organization.update does not error on missing permissions

The role check seems to work because the updates are not actually committed, but the response indicates success when it should instead error because of missing permissions.

const permissionResult = await authClient.organization.hasPermission({
  permission: {
    organization: ["update"]
  }
})

will return
{
  data: {
    {error: null, success: false}
  }, 
  error: null
}

which is expected and correct


const updateResult = await authClient.organization.update({
  data: {
    name: "new org name"
  }
})

will return
{data: null, error: null}
which is wrong. It should error instead.

It also takes the onSuccess path in the fetch options.
This makes it difficult to properly manage feedback to the user.


This is a slimmed down version of my custom access control & roles:
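import { createAccessControl } from "better-auth/plugins/access";
import { defaultStatements, adminAc, memberAc } from "better-auth/plugins/organization/access";

// Default organization statements plus a custom "project" resource.
const statement = {
    ...defaultStatements,
    project: ["create", "update", "delete"],
} as const;

export const ac = createAccessControl(statement);

// Custom roles built on top of the default member/admin statements.
export const authRoles = {
    estimator: ac.newRole({
        ...memberAc.statements,
        project: ["update"],
    }),
    managingDirector: ac.newRole({
        ...adminAc.statements,
        organization: ["update"]
    })
} as const;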


And this is a slimmed down version of the server config:
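import { organization } from "better-auth/plugins";

// authRoleNames is defined elsewhere in the poster's code (not shown here).
const orgPluginConfig = organization({
    allowUserToCreateOrganization: false,
    organizationLimit: 1,
    creatorRole: authRoleNames.managingDirector,
    ac: ac,
    roles: authRoles,
});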
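
A client-side guard for the behaviour reported above, as an added example that is not part of the original post or of better-auth: it checks hasPermission first and treats a {data: null, error: null} update response as a failure instead of trusting onSuccess. OrgClient, classifyUpdate, guardedOrgUpdate and stubClient are hypothetical names, and reading the permission result from data.success is an assumption based on the response quoted in the post.

```typescript
// Added example: shapes mirror the responses quoted in the post.
// OrgClient is a hypothetical minimal interface, not better-auth's own type.
type Result<T> = { data: T | null; error: { message: string } | null };

interface OrgClient {
  hasPermission(args: { permission: Record<string, string[]> }):
    Promise<Result<{ success: boolean }>>;
  update(args: { data: { name: string } }): Promise<Result<unknown>>;
}

type Outcome =
  | { ok: true; data: unknown }
  | { ok: false; reason: "forbidden" | "error" | "empty" };

// A response with neither data nor error is treated as a failure, since that
// is what the post reports for an update that was not committed.
function classifyUpdate(res: Result<unknown>): Outcome {
  if (res.error) return { ok: false, reason: "error" };
  if (res.data === null) return { ok: false, reason: "empty" };
  return { ok: true, data: res.data };
}

// Check the permission first so the UI can report "forbidden" explicitly,
// then classify the update response rather than relying on onSuccess.
async function guardedOrgUpdate(org: OrgClient, name: string): Promise<Outcome> {
  const perm = await org.hasPermission({ permission: { organization: ["update"] } });
  if (perm.error || !perm.data?.success) return { ok: false, reason: "forbidden" };
  return classifyUpdate(await org.update({ data: { name } }));
}

// Constructed stub reproducing the behaviour described in the post:
// without permission, update resolves to { data: null, error: null }.
function stubClient(allowed: boolean): OrgClient {
  return {
    hasPermission: async () => ({ data: { success: allowed }, error: null }),
    update: async ({ data }) =>
      allowed ? { data: { name: data.name }, error: null } : { data: null, error: null },
  };
}
```

The guard only improves user feedback; the server-side role check remains the actual enforcement point.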