Basics
This check is disabled by default.
Learn how to enable it via .credo.exs.
This check has a base priority of high and works with any version of Elixir.
Explanation
Using authorize?: false bypasses Ash authorization entirely, making it
easy to accidentally skip policy checks. Instead, use system actors with
bypass policies so that authorization is always enforced and auditable.

    # Bad — skips all authorization
    Ash.read!(query, authorize?: false)

    # Good — uses a named system actor
    Ash.read!(query, actor: %{system: :my_context})

    # In resource policies:
    bypass expr(not is_nil(^actor(:system))) do
      authorize_if always()
    end

For code inside action changes/validations that needs to read related data,
use scope: context to inherit the caller's authorization context:

    Ash.get!(Resource, id, scope: context)

Note: By default this check flags authorize?: false anywhere it appears as a
literal — Ash API calls, action DSL definitions, variable assignments, and
wrapper functions. Set include_non_ash_calls: false to restrict detection
to Ash API calls and action DSL definitions only.
In either mode the check is purely syntactic: it cannot follow values through variables, config lookups, or function return values.
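
A minimal illustration of that syntactic limit, added here and not taken from the check's source: it parses constructed snippets with Elixir's own parser and reports whether authorize?: false appears as a literal keyword pair. The LiteralScan module and the sample snippets are assumptions made for this example; the forms it reports as not visible are the ones code review has to cover by hand.

```elixir
defmodule LiteralScan do
  # Hypothetical helper for illustration only, not the check's implementation.
  # Returns true when the parsed source contains the literal keyword pair
  # `authorize?: false` anywhere in its AST.
  def literal_authorize_false?(source) do
    ast = Code.string_to_quoted!(source)

    {_ast, found?} =
      Macro.prewalk(ast, false, fn
        # A keyword pair written literally is the 2-tuple {:authorize?, false}.
        {:authorize?, false} = pair, _acc -> {pair, true}
        node, acc -> {node, acc}
      end)

    found?
  end
end

# Constructed sample snippets; none of them is executed, they are only parsed.
samples = [
  {"Ash API call", "Ash.read!(query, authorize?: false)"},
  {"variable assignment", "opts = [authorize?: false]"},
  {"value held in a variable", "Ash.read!(query, authorize?: flag)"},
  {"config lookup", "Ash.read!(query, authorize?: Application.get_env(:my_app, :authorize))"},
  {"function return value", "Ash.read!(query, authorize?: authorize_reads?())"}
]

for {label, source} <- samples do
  verdict =
    if LiteralScan.literal_authorize_false?(source),
      do: "literal, visible to a syntactic scan",
      else: "no literal, needs manual review"

  IO.puts(String.pad_trailing(label, 26) <> verdict)
end
```

Run it with `elixir literal_scan.exs`; it needs only the Elixir standard library because the snippets are parsed, never evaluated.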
Check-Specific Parameters
Use the following parameters to configure this check:
:include_non_ash_calls
When true (default), flags authorize?: false anywhere in source. When false, only checks Ash API calls and action DSL definitions.
This parameter defaults to true.
General Parameters
Like with all checks, general params can be applied.
Parameters can be configured via the .credo.exs config file.