Severity: P2 (security — fail-open) · Tier-1 (mechanical; coordinate with Pascal per co-maintain policy)
Co-maintained repo (Pascal = architect).
Location: lib/ash_ui/authorization/runtime.ex:433-456; lib/ash_ui/authorization/policies.ex:357,360-362; lib/ash_ui/runtime/resource_access.ex:602-604
The auth layer treats errors as authorized: check_policy/3 wraps its body in rescue _ -> :ok; Policies.can_access_resource?/3 has {:error,_} -> true and rescue _ -> true; ResourceAccess.authorized_record?/3 has rescue _ -> true. Any error inside policy evaluation silently becomes "allow."
Fix: change the rescue/error arms to deny ({:error, :policy_error} / false) and log the exception. For an auth path the default must fail closed.
2026-05-28 cross-repo review — see ariston-ui docs/audits/cross-repo-review-2026-05-28.md (finding B2).
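The fail-open shape and the fail-closed fix described above, as an added example that is not code from ash_ui: the module name `FailClosedExample`, the `policy_fun` argument and the sample policy are assumptions made for illustration, and only the `rescue _ -> :ok` arm and the `{:error, :policy_error}` / `false` deny values come from the finding.

```elixir
defmodule FailClosedExample do
  # Hypothetical module for illustration; not part of ash_ui.
  require Logger

  # Fail-open shape from the finding: any exception raised during
  # policy evaluation is rescued and turned into :ok ("allow").
  def check_policy_fail_open(policy_fun, actor, resource) do
    policy_fun.(actor, resource)
  rescue
    _ -> :ok
  end

  # Fail-closed shape: only an explicit :ok authorizes. Errors, unexpected
  # return values and exceptions all deny, and exceptions are logged.
  def check_policy(policy_fun, actor, resource) do
    case policy_fun.(actor, resource) do
      :ok ->
        :ok

      {:error, reason} ->
        {:error, reason}

      other ->
        Logger.error("policy returned unexpected value: #{inspect(other)}")
        {:error, :policy_error}
    end
  rescue
    exception ->
      Logger.error("policy evaluation raised: " <> Exception.format(:error, exception, __STACKTRACE__))
      {:error, :policy_error}
  end

  # Boolean wrapper: anything other than :ok is false, so an
  # {:error, _} result can never map to true.
  def can_access_resource?(policy_fun, actor, resource) do
    check_policy(policy_fun, actor, resource) == :ok
  end
end

# Constructed policy: raises BadMapError when the actor is nil.
policy = fn actor, _resource ->
  if Map.fetch!(actor, :role) == :admin, do: :ok, else: {:error, :forbidden}
end

:ok = FailClosedExample.check_policy_fail_open(policy, nil, :report)
{:error, :policy_error} = FailClosedExample.check_policy(policy, nil, :report)
false = FailClosedExample.can_access_resource?(policy, nil, :report)
true = FailClosedExample.can_access_resource?(policy, %{role: :admin}, :report)
```

A regression test for the fix can use the same idea: inject a policy that raises and assert that every entry point returns the deny value.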