OeditusCredo.Check.Security.MissingAuthorization (OeditusCredo v0.5.0)

Basics

This check is disabled by default.

Learn how to enable it via .credo.exs.

This check has a base priority of high and works with any version of Elixir.

Explanation

Detects potential missing authorization checks (CWE-862).

Sensitive operations such as Repo.delete/2, Repo.update/2, and Repo.insert/2 should be protected by authorization checks.

Bad:

def delete(conn, %{"id" => id}) do
  post = Repo.get!(Post, id)
  # No check that the current user is allowed to delete this post
  # before the sensitive write is performed
  Repo.delete!(post)
end

Good:

def delete(conn, %{"id" => id}) do
  post = Repo.get!(Post, id)
  # Authorization check sits between loading the record and the write
  authorize!(conn.assigns.current_user, :delete, post)
  Repo.delete!(post)
end

Check-Specific Parameters

Use the following parameters to configure this check:

:exclude_test_files

Set to true to skip test files (default: false)

This parameter defaults to nil.

:extra_auth_indicators

Additional authorization indicator substrings to recognize (default: [])

This parameter defaults to nil.

General Parameters

As with all checks, the general parameters can be applied.

Parameters can be configured via the .credo.exs config file.
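An added example (not part of the OeditusCredo documentation) of a .credo.exs entry that enables this check and sets both of its parameters; the check is listed in the plain `checks:` list form alongside whatever other checks a project already configures, and the indicator strings are constructed placeholders.

```elixir
# .credo.exs (constructed example; keep your project's other checks in the list)
%{
  configs: [
    %{
      name: "default",
      checks: [
        # The check is disabled by default, so it must be listed explicitly.
        # Options are passed as the keyword list in the tuple.
        {OeditusCredo.Check.Security.MissingAuthorization,
         # Skip test files so fixtures that call Repo.insert!/Repo.delete!
         # directly are not reported.
         exclude_test_files: true,
         # Extra substrings that count as an authorization indicator in the
         # same function as a Repo write. These names are placeholders;
         # use the helper names your own code base calls.
         extra_auth_indicators: ["Bodyguard.permit", "can?"]}
      ]
    }
  ]
}
```

Run `mix credo --strict` afterwards; findings from this check are reported with the :high priority declared above.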