Severity: P3 (security posture — unsafe default) · Tier-2 (Pascal review)
Co-maintained repo (Pascal = architect).
Location: lib/ash_ui/runtime/resource_access.ex:546
build_resolved sets authorize?: Map.get(context, :authorize?, not is_nil(actor)), so authorization is enabled only when an actor happens to be present. In-repo LiveView contexts set authorize?: true explicitly, so existing production paths are covered, but the default is unsafe for any new caller that forgets it: with no actor, reads and writes run with no authorization at all.
Fix: default to true; require an explicit authorize?: false for trusted system reads.
2026-05-28 cross-repo review — see ariston-ui docs/audits/cross-repo-review-2026-05-28.md (finding B6).
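Added illustration of the finding, not code from the repository: a trimmed stand-in for build_resolved with the unsafe default beside the corrected one, plus the forgotten-flag context that triggers the gap. The module name, the function suffixes and the system_read_context helper are assumptions.

```elixir
# Added example, not the repository's code. Only build_resolved and the
# :authorize? / :actor context keys come from the finding; the rest is assumed.
defmodule AuthorizeDefaultExample do
  # Before: authorization is on only when an actor happens to be present.
  # A caller that passes no actor and forgets :authorize? gets unauthorized access.
  def build_resolved_unsafe(context) do
    actor = Map.get(context, :actor)
    %{actor: actor, authorize?: Map.get(context, :authorize?, not is_nil(actor))}
  end

  # After: default to true; a trusted system read must opt out explicitly.
  def build_resolved_safe(context) do
    actor = Map.get(context, :actor)
    %{actor: actor, authorize?: Map.get(context, :authorize?, true)}
  end

  # Opt-out path for trusted system reads, so the intent is visible at the
  # call site instead of being implied by a missing actor.
  def system_read_context(context) do
    Map.put(context, :authorize?, false)
  end
end

# Constructed contexts: an in-repo LiveView caller that sets the flag,
# and a new caller that forgot it and has no actor.
live_view_ctx = %{actor: nil, authorize?: true}
forgotten_ctx = %{}

# Old default: the forgotten flag silently disables authorization (MatchError otherwise).
false = AuthorizeDefaultExample.build_resolved_unsafe(forgotten_ctx).authorize?

# New default: authorization stays on unless explicitly disabled.
true = AuthorizeDefaultExample.build_resolved_safe(forgotten_ctx).authorize?
true = AuthorizeDefaultExample.build_resolved_safe(live_view_ctx).authorize?

# The only way to get an unauthorized read under the fix is an explicit opt-out.
false =
  forgotten_ctx
  |> AuthorizeDefaultExample.system_read_context()
  |> AuthorizeDefaultExample.build_resolved_safe()
  |> Map.fetch!(:authorize?)
```

Run with `elixir` on the file; each `=` match raises if the default behaves differently from what the finding describes.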