Harden multi-tenant isolation across all user-facing controllers

Added explicit CompanyId == companyId predicates to every tenant-scoped query in 22 controllers so cross-tenant data leakage is impossible even if EF Core global query filters are bypassed or misconfigured. Also fixed ApplicationDbContext.IsPlatformAdmin to correctly return true for SuperAdmins with no CompanyId claim (break-glass accounts) and when no HTTP context is present (background services, unit tests), resolving 225 unit test failures that stemmed from the global filter blocking all in-memory test data. New MultiTenantIsolationTests class (8 tests) verifies the explicit predicate layer independently of the global query filters. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17 18:04:22 -04:00
parent 485f0b69c8
commit 8acbc8605d
23 changed files with 569 additions and 192 deletions
@@ -15,11 +15,13 @@ namespace PowderCoating.Web.Controllers;
 public class SmsConsentAuditController : Controller
 {
    private readonly IUnitOfWork _unitOfWork;
+    private readonly ITenantContext _tenantContext;
    private readonly ILogger<SmsConsentAuditController> _logger;

-    public SmsConsentAuditController(IUnitOfWork unitOfWork, ILogger<SmsConsentAuditController> logger)
+    public SmsConsentAuditController(IUnitOfWork unitOfWork, ITenantContext tenantContext, ILogger<SmsConsentAuditController> logger)
    {
        _unitOfWork = unitOfWork;
+        _tenantContext = tenantContext;
        _logger = logger;
    }

@@ -30,7 +32,8 @@ public class SmsConsentAuditController : Controller
    {
        try
        {
-            var allCustomers = await _unitOfWork.Customers.GetAllAsync();
+            var companyId = _tenantContext.GetCurrentCompanyId() ?? 0;
+            var allCustomers = await _unitOfWork.Customers.FindAsync(c => c.CompanyId == companyId);

            if (!string.IsNullOrWhiteSpace(search))
            {
@@ -98,7 +101,8 @@ public class SmsConsentAuditController : Controller
    {
        try
        {
-            var customers = (await _unitOfWork.Customers.GetAllAsync())
+            var companyId = _tenantContext.GetCurrentCompanyId() ?? 0;
+            var customers = (await _unitOfWork.Customers.FindAsync(c => c.CompanyId == companyId))
                .OrderBy(c => c.CompanyName ?? c.ContactLastName ?? c.ContactFirstName)
                .ToList();