Phoenix Code Review
Quick Reference
| Topic | Reference |
|---|---|
| | references/controllers.md |
| Pipelines, scopes, verified routes | references/routing.md |
| Custom plugs, authentication | references/plugs.md |
Review Checklist
Controllers
- [ ] Business logic in contexts, not controllers
- [ ] Controllers return proper HTTP status codes
- [ ] Action clauses handle all expected patterns
- [ ] Fallback controllers handle errors consistently
Contexts
- [ ] Contexts are bounded by domain, not technical layer
- [ ] Public functions have clear, domain-focused names
- [ ] Changesets validate all user input
- [ ] No Ecto queries in controllers
Routing
- [ ] Verified routes (~p sigil) used, not string paths
- [ ] Pipelines group related plugs
- [ ] Resources use only needed actions
- [ ] Scopes group related routes
Plugs
- [ ] Authentication/authorization via plugs
- [ ] Plugs are composable and single-purpose
- [ ] Halt called after sending response in plugs
JSON APIs
- [ ] Proper content negotiation
- [ ] Consistent error response format
- [ ] Pagination for list endpoints
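The Controllers, Contexts and JSON APIs items above describe one shape: the controller delegates to a context, the context owns Ecto and validates through a changeset, and a single fallback controller turns every error tuple into the same JSON error format. The following is an added example written for this checklist, not code from the page or from any Phoenix project. Module names (`MyApp.Accounts`, `MyApp.Accounts.User`, `MyAppWeb.UserController`, `MyAppWeb.FallbackController`) are hypothetical, `use MyAppWeb, :controller` assumes a Phoenix 1.7+ generated app, and the `~p"/api/users/..."` route is assumed to exist in the router.

```elixir
# Added example (hypothetical MyApp modules, not from the page or any project):
# controller -> context -> changeset, with action_fallback for consistent errors.

defmodule MyApp.Accounts.User do
  use Ecto.Schema
  import Ecto.Changeset

  schema "users" do
    field :email, :string
    field :name, :string
    timestamps()
  end

  # Every user-supplied field is cast and validated here, nowhere else.
  def changeset(user, attrs) do
    user
    |> cast(attrs, [:email, :name])
    |> validate_required([:email, :name])
    |> validate_format(:email, ~r/^[^\s@]+@[^\s@]+$/)
    |> validate_length(:name, max: 100)
    |> unique_constraint(:email)
  end
end

defmodule MyApp.Accounts do
  import Ecto.Query, only: [from: 2]
  alias MyApp.Repo
  alias MyApp.Accounts.User

  # Tagged tuples keep Ecto structs and queries out of the controller.
  def fetch_user(id) do
    case Repo.get(User, id) do
      nil -> {:error, :not_found}
      user -> {:ok, user}
    end
  end

  def create_user(attrs), do: %User{} |> User.changeset(attrs) |> Repo.insert()

  # Pagination lives in the context; bounds are clamped so a client cannot
  # request an unbounded page.
  def list_users(page, per_page) do
    page = max(page, 1)
    per_page = per_page |> max(1) |> min(100)

    from(u in User, order_by: [asc: u.id], limit: ^per_page, offset: ^((page - 1) * per_page))
    |> Repo.all()
  end
end

defmodule MyAppWeb.FallbackController do
  use MyAppWeb, :controller

  # One clause per error shape: status code and body are decided here only.
  def call(conn, {:error, :not_found}) do
    conn |> put_status(:not_found) |> json(%{errors: %{detail: "Not Found"}})
  end

  def call(conn, {:error, %Ecto.Changeset{} = changeset}) do
    conn
    |> put_status(:unprocessable_entity)
    |> json(%{errors: Ecto.Changeset.traverse_errors(changeset, &format_error/1)})
  end

  defp format_error({msg, opts}) do
    Enum.reduce(opts, msg, fn {k, v}, acc -> String.replace(acc, "%{#{k}}", to_string(v)) end)
  end
end

defmodule MyAppWeb.UserController do
  use MyAppWeb, :controller
  alias MyApp.Accounts

  action_fallback MyAppWeb.FallbackController

  def index(conn, params) do
    page = int_param(params, "page", 1)
    per_page = int_param(params, "per_page", 20)
    users = Accounts.list_users(page, per_page)
    json(conn, %{data: Enum.map(users, &serialize/1), page: page, per_page: per_page})
  end

  # `with` handles only the success path; any {:error, _} reaches the fallback.
  def show(conn, %{"id" => id}) do
    with {:ok, user} <- Accounts.fetch_user(id), do: json(conn, %{data: serialize(user)})
  end

  def create(conn, %{"user" => params}) do
    with {:ok, user} <- Accounts.create_user(params) do
      conn
      |> put_status(:created)
      |> put_resp_header("location", ~p"/api/users/#{user.id}")
      |> json(%{data: serialize(user)})
    end
  end

  # Non-numeric or missing query params fall back to the default instead of raising.
  defp int_param(params, key, default) do
    case Integer.parse(Map.get(params, key, "")) do
      {n, ""} -> n
      _ -> default
    end
  end

  defp serialize(user), do: %{id: user.id, email: user.email, name: user.name}
end
```

When reviewing against the checklist, the things to confirm in code like this are that the controller never calls `Repo` directly, that every `{:error, _}` shape the contexts can return has a matching `call/2` clause in the fallback controller, and that list endpoints cap `per_page` somewhere rather than trusting the client.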
Valid Patterns (Do NOT Flag)
- Controller calling multiple contexts - Valid for orchestration
- Inline Ecto query in context - Context owns its data access
- Using action_fallback - Centralized error handling pattern
- Multiple pipelines per route - Composition is intentional
- Plug.Conn.halt/1 without send - May be handled by fallback
Context-Sensitive Rules
| Issue | Flag ONLY IF |
|---|---|
| Missing changeset validation | Field accepts user input AND no validation exists |
| Controller too large | More than 7 actions OR actions > 20 lines |
| Missing authorization | Route is not public AND no auth plug in pipeline |
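The Plugs checklist ("authentication/authorization via plugs", "single-purpose", "halt called after sending response") and the "Missing authorization" rule above are easiest to review against a concrete router. The following is an added example for this checklist, not code from the page or from any Phoenix project. Module names, the `role` field on the user struct and `MyApp.Accounts.fetch_user_by_api_token/1` are hypothetical; `use MyAppWeb, :router` assumes a Phoenix generated app.

```elixir
# Added example (hypothetical MyApp modules, not from the page or any project):
# two single-purpose plugs composed into pipelines, each halting after send_resp.

defmodule MyAppWeb.Plugs.RequireAuth do
  @moduledoc "Authentication only: rejects requests without a valid bearer token."
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    # fetch_user_by_api_token/1 is assumed to return {:ok, user} | {:error, _}.
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         {:ok, user} <- MyApp.Accounts.fetch_user_by_api_token(token) do
      assign(conn, :current_user, user)
    else
      _ ->
        conn
        |> put_resp_content_type("application/json")
        |> send_resp(401, ~s({"errors":{"detail":"Unauthorized"}}))
        # Without halt/1 the pipeline keeps running into later plugs and the
        # controller action even though a response has already been sent.
        |> halt()
    end
  end
end

defmodule MyAppWeb.Plugs.RequireAdmin do
  @moduledoc "Authorization only: relies on RequireAuth having assigned :current_user."
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: opts

  @impl true
  def call(%Plug.Conn{assigns: %{current_user: %{role: "admin"}}} = conn, _opts), do: conn

  def call(conn, _opts) do
    conn
    |> put_resp_content_type("application/json")
    |> send_resp(403, ~s({"errors":{"detail":"Forbidden"}}))
    |> halt()
  end
end

defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  pipeline :api do
    plug :accepts, ["json"]
  end

  pipeline :authenticated do
    plug MyAppWeb.Plugs.RequireAuth
  end

  pipeline :admin do
    plug MyAppWeb.Plugs.RequireAdmin
  end

  # Public route: no auth plug on purpose, so "Missing authorization" does not apply.
  scope "/api", MyAppWeb do
    pipe_through :api
    post "/sessions", SessionController, :create
  end

  # Non-public routes: the reviewer checks that :authenticated is in pipe_through
  # and that resources/3 exposes only the actions the API actually needs.
  scope "/api", MyAppWeb do
    pipe_through [:api, :authenticated]
    resources "/users", UserController, only: [:index, :show, :create]
  end

  scope "/api/admin", MyAppWeb do
    pipe_through [:api, :authenticated, :admin]
    resources "/users", AdminUserController, only: [:index, :delete]
  end
end
```

Reading a router this way makes the context-sensitive rule mechanical: for each non-public `scope`, look at its `pipe_through` list and confirm an authentication plug appears in one of the named pipelines; a scope whose `pipe_through` is only `:api` is either intentionally public or a finding.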
Before Submitting Findings
Load and follow review-verification-protocol before reporting any issue.