phoenix-authorization-patterns


Phoenix Authorization Patterns

RULES — Follow these with no exceptions

  1. Always authorize on the server in event handlers — UI-only checks (hiding buttons) are not security; always verify in handle_event/3
  2. Verify resource ownership by comparing current_scope.user.id against the resource's user_id — never trust client-sent user IDs
  3. Use policy modules for complex authorization — don't inline permission checks in LiveViews or controllers
  4. Add a data-confirm attribute for destructive UI actions: client-side confirmation before the server round-trip. It guards against accidental clicks only; it is not an authorization control and is trivially bypassed by a client that sends the event directly
  5. Test both authorized and unauthorized paths — every handle_event that mutates data needs an authz test proving unauthorized access is rejected
  6. Scope queries to the current user in contexts: a `where(user_id: ^user_id)` clause in the query itself means another user's record id behaves like a missing row, which prevents IDOR vulnerabilities
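The rules above as one worked example, added here and not code from the skill page or the j-morgan6/elixir-phoenix-guide repository: a policy module (rule 3), a context with user-scoped queries (rules 2 and 6), and a LiveView whose handle_event/3 authorizes on the server regardless of what the UI showed (rules 1 and 4). Everything named is hypothetical: `MyApp.Repo`, a `posts` table with `user_id` and `title`, users with a `role` field, and a Phoenix 1.8-style `current_scope` assign (`%{user: %User{}}` or `nil`) set by an `on_mount` hook before `mount/3` runs.

```elixir
# Added example, not code from the skill page or the repository. Assumptions
# (all hypothetical): MyApp.Repo, a `posts` table with `user_id` and `title`,
# users with a `role` field, and a Phoenix 1.8-style `current_scope` assign
# (%{user: %User{}} or nil) set by an on_mount hook before mount/3 runs.

defmodule MyApp.Blog.Policy do
  @moduledoc "Authorization decisions live here, not inline in LiveViews or controllers."

  alias MyApp.Blog.Post

  # Repeating `user_id` in the head forces the scope's user id and the
  # resource's user_id to be equal; the client never supplies a user id.
  def authorize(:delete_post, %{user: %{id: user_id}}, %Post{user_id: user_id}), do: :ok
  def authorize(:delete_post, %{user: %{role: :admin}}, %Post{}), do: :ok
  # Anything else, including a nil scope (anonymous viewer), is denied.
  def authorize(_action, _scope, _resource), do: {:error, :unauthorized}
end

defmodule MyApp.Blog do
  import Ecto.Query, warn: false
  alias MyApp.Repo
  alias MyApp.Blog.{Post, Policy}

  # Public read: anyone may view a post, so this lookup is intentionally unscoped.
  def get_post!(id), do: Repo.get!(Post, id)

  # Scoped read for edit pages and listings: the user_id filter is part of the
  # query, so another user's post id behaves like a missing row (no IDOR).
  def get_user_post!(%{user: %{id: user_id}}, id) do
    Post |> where(user_id: ^user_id) |> Repo.get!(id)
  end

  def list_user_posts(%{user: %{id: user_id}}) do
    Post |> where(user_id: ^user_id) |> order_by(desc: :inserted_at) |> Repo.all()
  end

  # Authorize, then mutate. The policy decides; the context enforces.
  def delete_post(scope, %Post{} = post) do
    with :ok <- Policy.authorize(:delete_post, scope, post) do
      Repo.delete(post)
    end
  end
end

defmodule MyAppWeb.PostLive.Show do
  use MyAppWeb, :live_view
  alias MyApp.Blog

  @impl true
  def mount(%{"id" => id}, _session, socket) do
    {:ok, assign(socket, :post, Blog.get_post!(id))}
  end

  @impl true
  def render(assigns) do
    ~H"""
    <h1>{@post.title}</h1>
    <%!-- Hiding the button is UX. The check in handle_event/3 is the control. --%>
    <button
      :if={@current_scope && @post.user_id == @current_scope.user.id}
      phx-click="delete"
      data-confirm="Delete this post? This cannot be undone."
    >
      Delete
    </button>
    """
  end

  @impl true
  def handle_event("delete", _params, socket) do
    # The id is never taken from params: the post loaded in mount/3 is the one
    # acted on, and the policy is re-checked here before any mutation.
    case Blog.delete_post(socket.assigns.current_scope, socket.assigns.post) do
      {:ok, _post} ->
        {:noreply, socket |> put_flash(:info, "Post deleted") |> push_navigate(to: ~p"/posts")}

      {:error, :unauthorized} ->
        {:noreply, put_flash(socket, :error, "You are not allowed to delete this post")}

      {:error, %Ecto.Changeset{}} ->
        {:noreply, put_flash(socket, :error, "Could not delete post")}
    end
  end
end
```

The shape worth copying is that `handle_event/3` never reads a resource id from `params`; it acts on the post already in assigns and still re-runs the policy, so a forged `delete` event from a client that was never shown the button ends in `{:error, :unauthorized}` rather than a `Repo.delete`.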

Server-Side Authorization in LiveViews

UI checks prevent accidental clicks. Server checks prevent attacks. You need both.
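An added ExUnit test that exercises exactly this split (not a test from the skill page or the repository): the UI hides the button for a non-owner, then the test pushes the `"delete"` event by hand, as a tampered client would over the websocket, and proves the server still refuses. Assumptions, all hypothetical: a `MyAppWeb.ConnCase` exposing `log_in_user/2` as generated by `phx.gen.auth`, fixture helpers `user_fixture/0` and `post_fixture/1`, a `/posts/:id` route served by `MyAppWeb.PostLive.Show` whose `"delete"` handler authorizes on the server and flashes "not allowed" on refusal, and a layout that renders flash messages.

```elixir
# Added example, not code from the skill page or the repository. Assumptions
# (all hypothetical): MyAppWeb.ConnCase with log_in_user/2 (phx.gen.auth),
# user_fixture/0 and post_fixture/1, a /posts/:id LiveView whose "delete"
# handler authorizes server-side and flashes "not allowed" on refusal, and a
# layout that renders flash messages into the page.
defmodule MyAppWeb.PostLive.ShowAuthzTest do
  use MyAppWeb.ConnCase, async: true

  import Phoenix.LiveViewTest
  import MyApp.AccountsFixtures, only: [user_fixture: 0]
  import MyApp.BlogFixtures, only: [post_fixture: 1]

  alias MyApp.{Blog.Post, Repo}

  describe "delete event" do
    setup %{conn: conn} do
      owner = user_fixture()
      post = post_fixture(user_id: owner.id)
      %{conn: conn, owner: owner, post: post}
    end

    test "owner can delete through the rendered button", %{conn: conn, owner: owner, post: post} do
      {:ok, view, _html} = conn |> log_in_user(owner) |> live(~p"/posts/#{post.id}")

      # Authorized path: the button is rendered and the click succeeds.
      assert has_element?(view, "button[phx-click=delete]")
      view |> element("button[phx-click=delete]") |> render_click()

      assert_redirect(view, ~p"/posts")
      refute Repo.get(Post, post.id)
    end

    test "non-owner cannot delete even with a forged event", %{conn: conn, post: post} do
      other = user_fixture()
      {:ok, view, _html} = conn |> log_in_user(other) |> live(~p"/posts/#{post.id}")

      # The UI check hides the button for this user...
      refute has_element?(view, "button[phx-click=delete]")

      # ...but a client can still push the event directly over the socket.
      # render_click/3 with an event name sends it exactly as a tampered client would,
      # bypassing the element lookup (and therefore the hidden button) entirely.
      html = render_click(view, "delete", %{})

      assert html =~ "not allowed"
      assert Repo.get(Post, post.id), "post must survive an unauthorized delete"
    end
  end
end
```

The second test is the one rule 5 asks for on every mutating `handle_event`: if the handler trusted the UI and skipped the server check, `render_click(view, "delete", %{})` would delete the post and the final assertion would fail.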

phoenix-authorization-patterns — j-morgan6/elixir-phoenix-guide