Refactor: NoActor to SimpleCheck with compile-time environment check

This prevents security issues where :create/:read without actor would be allowed in production. Now all operations require an actor in production.
2026-01-08 22:54:49 +01:00 · 2026-01-08 22:54:49 +01:00 · 236eb53a24
commit 236eb53a24
parent 6cd18545bd
2 changed files with 45 additions and 30 deletions
--- a/lib/membership/member.ex
+++ b/lib/membership/member.ex
@ -298,11 +298,12 @@ defmodule Mv.Membership.Member do
  # Authorization Policies
  # Order matters: Most specific policies first, then general permission check
  policies do
-    # SYSTEM OPERATIONS: Allow operations without actor (seeds, tests, system jobs)
-    # This must come first to allow database seeding and test fixtures
-    # IMPORTANT: Use bypass so this short-circuits and doesn't require other policies
+    # SYSTEM OPERATIONS: Allow CRUD operations without actor
+    # In test: All operations allowed (for test fixtures)
+    # In production: Only :create and :read allowed (enforced by NoActor.check)
+    # :read is needed for internal Ash lookups (e.g., relationship validation during user creation).
    bypass action_type([:create, :read, :update, :destroy]) do
-      description "Allow system operations without actor (seeds, tests)"
+      description "Allow system operations without actor (seeds, tests, internal lookups)"
      authorize_if Mv.Authorization.Checks.NoActor
    end