Remove NoActor bypass from User and Member policies

This removes the NoActor bypass that was masking authorization bugs in tests. All operations now require an explicit actor for authorization.
2026-01-23 20:00:18 +01:00 · 2026-01-23 20:00:18 +01:00 · e72b7ab2e8
commit e72b7ab2e8
parent b6992f8488
2 changed files with 6 additions and 17 deletions
--- a/lib/accounts/user.ex
+++ b/lib/accounts/user.ex
@ -275,12 +275,6 @@ defmodule Mv.Accounts.User do
      authorize_if always()
    end

-    # NoActor bypass (test fixtures only, see no_actor.ex)
-    bypass action_type([:create, :read, :update, :destroy]) do
-      description "Allow system operations without actor (test environment only)"
-      authorize_if Mv.Authorization.Checks.NoActor
-    end
-
    # READ bypass for list queries (scope :own via expr)
    bypass action_type(:read) do
      description "Users can always read their own account"