2 replies

organization.update does not error on missing permissions

The role check seems to work because the updates are not actually committed but the response indicates success when it should instead error because of missing permissions.

const permissionResult = await authClient.organization.hasPermission({
  permission: {
    organization: ["update"]
  }
})

const permissionResult = await authClient.organization.hasPermission({
  permission: {
    organization: ["update"]
  }
})

will return

{
  data: {
    {error: null, success: false}
  }, 
  error: null
}

{
  data: {
    {error: null, success: false}
  }, 
  error: null
}

which is expected and correct

const updateResult = await authClient.organization.update({
  data: {
    name: "new org name"
  }
})

const updateResult = await authClient.organization.update({
  data: {
    name: "new org name"
  }
})

will return

{data: null, error: null}

{data: null, error: null}

which is wrong. It should error instead.

It also takes the

onSuccess

onSuccess

path in the fetch options.
This makes it difficult to properly manage feedback to the user

This is a slimmed down version of my custom access control & roles:

const statement = {
    ...defaultStatements,
    project: ["create", "update", "delete"],
} as const;

export const ac = createAccessControl(statement);

export const authRoles = {
    estimator: ac.newRole({
        ...memberAc.statements,
        project: ["update"],
    }),
    managingDirector: ac.newRole({
        ...adminAc.statements,
        organization: ["update"]
    })
} as const;

const statement = {
    ...defaultStatements,
    project: ["create", "update", "delete"],
} as const;

export const ac = createAccessControl(statement);

export const authRoles = {
    estimator: ac.newRole({
        ...memberAc.statements,
        project: ["update"],
    }),
    managingDirector: ac.newRole({
        ...adminAc.statements,
        organization: ["update"]
    })
} as const;

And this is a slimmed down version of the server config:

const orgPluginConfig = organization({
    allowUserToCreateOrganization: false,
    organizationLimit: 1,
    creatorRole: authRoleNames.managingDirector,
    ac: ac,
    roles: authRoles,
});

const orgPluginConfig = organization({
    allowUserToCreateOrganization: false,
    organizationLimit: 1,
    creatorRole: authRoleNames.managingDirector,
    ac: ac,
    roles: authRoles,
});

organization.update does not error on missing permissions

The role check seems to work because the updates are not actually committed but the response indicates success when it should instead error because of missing permissions.

const permissionResult = await authClient.organization.hasPermission({
  permission: {
    organization: ["update"]
  }
})

const permissionResult = await authClient.organization.hasPermission({
  permission: {
    organization: ["update"]
  }
})

will return

{
  data: {
    {error: null, success: false}
  }, 
  error: null
}

{
  data: {
    {error: null, success: false}
  }, 
  error: null
}

which is expected and correct

const updateResult = await authClient.organization.update({
  data: {
    name: "new org name"
  }
})

const updateResult = await authClient.organization.update({
  data: {
    name: "new org name"
  }
})

will return

{data: null, error: null}

{data: null, error: null}

which is wrong. It should error instead.

It also takes the

onSuccess

onSuccess

path in the fetch options.
This makes it difficult to properly manage feedback to the user

This is a slimmed down version of my custom access control & roles:

const statement = {
    ...defaultStatements,
    project: ["create", "update", "delete"],
} as const;

export const ac = createAccessControl(statement);

export const authRoles = {
    estimator: ac.newRole({
        ...memberAc.statements,
        project: ["update"],
    }),
    managingDirector: ac.newRole({
        ...adminAc.statements,
        organization: ["update"]
    })
} as const;

const statement = {
    ...defaultStatements,
    project: ["create", "update", "delete"],
} as const;

export const ac = createAccessControl(statement);

export const authRoles = {
    estimator: ac.newRole({
        ...memberAc.statements,
        project: ["update"],
    }),
    managingDirector: ac.newRole({
        ...adminAc.statements,
        organization: ["update"]
    })
} as const;

And this is a slimmed down version of the server config:

const orgPluginConfig = organization({
    allowUserToCreateOrganization: false,
    organizationLimit: 1,
    creatorRole: authRoleNames.managingDirector,
    ac: ac,
    roles: authRoles,
});

const orgPluginConfig = organization({
    allowUserToCreateOrganization: false,
    organizationLimit: 1,
    creatorRole: authRoleNames.managingDirector,
    ac: ac,
    roles: authRoles,
});

organization.update does not error on missing permissions

Similar Threads

organization.update does not error on missing permissions

Similar Threads

Similar Threads

Similar Threads