Harden multi-tenant isolation across all user-facing controllers

Added explicit CompanyId == companyId predicates to every tenant-scoped query in 22 controllers so cross-tenant data leakage is impossible even if EF Core global query filters are bypassed or misconfigured. Also fixed ApplicationDbContext.IsPlatformAdmin to correctly return true for SuperAdmins with no CompanyId claim (break-glass accounts) and when no HTTP context is present (background services, unit tests), resolving 225 unit test failures that stemmed from the global filter blocking all in-memory test data. New MultiTenantIsolationTests class (8 tests) verifies the explicit predicate layer independently of the global query filters. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17 18:04:22 -04:00
parent 485f0b69c8
commit 8acbc8605d
23 changed files with 569 additions and 192 deletions
@@ -60,10 +60,11 @@ public class AccountingExportController : Controller
    {
        var start         = startDate.Date;
        var end           = endDate.Date.AddDays(1).AddTicks(-1);
+        var companyId     = _tenantContext.GetCurrentCompanyId() ?? 0;

        // ── Load data ─────────────────────────────────────────────────────────
        var invoices = (await _unitOfWork.Invoices.FindAsync(
-                i => i.InvoiceDate >= start && i.InvoiceDate <= end,
+                i => i.CompanyId == companyId && i.InvoiceDate >= start && i.InvoiceDate <= end,
                false,
                i => i.InvoiceItems,
                i => i.Payments,
@@ -72,7 +73,7 @@ public class AccountingExportController : Controller
            .ToList();

        var expenses = (await _unitOfWork.Expenses.FindAsync(
-                e => e.Date >= start && e.Date <= end,
+                e => e.CompanyId == companyId && e.Date >= start && e.Date <= end,
                false,
                e => e.Vendor,
                e => e.ExpenseAccount,
@@ -82,7 +83,7 @@ public class AccountingExportController : Controller

        var bills = await _unitOfWork.Bills.GetForDateRangeAsync(start, end);

-        var customers = (await _unitOfWork.Customers.GetAllAsync())
+        var customers = (await _unitOfWork.Customers.FindAsync(c => c.CompanyId == companyId))
            .OrderBy(c => c.CompanyName ?? c.ContactFirstName)
            .ToList();