organization.update does not error on missing permissions

The role check seems to work because the updates are not actually committed, but the response indicates success when it should instead error because of missing permissions.
const permissionResult = await authClient.organization.hasPermission({
permission: {
organization: ["update"]
}
})
will return
{
data: {error: null, success: false},
error: null
}
which is expected and correct
const updateResult = await authClient.organization.update({
data: {
name: "new org name"
}
})
will return {data: null, error: null}, which is wrong. It should error instead. It also takes the onSuccess path in the fetch options. This makes it difficult to properly manage feedback to the user.

This is a slimmed down version of my custom access control & roles:
const statement = {
...defaultStatements,
project: ["create", "update", "delete"],
} as const;

export const ac = createAccessControl(statement);

export const authRoles = {
estimator: ac.newRole({
...memberAc.statements,
project: ["update"],
}),
managingDirector: ac.newRole({
...adminAc.statements,
organization: ["update"]
})
} as const;
And this is a slimmed down version of the server config:
const orgPluginConfig = organization({
allowUserToCreateOrganization: false,
organizationLimit: 1,
creatorRole: authRoleNames.managingDirector,
ac: ac,
roles: authRoles,
});
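To make the expected behaviour concrete, here is an added example that is not better-auth's code and not part of the original post: a self-contained TypeScript stand-in for the statement/role shapes above, with a fail-open update (the reported {data: null, error: null} result) beside a fail-closed one that returns an explicit error. All names, roles and the in-memory store are constructed for the example, and authorize is a simplified check, not the library's implementation.

```typescript
// Added example (not better-auth's code): a self-contained stand-in for the
// statement/role model in the post, used to contrast the reported fail-open
// behaviour of organization.update with the fail-closed behaviour expected.
// Names, roles and the in-memory store are all constructed for this example.

type Resource = "organization" | "member" | "project";
type Permission = Partial<Record<Resource, readonly string[]>>;

interface Role {
  name: string;
  statements: Permission;
}

function newRole(name: string, statements: Permission): Role {
  return { name, statements };
}

// Constructed roles paralleling the post's estimator / managingDirector:
// only the managing director holds organization:update.
const roles = {
  estimator: newRole("estimator", { project: ["update"] }),
  managingDirector: newRole("managingDirector", {
    organization: ["update"],
    member: ["create", "update", "delete"],
    project: ["create", "update", "delete"],
  }),
};

type AuthorizeResult =
  | { success: true; error: null }
  | { success: false; error: string };

// A request is authorized only if every requested action on every resource
// appears in the role's statements; anything missing is a denial.
function authorize(role: Role, request: Permission): AuthorizeResult {
  for (const [resource, actions] of Object.entries(request)) {
    const allowed = role.statements[resource as Resource] ?? [];
    const missing = (actions ?? []).filter((a) => !allowed.includes(a));
    if (missing.length > 0) {
      return { success: false, error: `${role.name} lacks ${resource}:${missing.join(",")}` };
    }
  }
  return { success: true, error: null };
}

interface Organization {
  id: string;
  name: string;
}

type UpdateResult = {
  data: Organization | null;
  error: { code: string; message: string } | null;
};

// Fresh in-memory store per call so the two variants can be compared.
function makeStore(): Map<string, Organization> {
  return new Map([["org_1", { id: "org_1", name: "original name" }]]);
}

// Fail-open variant: the behaviour the issue reports. The write is skipped
// on a denied check, yet the caller receives { data: null, error: null },
// which a client treats as success.
function updateOrganizationFailOpen(
  store: Map<string, Organization>, role: Role, orgId: string, patch: Partial<Organization>,
): UpdateResult {
  const org = store.get(orgId);
  if (!org) return { data: null, error: { code: "NOT_FOUND", message: "no such organization" } };
  if (authorize(role, { organization: ["update"] }).success) {
    Object.assign(org, patch);
    return { data: org, error: null };
  }
  return { data: null, error: null }; // silent no-op: indistinguishable from success
}

// Fail-closed variant: the denial is surfaced as an explicit error, so the
// client takes its onError path and can tell the user why nothing changed.
function updateOrganizationFailClosed(
  store: Map<string, Organization>, role: Role, orgId: string, patch: Partial<Organization>,
): UpdateResult {
  const org = store.get(orgId);
  if (!org) return { data: null, error: { code: "NOT_FOUND", message: "no such organization" } };
  const check = authorize(role, { organization: ["update"] });
  if (!check.success) {
    return { data: null, error: { code: "FORBIDDEN", message: check.error } };
  }
  Object.assign(org, patch);
  return { data: org, error: null };
}
```

A regression test for this behaviour checks two things at once: that the stored record is unchanged after a denied call, and that the result carries a non-null error rather than the {data: null, error: null} shape, since the first alone is what made the original bug look like a working permission check.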
Vince (OP), 4w ago
Fixed by this commit. @bekacru I wrote tests for this behavior since I was about to open a PR with the exact same changes you did. Do you want me to commit them, or are you fine with this not being tested specifically? Edit: Here is the PR for the tests: https://github.com/better-auth/better-auth/pull/1748