[GH-ISSUE #7727] when we update a role name in the dynamic role the member table is not updated #10887

Open
opened 2026-04-13 07:15:50 -05:00 by GiteaMirror · 16 comments

Originally created by @pranavgoel29 on GitHub (Jan 31, 2026).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/7727

Originally assigned to: @ping-maxwell on GitHub.

I’m using dynamic-access-control.

It sets up an org role table and uses these roles in the member table’s role column. However, here’s the problem: we’re adding the role name here, not the ID. As a result, if we change the role name, it doesn’t get updated here, which creates a gap between the roles and members. The update role method doesn’t update the role in the member table.

GiteaMirror added the bug and organization labels 2026-04-13 07:15:50 -05:00

@better-auth-agent[bot] commented on GitHub (Jan 31, 2026):

It looks like there may be a bug when updating role names in the dynamic role that isn't reflecting changes in the member table. Here are some steps to troubleshoot this issue:

  1. Check the Database: Ensure that the changes made to role names are correctly reflected in the database.
  2. Review the Code: Look into the functions responsible for updating roles to confirm they are correctly updating member associations.
  3. Enable Dynamic Access Control: Make sure dynamic access control is enabled in your configuration as it might affect how role updates are processed.
  4. Reporting: If the issue persists, consider creating a detailed bug report explaining the steps to reproduce this issue.

If you have specific logs or details to share, it could help diagnose the problem further. Meanwhile, if you still need assistance, feel free to tag @better-auth-agent.

What other questions do you have about Better Auth or dynamic roles?

If you need more help, tag @better-auth-agent in a comment so I can respond.


@dosubot[bot] commented on GitHub (Jan 31, 2026):

This happens because the member table stores the role name as a plain string, not as a reference to the dynamic role entity. When you rename a dynamic role, there’s no built-in mechanism to update all member records with the new role name—so the member table keeps the old value. This is a known limitation and has been discussed in GitHub issues. To keep things in sync, you need to explicitly update the member table yourself (for example, with an extra UPDATE statement or custom logic in your adapter) whenever you rename a dynamic role. There’s no automatic propagation or trigger for this in Better Auth right now [see details](https://github.com/better-auth/better-auth/issues/5860).

A recent PR (#7096) claims to address some issues with updating roles, but as of the latest discussions, there’s still no built-in config or hook to handle this automatically—you’ll need to patch the adapter, use a custom adapter, or add your own update logic [reference](https://github.com/better-auth/better-auth/issues/5929).

To reply, just mention @dosu.



@pranavgoel29 commented on GitHub (Jan 31, 2026):

@dosubot I am using Drizzle here, not Prisma, and this PR #7096 does not resolve my issue.
Is there a way to maybe add a hook to trigger after update role? Can we do it? And why not just use the role ID here?


@dosubot[bot] commented on GitHub (Jan 31, 2026):

Yes, you can add an "after update" hook for the role model in Better Auth, and it works with Drizzle as well as Prisma. Just use the databaseHooks config in your Better Auth setup. This hook will trigger after a role is updated (including after a transaction commits), so you can run custom logic—like updating all member records that reference the old role name.

Here's a simplified example:

```ts
import { betterAuth } from "better-auth";
import { drizzleAdapter } from "better-auth/adapters/drizzle";
import { db } from "@/db"; // your drizzle instance

export const auth = betterAuth({
  database: drizzleAdapter(db, { provider: "pg" }),
  databaseHooks: {
    organizationRole: {
      update: {
        async after(updatedRole, context) {
          // Update all members with the old role name to the new one
          await db.update(memberTable)
            .set({ role: updatedRole.name })
            .where(eq(memberTable.role, context.previous.name));
        }
      }
    }
  }
});
```

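Make sure to adjust the model/table names to match your schema. The hook receives the updated role and context (which may include the previous value, depending on your version). All "after" hooks run after the transaction commits, so it's safe to update related tables like member at this point [reference](https://github.com/better-auth/better-auth/blob/583f12fb7db38681ee882d219ce3895faa4a6976/packages/better-auth/src/db/with-hooks.ts#L9-L310) [reference](https://github.com/better-auth/better-auth/pull/7345).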

If you need to handle more complex scenarios or want to debug, you can log the arguments inside your hook to see what's available.


@pranavgoel29 commented on GitHub (Jan 31, 2026):

@dosubot There's no hook like organizationRole in databaseHooks.


@pranavgoel29 commented on GitHub (Jan 31, 2026):

@Bekacru can we do something here? Is there an option to use the roleId instead of the roleName in the members table?


@dosubot[bot] commented on GitHub (Jan 31, 2026):

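You're right—there isn't an organizationRole hook in databaseHooks. Only the core models (user, session, account, verification) are supported for hooks in Better Auth, and plugin tables like organizationRole aren't exposed to the hook system by default [reference](https://github.com/better-auth/better-auth/blob/583f12fb7db38681ee882d219ce3895faa4a6976/packages/core/src/types/init-options.ts#L1099-L1387) [reference](https://github.com/better-auth/better-auth/blob/583f12fb7db38681ee882d219ce3895faa4a6976/packages/better-auth/src/db/with-hooks.ts#L6-L121).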

There also aren't any organizationRole or role update hooks in the organization plugin's organizationHooks config—those hooks only cover org/member/invitation lifecycle events [reference](https://github.com/better-auth/better-auth/pull/4049).

So, to keep member roles in sync after a role rename, you'll need to handle it manually in your application code or adapter. For Drizzle, that means running an explicit update on the member table after you change a role name. For example:

```ts
await db.update(memberTable)
  .set({ role: newRoleName })
  .where(eq(memberTable.role, oldRoleName));
```

If you want to avoid this problem in the future, consider storing the role ID in the member table instead of the name, but that would require a schema change.

Let me know if you want a more detailed example for Drizzle or have questions about custom adapter logic.


@pranavgoel29 commented on GitHub (Jan 31, 2026):

@dosubot we can do this definitely: 'If you want to avoid this problem in the future, consider storing the role ID in the member table instead of the name, but that would require a schema change.' However, I am afraid it will break the internal org plugin methods like update member role and all. Isn't there a way to say that we are using the roleId in the member table instead of the role name?


@dosubot[bot] commented on GitHub (Jan 31, 2026):

There isn't a supported way to configure Better Auth to use roleId in the member table instead of the role name. All internal organization plugin logic—like updateMemberRole, permission checks, and hooks—expects the member's role field to be a string containing the role name, not an ID. The schema, adapter, and permission system are tightly coupled to this convention, and there are no configuration options or extension points to switch to roleId. Changing the member table to use roleId would break internal methods and require deep, unsupported changes across the plugin and your codebase (schema.ts, crud-members.ts, adapter.ts).

The safest approach is to keep using role names and add explicit synchronization logic when you rename a role. If you want to use role IDs, you'd need to fork and rewrite the plugin, which is not recommended due to maintainability and upgrade issues.


@pranavgoel29 commented on GitHub (Jan 31, 2026):

@dosu but the way we do things right now with names adds a huge probability of data drifting.


@dosubot[bot] commented on GitHub (Jan 31, 2026):

You're absolutely right—using role names as references in the member table does create a real risk of data drift, especially when roles are renamed or deleted. This is a known limitation of the current Better Auth organization plugin design: the schema, adapter, and permission logic are all tightly coupled to role names, and there’s no built-in way to switch to using role IDs or to automatically sync member records when a role name changes ([source](https://github.com/better-auth/better-auth/issues/5860), [source](https://github.com/better-auth/better-auth/issues/5929)).

The only way to keep things consistent right now is to run explicit synchronization scripts or migrations whenever you rename a role—basically, update all affected member records in your database after every role name change. Some teams build admin tools or migration helpers for this, or even add monitoring to detect drift between the member and role tables.

If you want, I can help you draft a Drizzle migration or script to automate this process. Let me know if you want an example or want to discuss operational strategies for minimizing drift.


@bytaesu commented on GitHub (Jan 31, 2026):

Hi @pranavgoel29, let me check 🧐


@pranavgoel29 commented on GitHub (Jan 31, 2026):

Thanks @bytaesu !

I’ve noticed another issue with how roles are currently working with `dynamicAccessControl`. It seems like we can’t stop the deletion of a role even if it’s already assigned to a user. Wouldn’t it be better if we could prevent this deletion when a role is assigned to someone, or at least give us the option to enable it? Maybe something like `allowAssignedRoleDeletion: false`. For sure I can add a check in the backend before I delete a role or update it, however if someone is using the client methods it would be tricky. 🤔

Of course, these problems would disappear if we could move away from using role names and add a foreign key (FK) to roleId.

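The rename synchronization, drift check and assigned-role deletion guard discussed in the comments above, sketched as an added example that is not part of the thread or of Better Auth's code. The row shapes, function names, the comma-separated `role` value and the built-in role list are assumptions made for illustration; the tables are modelled as in-memory arrays.

```typescript
// Hypothetical row shapes standing in for the org role table and the member table.
// Assumption: member.role stores role NAMES, comma-separated when there are several.
type OrgRole = { id: string; organizationId: string; role: string };
type Member = { id: string; organizationId: string; role: string };
type Drift = { memberId: string; missingRole: string };

const splitRoles = (value: string): string[] =>
  value.split(",").map((r) => r.trim()).filter((r) => r.length > 0);

const holdersOf = (members: Member[], orgId: string, roleName: string): Member[] =>
  members.filter((m) => m.organizationId === orgId && splitRoles(m.role).indexOf(roleName) !== -1);

// Rename a role and rewrite every member row that names it, scoped to one organization.
// Against a real database both writes belong in a single transaction.
function renameRole(roles: OrgRole[], members: Member[], orgId: string, from: string, to: string): number {
  const inOrg = roles.filter((r) => r.organizationId === orgId);
  const target = inOrg.filter((r) => r.role === from)[0];
  if (!target) throw new Error(`role "${from}" not found in ${orgId}`);
  // Renaming onto an existing name would silently merge two roles' members.
  if (inOrg.some((r) => r.role === to)) throw new Error(`role "${to}" already exists`);
  target.role = to;
  const holders = holdersOf(members, orgId, from);
  for (const m of holders) {
    m.role = splitRoles(m.role).map((n) => (n === from ? to : n)).join(",");
  }
  return holders.length;
}

// Server-side guard: refuse to delete a role that is still assigned to a member.
function deleteRole(roles: OrgRole[], members: Member[], orgId: string, roleName: string): void {
  const holders = holdersOf(members, orgId, roleName);
  if (holders.length > 0) throw new Error(`role "${roleName}" is assigned to ${holders.length} member(s)`);
  for (let i = roles.length - 1; i >= 0; i--) {
    const r = roles[i];
    if (r && r.organizationId === orgId && r.role === roleName) roles.splice(i, 1);
  }
}

// Drift report: member rows naming a role that is neither built-in nor in the role table.
function findDrift(roles: OrgRole[], members: Member[], builtin: string[] = ["owner", "admin", "member"]): Drift[] {
  const drift: Drift[] = [];
  for (const m of members) {
    for (const n of splitRoles(m.role)) {
      const known = builtin.indexOf(n) !== -1 ||
        roles.some((r) => r.organizationId === m.organizationId && r.role === n);
      if (!known) drift.push({ memberId: m.id, missingRole: n });
    }
  }
  return drift;
}
```

Running `findDrift` on a schedule surfaces member rows whose role name no longer resolves to any role, which is the state a rename leaves behind when only the role table is updated.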

@bytaesu commented on GitHub (Feb 1, 2026):

Hi @pranavgoel29,

I’m fixing the issues you mentioned!

We’re currently rewriting the organization plugin, so if there’s anything you’d like to see included, feel free to open an issue or let us know. We’re reviewing everything as part of the rewrite 🫡


@pranavgoel29 commented on GitHub (Feb 3, 2026):

Hi @bytaesu any idea when these changes would be released and become available to use?


@ping-maxwell commented on GitHub (Apr 9, 2026):

this will be part of https://github.com/better-auth/better-auth/pull/7886


Reference: github-starred/better-auth#10887