github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-23 15:42:09 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity

[PR #5203] feat(admin): add special permissions support for dynamic user permissions #31448

New Issue
Open
opened 2026-04-17 22:19:14 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-04-17 22:19:14 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/5203
Author: @iserdmi
Created: 10/10/2025
Status: 🔄 Open

Base: nextHead: feat/admin-special-permissions

📝 Commits (4)

  • f2c0a87 feat(admin): add special permissions support for dynamic user permissions
  • cfb9c14 feat(admin): add getUserFinalPermissions endpoint and utility
  • d6a423d refactor(admin): simplify special permissions implementation
  • c4df0bf refactor(admin): improve multi-role permission merging in getFinalPermissions

📊 Changes

7 files changed (+766 additions, -12 deletions)

View changed files

📝 packages/better-auth/src/plugins/admin/admin.test.ts (+449 -0)
📝 packages/better-auth/src/plugins/admin/admin.ts (+197 -11)
📝 packages/better-auth/src/plugins/admin/client.ts (+8 -0)
packages/better-auth/src/plugins/admin/final-permissions.ts (+56 -0)
📝 packages/better-auth/src/plugins/admin/has-permission.ts (+29 -1)
📝 packages/better-auth/src/plugins/admin/schema.ts (+5 -0)
📝 packages/better-auth/src/plugins/admin/types.ts (+22 -0)

📄 Description

Description

This PR adds support for special roles with custom per-user permissions in the admin plugin, enabling more granular access control beyond predefined role-based permissions.

Changes

  • Add specialPermissions JSON field to user schema
  • Add specialAdminRole and specialNonAdminRole configuration options
  • Update hasPermission logic to check special permissions when provided
  • Add getUserFinalPermissions endpoint and utility for computed permissions
  • Add client-side support for special permissions validation
  • Add comprehensive tests for special permissions functionality

Testing

  • All existing tests pass
  • Added new test suite for special permissions
  • Linting passes

Breaking Changes

None - this is a backward-compatible feature addition.

Example

const ac = createAccessControl({
  user: [
    "create",
    "read",
    "update",
    "delete",
    "list",
    "bulk-delete",
    "set-role",
  ],
  order: ["create", "read", "update", "delete", "update-many"],
});

const adminAc = ac.newRole({
  user: ["create", "read", "update", "delete", "list", "set-role"],
  order: ["create", "read", "update", "delete"],
});
const userAc = ac.newRole({
  user: ["read"],
  order: ["read"],
});
const adminSpecialAc = ac.newRole({
  user: [],
  order: [],
});
const userSpecialAc = ac.newRole({
  user: [],
  order: [],
});

export const auth = betterAuth({
  plugins: [
    admin({
      ac,
      roles: {
        admin: adminAc,
        user: userAc,
        adminSpecial: adminSpecialAc,
        userSpecial: userSpecialAc,
      },
      adminRoles: ["admin", "adminSpecial"],
      specialRoles: ["adminSpecial", "userSpecial"],
    }),
  ],
});

await client.admin.setRole(
  {
    userId: "any-user-id",
    role: "adminSpecial",
    specialPermissions: {
      user: ["create", "read", "update", "delete"], // typed correctly
      // partial
    },
  },
  {
    headers: adminHeaders,
  },
);

Summary by cubic

Adds special roles with per-user permissions to the admin plugin, enabling granular access beyond static role-based rules. Also adds an API to fetch a user’s final computed permissions and client-side validation support.

  • New Features
    • Add specialPermissions field to users and new specialAdminRole/specialNonAdminRole options.
    • Update hasPermission to honor per-user special permissions for special roles.
    • Add getFinalPermissions utility and /admin/get-user-final-permissions API.
    • Add client.admin.checkRolePermission support for specialPermissions.
    • Add tests for special roles and final permissions.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/better-auth/better-auth/pull/5203 **Author:** [@iserdmi](https://github.com/iserdmi) **Created:** 10/10/2025 **Status:** 🔄 Open **Base:** `next` ← **Head:** `feat/admin-special-permissions` --- ### 📝 Commits (4) - [`f2c0a87`](https://github.com/better-auth/better-auth/commit/f2c0a87c20adfacfb5226ac7ab0c4627b1cdd7c6) feat(admin): add special permissions support for dynamic user permissions - [`cfb9c14`](https://github.com/better-auth/better-auth/commit/cfb9c14eeef3fb9a637d883b44f0ac25f7ec20ac) feat(admin): add getUserFinalPermissions endpoint and utility - [`d6a423d`](https://github.com/better-auth/better-auth/commit/d6a423d0828085762dd6ad76b6ae412fc369863b) refactor(admin): simplify special permissions implementation - [`c4df0bf`](https://github.com/better-auth/better-auth/commit/c4df0bf3158cc5e3756d6050c17df515254048de) refactor(admin): improve multi-role permission merging in getFinalPermissions ### 📊 Changes **7 files changed** (+766 additions, -12 deletions) <details> <summary>View changed files</summary> 📝 `packages/better-auth/src/plugins/admin/admin.test.ts` (+449 -0) 📝 `packages/better-auth/src/plugins/admin/admin.ts` (+197 -11) 📝 `packages/better-auth/src/plugins/admin/client.ts` (+8 -0) ➕ `packages/better-auth/src/plugins/admin/final-permissions.ts` (+56 -0) 📝 `packages/better-auth/src/plugins/admin/has-permission.ts` (+29 -1) 📝 `packages/better-auth/src/plugins/admin/schema.ts` (+5 -0) 📝 `packages/better-auth/src/plugins/admin/types.ts` (+22 -0) </details> ### 📄 Description ## Description This PR adds support for special roles with custom per-user permissions in the admin plugin, enabling more granular access control beyond predefined role-based permissions. ## Changes - Add `specialPermissions` JSON field to user schema - Add `specialAdminRole` and `specialNonAdminRole` configuration options - Update `hasPermission` logic to check special permissions when provided - Add `getUserFinalPermissions` endpoint and utility for computed permissions - Add client-side support for special permissions validation - Add comprehensive tests for special permissions functionality ## Testing - All existing tests pass - Added new test suite for special permissions - Linting passes ## Breaking Changes None - this is a backward-compatible feature addition. ## Example ```ts const ac = createAccessControl({ user: [ "create", "read", "update", "delete", "list", "bulk-delete", "set-role", ], order: ["create", "read", "update", "delete", "update-many"], }); const adminAc = ac.newRole({ user: ["create", "read", "update", "delete", "list", "set-role"], order: ["create", "read", "update", "delete"], }); const userAc = ac.newRole({ user: ["read"], order: ["read"], }); const adminSpecialAc = ac.newRole({ user: [], order: [], }); const userSpecialAc = ac.newRole({ user: [], order: [], }); export const auth = betterAuth({ plugins: [ admin({ ac, roles: { admin: adminAc, user: userAc, adminSpecial: adminSpecialAc, userSpecial: userSpecialAc, }, adminRoles: ["admin", "adminSpecial"], specialRoles: ["adminSpecial", "userSpecial"], }), ], }); await client.admin.setRole( { userId: "any-user-id", role: "adminSpecial", specialPermissions: { user: ["create", "read", "update", "delete"], // typed correctly // partial }, }, { headers: adminHeaders, }, ); ``` <!-- This is an auto-generated description by cubic. --> --- ## Summary by cubic Adds special roles with per-user permissions to the admin plugin, enabling granular access beyond static role-based rules. Also adds an API to fetch a user’s final computed permissions and client-side validation support. - **New Features** - Add specialPermissions field to users and new specialAdminRole/specialNonAdminRole options. - Update hasPermission to honor per-user special permissions for special roles. - Add getFinalPermissions utility and /admin/get-user-final-permissions API. - Add client.admin.checkRolePermission support for specialPermissions. - Add tests for special roles and final permissions. <!-- End of auto-generated description by cubic. --> --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-17 22:19:14 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
adapter
astro
awaiting external contributor
blocked
breaking
breaking change
bug
c-devops
core
credentials
database
dependencies
devops
devtools
docs
documentation
duplicate
elysia
enhancement
enterprise
expo
express
fastify
good first issue
help wanted
hono
identity
infra
integration
invalid
javascript
locked
maintenance
need-more-information
needs: info
needs: repro
nextjs
nuxt
oauth
organization
P0
payments
perf
platform
plugin
pull-request
Mirrored from GitHub Pull Request
 question
ready
regression
remix
security
social-provider
solid
stale
svelte
tanstack-start
tracking
version-bump
vue
wontfix
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#31448
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?