_if always()
end

policy action([:register, :sign_in]) do
  authorize_if always()
end

Check-Specific Parameters

There are no specific parameters for this check.

General Parameters

Like with all checks, general params can be applied.

Parameters can be configured via the .credo.exs config file.