[PR #4087] [MERGED] feat(org): Dynamic Access Control #5179

Closed
opened 2026-03-13 12:13:07 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/4087
Author: @ping-maxwell
Created: 8/19/2025
Status: Merged
Merged: 8/31/2025
Merged by: @himself65

Base: canary ← Head: feat/org/dynamic-access-control


📝 Commits (10+)

  • 3aab358 feat(org): Dynamic Access Control
  • 3220968 chore: lint
  • 13e2544 fix: cubic suggestions
  • 7a9ad2a update: code cleanup
  • be9d9b6 Merge branch 'canary' into feat/org/dynamic-access-control
  • 221c276 Merge branch 'canary' into feat/org/dynamic-access-control
  • 25c46d2 Merge branch 'canary' into feat/org/dynamic-access-control
  • 67dc465 Merge branch 'canary' into feat/org/dynamic-access-control
  • 78508ab Update packages/better-auth/src/plugins/organization/routes/crud-access-control.ts
  • 0ce66a1 update: added onUpdate

📊 Changes

15 files changed (+3042 additions, -100 deletions)


📝 docs/content/docs/plugins/organization.mdx (+460 -0)
📝 packages/better-auth/src/adapters/kysely-adapter/test/state.txt (+1 -1)
📝 packages/better-auth/src/plugins/organization/access/statement.ts (+4 -0)
📝 packages/better-auth/src/plugins/organization/client.ts (+16 -3)
📝 packages/better-auth/src/plugins/organization/has-permission.ts (+105 -9)
📝 packages/better-auth/src/plugins/organization/organization.test.ts (+21 -9)
📝 packages/better-auth/src/plugins/organization/organization.ts (+92 -9)
➕ packages/better-auth/src/plugins/organization/routes/crud-access-control.test.ts (+641 -0)
➕ packages/better-auth/src/plugins/organization/routes/crud-access-control.ts (+1377 -0)
📝 packages/better-auth/src/plugins/organization/routes/crud-invites.ts (+22 -12)
📝 packages/better-auth/src/plugins/organization/routes/crud-members.ts (+26 -14)
📝 packages/better-auth/src/plugins/organization/routes/crud-org.ts (+20 -12)
📝 packages/better-auth/src/plugins/organization/routes/crud-team.ts (+53 -30)
📝 packages/better-auth/src/plugins/organization/schema.ts (+10 -0)
📝 packages/better-auth/src/plugins/organization/types.ts (+194 -1)

📄 Description

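https://github.com/better-auth/better-auth/issues/2743

  • [x] additional fields support
  • [x] tests
  • [x] documentation (https://better-auth-docs-git-fork-ping-maxwell-feat-75babf-better-auth.vercel.app/docs/plugins/organization#dynamic-access-control)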

Summary by cubic

Add Dynamic Access Control for organizations so you can create, read, update, and delete org-specific roles at runtime, with async permission checks that include those dynamic roles. This keeps static roles working and unlocks flexible, DB-backed role management.

  • New Features

    • New organizationRole table and endpoints: create-role, delete-role, list-roles, get-role, update-role.
    • hasPermission is now async and loads dynamic roles from the DB; new clientSideHasPermission for client-only checks.
    • Added ac resource to default statements; owner/admin get create/read/update/delete; member gets read.
    • Config: dynamicAccessControl.enabled, validateRoleName, allowCreating/Updating/Deleting/Listing/GettingRole, normalizeRoleName, maximumRolesPerOrganization.
    • organizationRole supports additionalFields; infer on client via inferOrgAdditionalFields.
    • Updated org/team/invite/member routes to await hasPermission.
  • Migration

    • Run DB migration to add the organizationRole table.
    • Server: provide a shared ac instance and enable dynamicAccessControl in the organization plugin.
    • Client: enable dynamicAccessControl in organizationClient; optionally use inferOrgAdditionalFields.
    • Update code to await hasPermission and pass organizationId when available.
    • Note: checkRolePermission runs on the client and does not include dynamic roles; use hasPermission for dynamic role checks.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
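
The two migration points in the summary above (client-side checks do not see dynamic roles, and hasPermission must now be awaited) can be modelled as follows. This is an added example, not code from the PR or from better-auth: the function signatures and bodies, the in-memory `organizationRoleTable`, the `auditor` role, the `grants` helper and both guard functions are assumptions made for illustration.

```javascript
// Simplified model, NOT better-auth's code: names follow the PR summary, bodies are assumptions.
// Static roles as the summary describes the "ac" resource: owner/admin full CRUD, member read.
const STATIC_ROLES = {
  owner: { ac: ["create", "read", "update", "delete"] },
  admin: { ac: ["create", "read", "update", "delete"] },
  member: { ac: ["read"] },
};

// Constructed rows standing in for the organizationRole table.
const organizationRoleTable = [
  { organizationId: "org-1", role: "auditor", permission: { ac: ["read"] } },
];

// True only when every requested action on every requested resource is granted.
// An empty request or an unknown role is denied (fail closed).
function grants(granted, requested) {
  const entries = Object.entries(requested);
  return entries.length > 0 && entries.every(([resource, actions]) =>
    actions.every((action) => (granted?.[resource] ?? []).includes(action)));
}

// Client-only check: sees static roles, never the database.
function clientSideHasPermission(role, permissions) {
  return grants(STATIC_ROLES[role], permissions);
}

// Server check: loads the dynamic roles of this organization only, then evaluates.
async function hasPermission({ role, organizationId, permissions }) {
  const dynamic = Object.create(null);
  for (const row of organizationRoleTable) {
    if (row.organizationId === organizationId) dynamic[row.role] = row.permission;
  }
  // Static definitions win on a name clash (a choice made for this model).
  const roles = { ...dynamic, ...STATIC_ROLES };
  return grants(roles[role], permissions);
}

// BUG kept on purpose: the Promise object is truthy, so this guard allows every caller.
function guardWithoutAwait(input) {
  return hasPermission(input) ? "allow" : "deny";
}

// Correct: the decision is the resolved boolean.
async function guardWithAwait(input) {
  return (await hasPermission(input)) ? "allow" : "deny";
}
```

In a TypeScript code base, type-aware linting such as typescript-eslint's `no-misused-promises` rule flags the un-awaited guard.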

GiteaMirror added the pull-request label 2026-03-13 12:13:07 -05:00

Reference: github-starred/better-auth#5179