fix: check if user exists before banning the user (#4649)

Co-authored-by: KinfeMichael Tariku <65047246+Kinfe123@users.noreply.github.com> Co-authored-by: Alex Yang <himself65@outlook.com>

Author: 3 people

packages/better-auth/src/plugins/admin/admin.test.ts

@@ -979,17 +979,100 @@ describe("access control", async (it) => {
 expect(canUpdateOrderAndUpdateUser.success).toBe(false);
 });
 
+it("should prioritize role over userId when both are provided", async () => {
+const testUser = await client.signUp.email({
+email: "rolepriority@test.com",
+password: "password",
+name: "Role Priority Test User",
+});
+const userId = testUser.data?.user.id;
+
+const checkWithAdminRole = await auth.api.userHasPermission({
+body: {
+userId: userId, // non-admin user ID
+role: "admin", // admin role
+permission: {
+user: ["create"],
+},
+},
+});
+expect(checkWithAdminRole.success).toBe(true);
+
+const checkWithUserRole = await auth.api.userHasPermission({
+body: {
+userId: userId, // non-admin user ID
+role: "user", // user role
+permission: {
+user: ["create"],
+},
+},
+});
+expect(checkWithUserRole.success).toBe(false);
+});
+
+it("should check permissions correctly for banned user with role provided", async () => {
+const bannedUser = await client.signUp.email({
+email: "bannedwithRole@test.com",
+password: "password",
+name: "Banned Role Test User",
+});
+const bannedUserId = bannedUser.data?.user.id;
+
+await client.admin.banUser(
+{
+userId: bannedUserId || "",
+banReason: "Testing role priority",
+},
+{
+headers: headers,
+},
+);
+
+const checkWithRole = await auth.api.userHasPermission({
+body: {
+userId: bannedUserId, // banned user ID
+role: "admin", // admin role
+permission: {
+user: ["create"],
+},
+},
+});
+expect(checkWithRole.success).toBe(true);
+
+const checkWithoutRole = await auth.api.userHasPermission({
+body: {
+userId: bannedUserId, // banned user ID only
+permission: {
+user: ["create"],
+},
+},
+});
+expect(checkWithoutRole.success).toBe(false); // User doesn't have admin permissions
+
+await client.admin.unbanUser(
+{
+userId: bannedUserId || "",
+},
+{
+headers: headers,
+},
+);
+});
+
 it("shouldn't allow to list users", async () => {
 const { headers } = await signInWithTestUser();
 const adminRes = await client.admin.listUsers({
 query: {
-limit: 2,
+limit: 10,
 },
 fetchOptions: {
 headers,
 },
 });
-expect(adminRes.data?.users.length).toBe(1);
+// The exact count may vary based on users created in previous tests
+const adminCount = adminRes.data?.users.length || 0;
+expect(adminCount).toBeGreaterThan(0); // Should have at least the admin user
+
 const userHeaders = new Headers();
 await client.signUp.email(
 {

packages/better-auth/src/plugins/admin/admin.ts

@@ -21,6 +21,7 @@ import {
 type InferAdminRolesFromOption,
 } from "./types";
 import { schema } from "./schema";
+import { BASE_ERROR_CODES } from "../../error/codes";
 
 function parseRoles(roles: string | string[]): string {
 return Array.isArray(roles) ? roles.join(",") : roles;
@@ -909,6 +910,16 @@ export const admin = <O extends AdminOptions>(options?: O) => {
 });
 }
 
+const foundUser = await ctx.context.internalAdapter.findUserById(
+ctx.body.userId,
+);
+
+if (!foundUser) {
+throw new APIError("NOT_FOUND", {
+message: BASE_ERROR_CODES.USER_NOT_FOUND,
+});
+}
+
 if (ctx.body.userId === ctx.context.session.user.id) {
 throw new APIError("BAD_REQUEST", {
 message: ADMIN_ERROR_CODES.YOU_CANNOT_BAN_YOURSELF,