• Harden multi-tenant isolation across all user-facing controllers

    spouliot released this 2026-05-17 18:04:22 -04:00 | 116 commits to master since this release

    Added explicit CompanyId == companyId predicates to every tenant-scoped
    query in 22 controllers so cross-tenant data leakage is impossible even
    if EF Core global query filters are bypassed or misconfigured.

    Also fixed ApplicationDbContext.IsPlatformAdmin to correctly return true
    for SuperAdmins with no CompanyId claim (break-glass accounts) and when
    no HTTP context is present (background services, unit tests), resolving
    225 unit test failures that stemmed from the global filter blocking all
    in-memory test data.

    New MultiTenantIsolationTests class (8 tests) verifies the explicit
    predicate layer independently of the global query filters.

    Co-Authored-By: Claude Sonnet 4.6 noreply@anthropic.com
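
The two layers this release note describes, as an added example that is not the project's code: an EF Core global query filter plus an explicit `CompanyId == companyId` predicate that still scopes the query when the filter is bypassed. `Invoice`, `DemoDbContext` and the constructor parameters (standing in for claim-derived values) are hypothetical; only `CompanyId` and `IsPlatformAdmin` are names from the page.

```csharp
// Added illustration, not the project's code. Needs the
// Microsoft.EntityFrameworkCore.InMemory NuGet package.
using System;
using System.Linq;
using Microsoft.EntityFrameworkCore;

public class Invoice            // hypothetical tenant-scoped entity
{
    public int Id { get; set; }
    public int CompanyId { get; set; }
}

public class DemoDbContext : DbContext   // hypothetical stand-in for ApplicationDbContext
{
    private readonly int? _companyId;    // CompanyId claim; null when absent
    public bool IsPlatformAdmin { get; } // true for break-glass accounts / no HTTP context

    public DemoDbContext(DbContextOptions<DemoDbContext> options, int? companyId, bool isPlatformAdmin)
        : base(options) { _companyId = companyId; IsPlatformAdmin = isPlatformAdmin; }

    public DbSet<Invoice> Invoices => Set<Invoice>();

    // Layer 1: global query filter, switched off entirely for platform admins.
    protected override void OnModelCreating(ModelBuilder b) =>
        b.Entity<Invoice>().HasQueryFilter(i => IsPlatformAdmin || i.CompanyId == _companyId);
}

public static class Program
{
    public static void Main()
    {
        var options = new DbContextOptionsBuilder<DemoDbContext>()
            .UseInMemoryDatabase("tenant-demo").Options;

        // Constructed sample data: one row each for tenants 1 and 2.
        using (var seed = new DemoDbContext(options, null, true))
        {
            seed.Invoices.AddRange(new Invoice { CompanyId = 1 }, new Invoice { CompanyId = 2 });
            seed.SaveChanges();
        }

        int companyId = 1; // tenant the request is acting for
        using var db = new DemoDbContext(options, companyId, isPlatformAdmin: false);
        int filtered = db.Invoices.Count();                       // global filter applied
        int bypassed = db.Invoices.IgnoreQueryFilters().Count();  // filter removed: all tenants
        // Layer 2: the explicit predicate still scopes the query with the filter removed.
        int explicitly = db.Invoices.IgnoreQueryFilters().Count(i => i.CompanyId == companyId);
        Console.WriteLine($"filtered={filtered} bypassed={bypassed} explicit={explicitly}");
    }
}
```

The same explicit predicate is what keeps a query scoped when the context is built with `isPlatformAdmin: true`, the case the release note lists for background services and unit tests, where the global filter no longer restricts anything.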
