Role value in userHasPermission function
Hi guys, I'm new to using Better Auth and working on a simple role-based access feature. I have a small question regarding the value of role in the userHasPermission function.
As in the image, I have a user with the role cameraHdManagerRole. But when I use the userHasPermission function and pass in a different role value that does not match the user's role, the result still returns success:true.
Why does it return true even though the role does not match that user?
8 Replies
Can anyone help?
It doesn't check against the role inputted but the user's role stored in the DB it seems
GitHub: better-auth/packages/better-auth/src/plugins/admin/admin.ts at 3628...
Probably a bug
Yes, I have already read that code. But I'm not sure if this is a bug or not.
Just feels quite strange to me, when I pass in a role value (even a random string), the result still returns true.
@Max can you confirm if this is a bug?
After reviewing the code again, I think the condition check here should be re-ordered.

This isn't a bug, it's because you're passing userId. If you just wanna check if the role has a permission, remove the userId.
If userId is removed, how would userHasPermission know which user I want to check?
Because in this case, I don't pass any value for headers, so session.user will be null.
I think there should be an additional step to check the role value in the body of userHasPermission against session.user.role (or ctx.context.internalAdapter.findUserById if userId is passed).
If you don't check it, the result still returns true (because the role will be taken from session.user.role or userId) as long as the permission is valid. It's a bit confusing.
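
The behaviour discussed in this thread next to the extra check proposed in the last reply, as an added example that is not part of the thread and is not Better Auth's source code. The role table, user store, type names and function names are hypothetical, and the data is constructed.

```typescript
// Added illustration, not Better Auth source. All names and data are hypothetical.
type Permissions = Record<string, string[]>;
type Subject = { userId?: string; role?: string };
type Result = { success: boolean; reason?: string };

// Constructed role statements and user store (stands in for the DB lookup).
const ROLE_STATEMENTS: Record<string, Permissions> = {
  cameraHdManagerRole: { camera: ["view", "update"] },
  viewerRole: { camera: ["view"] },
};
const USERS: Record<string, { role: string }> = {
  "user-1": { role: "cameraHdManagerRole" },
};

// True when every requested action on every resource is granted to the role.
function roleAllows(role: string, wanted: Permissions): boolean {
  const granted = ROLE_STATEMENTS[role];
  if (!granted) return false; // an unknown role grants nothing
  return Object.keys(wanted).every((resource) =>
    wanted[resource].every((action) => (granted[resource] || []).indexOf(action) >= 0));
}

// Behaviour described in the thread: when userId is passed, the stored role
// is used and the role supplied by the caller is never looked at.
function lenientCheck(subject: Subject, wanted: Permissions): Result {
  let effective = subject.role;
  if (subject.userId) {
    const user = USERS[subject.userId];
    if (!user) return { success: false, reason: "unknown user" };
    effective = user.role; // caller-supplied role is silently overridden
  }
  if (!effective) return { success: false, reason: "no role resolved" };
  return { success: roleAllows(effective, wanted) };
}

// Check proposed in the last reply: if both userId and role are supplied,
// fail closed when they disagree instead of ignoring the supplied role.
function strictCheck(subject: Subject, wanted: Permissions): Result {
  if (subject.userId && subject.role !== undefined) {
    const user = USERS[subject.userId];
    if (user && user.role !== subject.role) {
      return { success: false, reason: "role does not match stored role" };
    }
  }
  return lenientCheck(subject, wanted);
}
```
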