[PR #6699] [MERGED] feat(admin): add support role with permissions for user updates and enforce role change validation #6833

New Issue

GiteaMirror · 2026-03-13T13:13:14-05:00

GiteaMirror commented

2026-03-13 13:13:14 -05:00

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/6699
Author: @Bekacru
Created: 12/11/2025
Status: ✅ Merged
Merged: 12/11/2025
Merged by: @Bekacru

Base: canary ← Head: fix/admin-role

📝 Commits (8)

805f930 feat: add support role with permissions for user updates and enforce role change validation
91df830 feat: enforce subscription ownership validation in upgrade, cancel, and restore operations
73826de lint
0ab34f3 Update packages/better-auth/src/plugins/admin/routes.ts
687b364 test: add role validation tests for update-user functionality
4c883c3 feat: enhance session listing by omitting token and formatting date fields
a0103d6 fix type
852105d lint

📊 Changes

6 files changed (+279 additions, -9 deletions)

View changed files

📝 packages/better-auth/src/api/routes/session.ts (+16 -4)
📝 packages/better-auth/src/plugins/admin/admin.test.ts (+112 -0)
📝 packages/better-auth/src/plugins/admin/error-codes.ts (+1 -0)
📝 packages/better-auth/src/plugins/admin/routes.ts (+35 -2)
📝 packages/stripe/src/routes.ts (+29 -3)
📝 packages/stripe/src/stripe.test.ts (+86 -0)

📄 Description

Summary by cubic

Adds a Support role with update permissions and secures role changes by requiring the user:set-role permission. Also blocks cross-user subscription actions by validating subscription ownership in upgrade, cancel, and restore.

New Features
- Support role with user:update and order:update; role changes require user:set-role and valid roles (parseRoles runs after validation).
- Session list omits token and returns ISO date strings for timestamps.
Bug Fixes
- Validate subscriptionId belongs to the current referenceId in upgrade/cancel/restore; reject mismatches as "Subscription not found" without calling Stripe.

^{Written for commit 852105d843. Summary will update automatically on new commits.}

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/better-auth/better-auth/pull/6699 **Author:** [@Bekacru](https://github.com/Bekacru) **Created:** 12/11/2025 **Status:** ✅ Merged **Merged:** 12/11/2025 **Merged by:** [@Bekacru](https://github.com/Bekacru) **Base:** `canary` ← **Head:** `fix/admin-role` --- ### 📝 Commits (8) - [`805f930`](https://github.com/better-auth/better-auth/commit/805f93017eb3bd395686764a3b4b96ee7a9d1525) feat: add support role with permissions for user updates and enforce role change validation - [`91df830`](https://github.com/better-auth/better-auth/commit/91df830f6ac4e20c5bc5171f4f946032559c3697) feat: enforce subscription ownership validation in upgrade, cancel, and restore operations - [`73826de`](https://github.com/better-auth/better-auth/commit/73826de6fb05c4092b6f57abaafecd81bd996010) lint - [`0ab34f3`](https://github.com/better-auth/better-auth/commit/0ab34f3902395807701082fcefcb592de19564ea) Update packages/better-auth/src/plugins/admin/routes.ts - [`687b364`](https://github.com/better-auth/better-auth/commit/687b364c85539f8b85f9ef924f0803283d546e55) test: add role validation tests for update-user functionality - [`4c883c3`](https://github.com/better-auth/better-auth/commit/4c883c3984463d40b2874c9e2e6759dbfe65c163) feat: enhance session listing by omitting token and formatting date fields - [`a0103d6`](https://github.com/better-auth/better-auth/commit/a0103d618bbe57a328b5d30c8d1302e264cb4684) fix type - [`852105d`](https://github.com/better-auth/better-auth/commit/852105d84327ca881d7a3537dfab19b897d89ac0) lint ### 📊 Changes **6 files changed** (+279 additions, -9 deletions) <details> <summary>View changed files</summary> 📝 `packages/better-auth/src/api/routes/session.ts` (+16 -4) 📝 `packages/better-auth/src/plugins/admin/admin.test.ts` (+112 -0) 📝 `packages/better-auth/src/plugins/admin/error-codes.ts` (+1 -0) 📝 `packages/better-auth/src/plugins/admin/routes.ts` (+35 -2) 📝 `packages/stripe/src/routes.ts` (+29 -3) 📝 `packages/stripe/src/stripe.test.ts` (+86 -0) </details> ### 📄 Description  ## Summary by cubic Adds a Support role with update permissions and secures role changes by requiring the user:set-role permission. Also blocks cross-user subscription actions by validating subscription ownership in upgrade, cancel, and restore. - **New Features** - Support role with user:update and order:update; role changes require user:set-role and valid roles (parseRoles runs after validation). - Session list omits token and returns ISO date strings for timestamps. - **Bug Fixes** - Validate subscriptionId belongs to the current referenceId in upgrade/cancel/restore; reject mismatches as "Subscription not found" without calling Stripe. <sup>Written for commit 852105d84327ca881d7a3537dfab19b897d89ac0. Summary will update automatically on new commits.</sup>  --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-03-13 13:13:14 -05:00

GiteaMirror closed this issue

2026-03-13 13:13:14 -05:00

GiteaMirror referenced this issue

2026-03-13 13:16:52 -05:00

[PR #6833] [MERGED] fix(sso): use default import for zod/v4 #6911

GiteaMirror referenced this issue

2026-03-13 13:30:33 -05:00

[PR #7391] [CLOSED] Add support for Stripe Elements (Embedded) #7278

GiteaMirror referenced this issue

2026-04-13 09:51:38 -05:00

[PR #6833] [MERGED] fix(sso): use default import for zod/v4 #15158

GiteaMirror referenced this issue

2026-04-13 10:04:45 -05:00

[PR #7391] [CLOSED] Add support for Stripe Elements (Embedded) #15525

GiteaMirror referenced this issue

2026-04-15 21:59:49 -05:00

[PR #6833] [MERGED] fix(sso): use default import for zod/v4 #23812

GiteaMirror referenced this issue

2026-04-15 22:13:05 -05:00

[PR #7391] [CLOSED] Add support for Stripe Elements (Embedded) #24179

GiteaMirror referenced this issue

2026-04-17 23:18:48 -05:00

[PR #6833] [MERGED] fix(sso): use default import for zod/v4 #32512

GiteaMirror referenced this issue

2026-04-17 23:35:25 -05:00

[PR #7391] [CLOSED] Add support for Stripe Elements (Embedded) #32879

Sign in to join this conversation.

Branches Tags

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/turbo-2.9.14

changeset-release/main

main

2026-05-14/fix/passkey-verify-error-and-claim

dependabot/npm_and_yarn/samlify-2.13.0

dependabot/npm_and_yarn/ws-8.20.1

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

2026-05-13/ci/stabilize-docker-startup

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#6833