Org Dynamic Access Control - updateOrgRole error

Issue: a user with the Owner role can't updateOrgRole. For an org, say Org1, I changed the role of an existing user2 from Member -> Owner.
User2 (owner) can create a new OrgRole with all the permissions, but can't update. When user2 tries to update an existing OrgRole, 1. the name update is working, 2. but the resource:Actions permissions throw an error:
name = 'APIError'
status ='FORBIDDEN'
statusCode = 403
message= "You are not permitted to update a role with those set of permissions. Please get someone with high enough permissions to update this role."
Here is what I tested:
await authClient.organization.hasPermission({
  permissions: {
    organization: ["update", "delete"],
    member: ["create", "update", "delete"],
    invitation: ["create", "cancel"],
    team: ["create", "update", "delete"],
    ac: ["create", "read", "update", "delete"],
    project: ["create", "read", "update", "delete", "share"],
    billing: ["read", "update"],
  },
  organizationId: "6S...T0k7RT1W",
});
which returned success, so user2 has permissions for all resource:actions.
{
  "data": {
    "error": null,
    "success": true
  },
  "error": null
}
But updating an orgRole gave an error:
const result = await auth.api.updateOrgRole({
  headers,
  body: {
    roleName: "new132",
    data: {
      permission: {
        organization: ["update", "delete"],
        member: ["create", "update", "delete"],
        invitation: ["create", "cancel"],
        team: ["create", "update", "delete"],
        ac: ["create", "read", "update", "delete"],
        project: ["create", "read", "update"],
        billing: ["read", "update"],
      },
    },
    organizationId: "6S...T0k7RT1W",
  },
});
Note: The same user can "create" a new role with any resource:[Actions], but can't update certain actions.
3 Replies
galightic prime (OP), 3w ago
Additional data: somehow better-auth is assuming the user is admin:
ERROR [Better Auth]: [Dynamic Access Control] The user is missing permissions nessesary to update a role with those set of permissions.
{
  userId: 'UK5ZcPzxsfPooLUlGlOJLq4l9WaJAjGa',
  organizationId: '6SV05zMndBxT05BJfmnnSHwNY0k7RT1W',
  role: 'admin',
  missingPermissions: [ 'project:delete', 'billing:update', 'organization:delete' ]
}
But in the DB, the Members table clearly shows the role as "owner". [img attached]

In my permissions file, I have restricted admin for 'project:delete' and 'billing:update', and better-auth restricts 'organization:delete'. That's OK if the user is admin, but user2 has the "owner" role.
galightic prime (OP), 3w ago
Found the bug: in updateOrgRole, the member is fetched as
const member = await ctx.context.adapter.findOne<Member>({
  model: "member",
  where: [
    {
      field: "organizationId",
      value: organizationId,
      operator: "eq",
      connector: "AND",
    },
  ],
});
The where clause is missing the user check, whereas in createOrgRole it's correct:
const member = await ctx.context.adapter.findOne<Member>({
  model: "member",
  where: [
    {
      field: "organizationId",
      value: organizationId,
      operator: "eq",
      connector: "AND",
    },
    {
      field: "userId",
      value: user.id,
      operator: "eq",
      connector: "AND",
    },
  ],
});
I have a user (user3) with the admin role; it seems findOne finds that user. Changing user3 to role "Owner" doesn't throw an error. So, yeah, the get-member where clause is the issue: it's missing the userId check.
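The failure mode in this thread (the owner's request being judged by another member's admin role) and its fix come down to whether the membership lookup binds the row to the caller. The following is an added example, not better-auth's code: an in-memory stand-in for the adapter's findOne, a constructed member table in which the admin row is stored before the owner row, and a constructed role-to-permission map whose admin set deliberately lacks the three actions the error log lists. All names (lookupByOrgOnly, lookupByOrgAndUser, canAssignPermissions, ROLE_PERMISSIONS) are this example's own.

```typescript
// Added example (not better-auth's own code): contrasts a membership lookup that
// filters by organizationId only with one that also binds the requesting userId,
// and shows whose role the permission check ends up consulting in each case.

type Member = { userId: string; organizationId: string; role: string };
type Clause = { field: keyof Member; value: string };

// Stand-in for an adapter's findOne: first row satisfying every clause, in storage order.
function findOne(rows: Member[], where: Clause[]): Member | undefined {
  return rows.find((row) => where.every((c) => row[c.field] === c.value));
}

// Constructed sample rows: user3 (admin) was stored before user2 (owner), as in the thread.
const MEMBERS: Member[] = [
  { userId: "user3", organizationId: "org1", role: "admin" },
  { userId: "user2", organizationId: "org1", role: "owner" },
];

// Constructed role permissions; the admin set lacks exactly the three actions
// that the thread's error log reports as missing.
const ADMIN_PERMS = ["project:create", "project:read", "project:update", "billing:read", "organization:update"];
const ROLE_PERMISSIONS: Record<string, readonly string[]> = {
  admin: ADMIN_PERMS,
  owner: [...ADMIN_PERMS, "project:delete", "billing:update", "organization:delete"],
};

type Lookup = (rows: Member[], organizationId: string, userId: string) => Member | undefined;

// Buggy lookup (the updateOrgRole shape above): the caller is ignored, so the
// first member row of the organization in storage order is used.
const lookupByOrgOnly: Lookup = (rows, organizationId) =>
  findOne(rows, [{ field: "organizationId", value: organizationId }]);

// Correct lookup (the createOrgRole shape): the membership row is bound to the caller.
const lookupByOrgAndUser: Lookup = (rows, organizationId, userId) =>
  findOne(rows, [
    { field: "organizationId", value: organizationId },
    { field: "userId", value: userId },
  ]);

type Decision = { allowed: boolean; evaluatedAs: string | null; missing: string[] };

// The check the thread describes: a caller may only assign permissions it holds itself.
// Which row the lookup returns decides whose role is consulted.
function canAssignPermissions(
  lookup: Lookup, rows: Member[], callerId: string, organizationId: string, requested: string[],
): Decision {
  const member = lookup(rows, organizationId, callerId);
  if (!member) return { allowed: false, evaluatedAs: null, missing: requested };
  const held = new Set(ROLE_PERMISSIONS[member.role] ?? []);
  const missing = requested.filter((p) => !held.has(p));
  return { allowed: missing.length === 0, evaluatedAs: `${member.userId}:${member.role}`, missing };
}

// The three permissions from the thread's missingPermissions log line.
const REQUESTED = ["project:delete", "billing:update", "organization:delete"];

// Reproduction: user2 (owner) is judged by user3's admin row under the buggy lookup,
// correctly by its own owner row under the fixed one, and, with the rows stored the
// other way round, the buggy lookup judges the admin by the owner's row instead.
function reproduce() {
  return {
    buggy: canAssignPermissions(lookupByOrgOnly, MEMBERS, "user2", "org1", REQUESTED),
    fixed: canAssignPermissions(lookupByOrgAndUser, MEMBERS, "user2", "org1", REQUESTED),
    buggyReversed: canAssignPermissions(lookupByOrgOnly, [...MEMBERS].reverse(), "user3", "org1", REQUESTED),
  };
}

console.log(JSON.stringify(reproduce(), null, 2));
```

The buggyReversed case is why this is worth a regression test rather than a one-off fix: with the unbound lookup the decision depends on row order, so the same bug that denies a legitimate owner here can just as well evaluate a lower-privileged member against someone else's role. A test that seeds two members with different roles and asserts that each caller is evaluated against its own row catches both directions.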
Solution
galightic prime (OP)
Seems fixed in v1.3.10-beta.5. I am on the latest stable release, v1.3.9.