Severity: P2 (security — binding contract) · Tier-2 (Pascal review)
Co-maintained repo (Pascal = architect).
Location: lib/ash_ui/runtime/bidirectional_binding.ex:58-74 + lib/ash_ui/liveview/event_handler.ex:359-364
write_binding/4 runs validate → sanitize → ResourceAccess.write_field and never calls Runtime.check_write_access/2 or BindingPolicy.can_write?/2, so the binding's own read_only flag, source-writability, and screen-ownership gates (REQ-AUTH-005) are skipped. The target resource's own Ash policies still run, so it isn't a blanket bypass — but a binding declared read_only stays writable whenever the underlying resource policy permits, defeating the documented binding contract.
Fix: gate write_binding with Runtime.check_write_access(user, binding) before update_resource.
2026-05-28 cross-repo review — see ariston-ui docs/audits/cross-repo-review-2026-05-28.md (finding B3).
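Illustration of the gate described in the fix, added to this finding and not taken from ash_ui. The struct fields (`read_only`, `source_writable`, `screen_owner_id`), the in-memory store and the `Illustration.*` module names are assumptions; only `write_binding/4`, `Runtime.check_write_access/2`, validate → sanitize → write_field and the three REQ-AUTH-005 gates come from the finding.

```elixir
# Added illustration, not ash_ui's own code. Field and module names beyond
# those in the finding are assumed.
defmodule Illustration.Binding do
  defstruct [:id, :screen_owner_id, :field, read_only: false, source_writable: true]
end

defmodule Illustration.Runtime do
  alias Illustration.Binding

  # The binding-contract gates the finding lists (REQ-AUTH-005): the binding's
  # own read_only flag, source writability, and screen ownership. Returning
  # :ok only when all three pass lets it sit first in a `with` chain.
  def check_write_access(%{id: user_id}, %Binding{} = b) do
    cond do
      b.read_only -> {:error, :read_only_binding}
      not b.source_writable -> {:error, :source_not_writable}
      b.screen_owner_id != user_id -> {:error, :not_screen_owner}
      true -> :ok
    end
  end
end

defmodule Illustration.BidirectionalBinding do
  alias Illustration.{Binding, Runtime}

  # Before (the reported shape): validate -> sanitize -> write_field with no
  # binding-level gate. A read_only binding is written whenever the
  # resource's own policy allows the field write.
  def write_binding_unguarded(_user, binding, value, store) do
    with {:ok, v} <- validate(value),
         v <- sanitize(v) do
      write_field(store, binding, v)
    end
  end

  # After: check_write_access runs before any resource write, so a
  # {:error, reason} from the binding contract short-circuits the chain.
  def write_binding(user, binding, value, store) do
    with :ok <- Runtime.check_write_access(user, binding),
         {:ok, v} <- validate(value),
         v <- sanitize(v) do
      write_field(store, binding, v)
    end
  end

  defp validate(v) when is_binary(v), do: {:ok, v}
  defp validate(_), do: {:error, :invalid_value}

  defp sanitize(v), do: String.trim(v)

  # Stand-in for ResourceAccess.write_field: in ash_ui the target resource's
  # Ash policies would still run here; this illustration writes to a plain map.
  defp write_field(store, %Binding{field: f}, v), do: {:ok, Map.put(store, f, v)}
end

# Usage (assumed data):
#   user    = %{id: 1}
#   binding = %Illustration.Binding{id: "b3", screen_owner_id: 1, field: :title, read_only: true}
#   Illustration.BidirectionalBinding.write_binding_unguarded(user, binding, " x ", %{})
#   # => {:ok, %{title: "x"}}   (read_only ignored: the defect)
#   Illustration.BidirectionalBinding.write_binding(user, binding, " x ", %{})
#   # => {:error, :read_only_binding}
```

The gate sits before validate/sanitize rather than after, so a rejected write never reaches ResourceAccess and the binding contract is enforced even when the resource policy would have permitted the field write.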