BA
Better Auth•2mo ago
Jacob

Organization inviteMember - Not Allowed to Invite

I keep getting a 403 - "YOU_ARE_NOT_ALLOWED_TO_INVITE_USERS_TO_THIS_ORGANIZATION" This is a client component. User fills in the form to invite 
      const activeMember = await authClient.organization.getActiveMember();
      console.log("activeMember", activeMember);

      if (
        !activeMember.data?.role ||
        !["owner", "admin"].includes(activeMember.data.role)
      ) {
        toast.error("You don't have permission to invite members");
        return;
      }

      const hasPermission = await authClient.organization.hasPermission({
        permission: { member: ["invite"] },
      });
      console.log("hasPermission", hasPermission);

      if (!hasPermission.data) {
        toast.error("You don't have permission to invite members");
        return;
      }

      const response = await authClient.organization.inviteMember({
        email: emailInput.value,
        role: roleSelect.value as "admin" | "member",
        organizationId
      });
      const activeMember = await authClient.organization.getActiveMember();
      console.log("activeMember", activeMember);

      if (
        !activeMember.data?.role ||
        !["owner", "admin"].includes(activeMember.data.role)
      ) {
        toast.error("You don't have permission to invite members");
        return;
      }

      const hasPermission = await authClient.organization.hasPermission({
        permission: { member: ["invite"] },
      });
      console.log("hasPermission", hasPermission);

      if (!hasPermission.data) {
        toast.error("You don't have permission to invite members");
        return;
      }

      const response = await authClient.organization.inviteMember({
        email: emailInput.value,
        role: roleSelect.value as "admin" | "member",
        organizationId
      });
My permissions file: 
const statement = {
  organization: ["view", "update", "delete", "manage_billing"],
  app: ["view", "connect", "disconnect", "configure"],
  member: [
    "invite",
    "remove",
    "update_role",
    "manage_app_permissions",
    "manage_licenses",
  ],
} as const;

const ac = createAccessControl(statement);

// Organization owner - has full access to everything
const owner = ac.newRole({
  organization: ["view", "update", "delete", "manage_billing"],
  app: ["view", "connect", "disconnect", "configure"],
  member: [
    "invite",
    "remove",
    "update_role",
    "manage_app_permissions",
    "manage_licenses",
  ],
});
const statement = {
  organization: ["view", "update", "delete", "manage_billing"],
  app: ["view", "connect", "disconnect", "configure"],
  member: [
    "invite",
    "remove",
    "update_role",
    "manage_app_permissions",
    "manage_licenses",
  ],
} as const;

const ac = createAccessControl(statement);

// Organization owner - has full access to everything
const owner = ac.newRole({
  organization: ["view", "update", "delete", "manage_billing"],
  app: ["view", "connect", "disconnect", "configure"],
  member: [
    "invite",
    "remove",
    "update_role",
    "manage_app_permissions",
    "manage_licenses",
  ],
});
Not sure whats up. Checked user role and permissions and its good. activeMember reads out: 
activeMember:  {
  id: '123',
  organizationId: '123',
  userId: '123',
  role: 'owner',
  createdAt: 2025-03-20T03:43:43.728Z,
  user: {
    id: '123',
    name: 'scrubbed',
    email: 'scrubbed',
    image: 'scrubbed'
  }
}
activeMember:  {
  id: '123',
  organizationId: '123',
  userId: '123',
  role: 'owner',
  createdAt: 2025-03-20T03:43:43.728Z,
  user: {
    id: '123',
    name: 'scrubbed',
    email: 'scrubbed',
    image: 'scrubbed'
  }
}
Solution:
Ok the solution is that you have to very carefully read the docs and not vibe code, lol. You have to use the default statements or the invitations feature will not work. So for example: ``` const statement = { ...defaultStatements,...
Jump to solution
1 Reply
Solution
Jacob
Jacob•2mo ago
Ok the solution is that you have to very carefully read the docs and not vibe code, lol. You have to use the default statements or the invitations feature will not work. So for example: 
const statement = {
  ...defaultStatements,
  billing: ["manage_billing"],
  license: ["manage_licenses"],
  app: [
    "view",
    "connect_integration",
    "disconnect_integration",
    "configure",
    "manage_app_permissions",
  ],
} as const;

const ac = createAccessControl(statement);

// Organization owner - has full access to everything
const owner = ac.newRole({
  billing: ["manage_billing"],
  license: ["manage_licenses"],
  app: [
    "view",
    "connect_integration",
    "disconnect_integration",
    "configure",
    "manage_app_permissions",
  ],
  ...adminAc.statements,
});
const statement = {
  ...defaultStatements,
  billing: ["manage_billing"],
  license: ["manage_licenses"],
  app: [
    "view",
    "connect_integration",
    "disconnect_integration",
    "configure",
    "manage_app_permissions",
  ],
} as const;

const ac = createAccessControl(statement);

// Organization owner - has full access to everything
const owner = ac.newRole({
  billing: ["manage_billing"],
  license: ["manage_licenses"],
  app: [
    "view",
    "connect_integration",
    "disconnect_integration",
    "configure",
    "manage_app_permissions",
  ],
  ...adminAc.statements,
});
I didn't read the "invitation" create/cancel and because I didn't inherit the defaults my owner of the organization didn't have those abilities. What was throwing me off is that I was able to update my organizations name even though I did this silly override so that means that even if you screw up you can still as owner update the org. Lesson learned is to actually use the docs examples. 😄

Did you find this page helpful?