Remove NoActor module, improve Member validation, update docs

2026-01-24 10:43:20 +01:00 · 2026-01-24 10:43:20 +01:00 · b545d2b9e1
commit b545d2b9e1
parent 71c13d0ac0
4 changed files with 40 additions and 127 deletions
--- a/CODE_GUIDELINES.md
+++ b/CODE_GUIDELINES.md
@ -1699,6 +1699,24 @@ end

 **IMPORTANT:** All tests must explicitly provide an actor for Ash operations. The NoActor bypass has been removed to prevent masking authorization bugs.

+**Exception: AshAuthentication Bypass Tests**
+
+Tests that verify the AshAuthentication bypass mechanism are a **conscious exception**. These tests must verify that registration/login works **without an actor** via the `AshAuthenticationInteraction` check. To enable this bypass in tests, set the context explicitly:
+
+```elixir
+# ✅ GOOD - Testing AshAuthentication bypass (conscious exception)
+changeset =
+  Accounts.User
+  |> Ash.Changeset.for_create(:register_with_password, %{...})
+  |> Ash.Changeset.set_context(%{private: %{ash_authentication?: true}})
+
+{:ok, user} = Ash.create(changeset)  # No actor - tests bypass mechanism
+
+# ❌ BAD - Using system_actor masks the bypass test
+system_actor = Mv.Helpers.SystemActor.get_system_actor()
+Ash.create(changeset, actor: system_actor)  # Tests admin permissions, not bypass!
+```
+
 **Test Fixtures:**

 All test fixtures use `system_actor` for authorization: