feat(auth): expose isPlatformAdmin on the customSession user #1859
Merged
The session payload already derives an `admin` role when the user is a platform admin or active-org admin, but it never surfaces the underlying platform-admin boolean. Console action `visible` CEL predicates need to distinguish platform-admin-only actions (e.g. sys_environment.change_plan) from org-admin actions, which a coarse `admin` role cannot do. Capture the platform-admin check once and attach `isPlatformAdmin` to both customSession return paths. Org-admins who are not platform admins get `isPlatformAdmin: false` (correct — those actions are platform-admin-only). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What

Attach an `isPlatformAdmin` boolean to the better-auth `customSession` user payload (both return paths).

Why

The session already derives a coarse `admin` role for platform admins or active-org admins, but never surfaces the underlying platform-admin signal. Console action `visible` CEL predicates need to gate platform-admin-only actions (e.g. `sys_environment.change_plan`, labeled "Change Plan (admin)") — today a regular user sees the button and clicking it 403s. The `admin` role alone can't distinguish org-admin from platform-admin.

Change

`packages/plugins/plugin-auth/src/auth-manager.ts`: capture `const platformAdmin = await isPlatformAdmin()` once, reuse it for the existing `promote` logic, and add `isPlatformAdmin: platformAdmin` to both customSession returns. Org-admins who are not platform admins correctly get `false`. Real authz stays server-side; this only enables a UX visibility gate downstream (objectui + cloud).

Validation

`turbo build --filter=@objectstack/plugin-auth` green incl. DTS. `@objectstack/plugin-auth` tests: 114/114 pass.

🤖 Generated with Claude Code
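The derivation described under Change, as an added TypeScript illustration that is not the plugin's own code: the platform-admin lookup is awaited once, feeds both the coarse `admin` role and the exposed `isPlatformAdmin` flag, and a stand-in for the console's `visible` predicates consumes it. It goes one step beyond the PR by pairing the UI gate with a server-side check, to show that the flag is a visibility hint and not authorization. The names `deriveSessionUser`, `customSessionUser`, `authorizeChangePlan` and the action `org.invite_member` are assumptions, as is the async shape of `isPlatformAdmin()`.

```typescript
// Added illustration, not the plugin's own code: a customSession-style hook
// that captures the platform-admin check once, derives the coarse "admin" role
// from it, and exposes `isPlatformAdmin` beside that role. All names are assumed.

export type Role = "user" | "admin";

export interface SessionUser {
  id: string;
  role: Role;               // coarse: platform admin OR active-org admin
  isPlatformAdmin: boolean; // the fine-grained signal the console needs
}

// Pure derivation shared by every return path of the hook.
export function deriveSessionUser(
  id: string, platformAdmin: boolean, activeOrgAdmin: boolean,
): SessionUser {
  const promote = platformAdmin || activeOrgAdmin; // existing role promotion
  return { id, role: promote ? "admin" : "user", isPlatformAdmin: platformAdmin };
}

// Hook body: the (assumed async) lookup runs once and feeds both fields.
export async function customSessionUser(
  id: string, activeOrgAdmin: boolean, isPlatformAdmin: () => Promise<boolean>,
): Promise<SessionUser> {
  const platformAdmin = await isPlatformAdmin();
  return deriveSessionUser(id, platformAdmin, activeOrgAdmin);
}

// Stand-ins for the console's CEL `visible` predicates, keyed by action name.
const VISIBLE: Record<string, (u: SessionUser) => boolean> = {
  "sys_environment.change_plan": (u) => u.isPlatformAdmin, // platform-admin only
  "org.invite_member": (u) => u.role === "admin",           // hypothetical org-admin action
};

export function isActionVisible(action: string, u: SessionUser): boolean {
  const rule = VISIBLE[action];
  return rule ? rule(u) : false; // unknown actions stay hidden
}

// Server side: the real check re-derives platform-admin status from the trusted
// lookup; a client that edits its own session payload still gets 403.
export function authorizeChangePlan(
  lookupPlatformAdmin: (id: string) => boolean, id: string,
): number {
  return lookupPlatformAdmin(id) ? 200 : 403;
}
```

An org admin therefore gets `role: "admin"` with `isPlatformAdmin: false`, sees the org action but not `sys_environment.change_plan`, and is still rejected server-side if the button is ever rendered anyway.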