[GH-ISSUE #1595] Cannot update and delete an organization as user admin (super admin) if we're not a member of this organization #17465

Open
opened 2026-04-15 15:36:38 -05:00 by GiteaMirror · 11 comments

Originally created by @lauthieb on GitHub (Feb 28, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/1595

Originally assigned to: @ping-maxwell on GitHub.

Is this suited for github?

  • Yes, this is suited for github

Hello,

Is it possible to delete an organization when a user has the "admin" role?
Because today, when I try to delete an organization from an admin user, I get a 403 error that says the user is not a member of this organization (but that's normal, it's an admin).

Thanks in advance for your help!

Describe the solution you'd like

When I do this:

```tsx
await authClient.organization.delete({
    organizationId: id,
});
```

and the authenticated user has the role "admin" (not admin of the organization, but admin of the app, i.e. a super admin user), he should be able to delete an organization and not receive a 403 error saying "You're not a member of this organization".

Same for updating an organization :)

Describe alternatives you've considered

I didn't consider any alternative, that's more a question.

Additional context

No response

GiteaMirror added the bug, organization labels 2026-04-15 15:36:38 -05:00

@stephanmantler commented on GitHub (Apr 20, 2025):

I ended up making a separate "org-admin" plugin to handle a similar use case (needed to merge companies and delete the redundant entry), and I more or less duplicated the implementation from the /organization/delete endpoint (https://github.com/better-auth/better-auth/blob/89cee73335ce021bd15d1474ced1e7b5dd010133/packages/better-auth/src/plugins/organization/routes/crud-org.ts#L344).

If you go this route, be sure to also clean up the Member and Invitation tables - while the schema does specify foreign key constraints to Organization, at least in my PostgreSQL database it is ON DELETE NO ACTION so relevant entries need to be removed from those tables, to avoid dangling references to organizations that don't exist any more.


@sebaFP commented on GitHub (Apr 29, 2025):

Hi

I've been investigating this same issue, and I think we could propose a feature enhancement to handle this use case properly.

Currently, the code checks if the user is a member of the organization before checking their permissions, which causes the 403 error for admin users who aren't organization members.

I suggest adding a new option in the organization configuration, similar to how allowUserToCreateOrganization works, but for deletion:

```typescript
export interface OrganizationOptions {
  // ... existing options
  allowUserToDeleteOrganization?: boolean | ((user: User) => Promise<boolean> | boolean);
}
```

This would allow us to:

  1. Define which users can delete organizations regardless of their membership
  2. Keep backwards compatibility
  3. Provide flexibility through a boolean or function approach
  4. Handle both simple (boolean) and complex (function) authorization scenarios

Would you consider adding this feature? It would solve the admin/super-admin use case while maintaining the security of the existing implementation for regular users.


@dosubot[bot] commented on GitHub (Jul 29, 2025):

Hi, @lauthieb. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary:

  • You reported that super admins with the "admin" role cannot update or delete organizations unless they are members, encountering a 403 error.
  • A workaround was shared involving a separate "org-admin" plugin to handle organization deletion, with notes on cleaning up related database entries.
  • A feature enhancement was proposed to add an option in the organization configuration to allow certain users to delete organizations regardless of membership.
  • This proposal has received positive feedback from multiple maintainers as a way to balance security with super-admin capabilities.
  • The issue remains unresolved and open for further discussion or implementation.

Next Steps:

  • Please let me know if this issue is still relevant with the latest version of better-auth by commenting here to keep the discussion active.
  • If I do not hear back within 7 days, I will automatically close this issue to help keep the backlog manageable.

Thank you for your understanding and contribution!


@lauthieb commented on GitHub (Jul 29, 2025):

> Hi, @lauthieb. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.
>
> Issue Summary:
>
>   • You reported that super admins with the "admin" role cannot update or delete organizations unless they are members, encountering a 403 error.
>   • A workaround was shared involving a separate "org-admin" plugin to handle organization deletion, with notes on cleaning up related database entries.
>   • A feature enhancement was proposed to add an option in the organization configuration to allow certain users to delete organizations regardless of membership.
>   • This proposal has received positive feedback from multiple maintainers as a way to balance security with super-admin capabilities.
>   • The issue remains unresolved and open for further discussion or implementation.
>
> Next Steps:
>
>   • Please let me know if this issue is still relevant with the latest version of better-auth by commenting here to keep the discussion active.
>   • If I do not hear back within 7 days, I will automatically close this issue to help keep the backlog manageable.
>
> Thank you for your understanding and contribution!

This issue is still relevant.


@binajmen commented on GitHub (Aug 8, 2025):

> Hi
>
> I've been investigating this same issue, and I think we could propose a feature enhancement to handle this use case properly.
>
> Currently, the code checks if the user is a member of the organization before checking their permissions, which causes the 403 error for admin users who aren't organization members.
>
> I suggest adding a new option in the organization configuration, similar to how allowUserToCreateOrganization works, but for deletion:
>
> ```typescript
> export interface OrganizationOptions {
>   // ... existing options
>   allowUserToDeleteOrganization?: boolean | ((user: User) => Promise<boolean> | boolean);
> }
> ```
>
> This would allow us to:
>
>   1. Define which users can delete organizations regardless of their membership
>   2. Keep backwards compatibility
>   3. Provide flexibility through a boolean or function approach
>   4. Handle both simple (boolean) and complex (function) authorization scenarios
>
> Would you consider adding this feature? It would solve the admin/super-admin use case while maintaining the security of the existing implementation for regular users.

This looks like a very pragmatic solution. @Bekacru could you validate this approach before someone starts working on a PR?


@stonecobra commented on GitHub (Nov 5, 2025):

Would you need to also add an allowUserToEditOrganization, as the /organization/get-full-organization endpoint also checks membership, but the listOrgs does not, so the admin gets a list that they may not be able to edit or delete?


@stonecobra commented on GitHub (Nov 5, 2025):

@okisdev that would work perfectly for my use case. Checking for an uber-role to allow managing organizations.


@dosubot[bot] commented on GitHub (Feb 4, 2026):

Hi, @lauthieb. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary:

  • You reported that super admins with the "admin" role cannot update or delete organizations unless they are members, causing 403 errors.
  • A workaround using a custom "org-admin" plugin was shared by another user.
  • A feature enhancement was proposed to add an organization config option (allowUserToDeleteOrganization) to allow deletion regardless of membership.
  • This proposal received positive feedback from maintainers and suggestions to extend similar flexibility to editing permissions.
  • The issue remains open, awaiting validation and potential implementation of this flexible permission approach.

Next Steps:

  • Please let me know if this issue is still relevant with the latest version of better-auth by commenting here to keep the discussion open.
  • Otherwise, I will automatically close this issue in 7 days.

Thanks for your understanding and contribution!


@lauthieb commented on GitHub (Feb 4, 2026):

Hello, I think it is still relevant.


@sandros94 commented on GitHub (Feb 12, 2026):

New to better-auth, but as far as I understand it you (platform owner) completely lose control of organizations?

In the current state you are not able to create, list, update or delete orgs?


@ivbaklan2012 commented on GitHub (Mar 19, 2026):

Can I suggest a proposal: it would be very useful to have a "super-admin" be able to perform any actions on the organizations (i.e. adding/removing members, making teams, etc.) and not only update/delete an org.


Reference: github-starred/better-auth#17465