Error when resetting password for tenant admin in host context
Is there an existing issue for this?
- [x] I have searched the existing issues
Description
By default tenant's first user is admin on my system.
When the user is a host (no tenant selected and has a specific role), the middleware executes `dataFilter.Disable<IMultiTenant>();`, allowing access to all data. However, when using the "Set Password" modal on the identity/users page to reset the password for a tenant admin, I encounter the following error:
Error: "Username 'admin' is already taken."
Request URL:
api/identity/users/3a161345-51cd-fb9c-2d79-d0f77090af2e/change-password
Response:
```json
{
  "error": {
    "code": "Volo.Abp.Identity:DuplicateUserName",
    "message": "Username 'admin' is already taken.",
    "details": null,
    "data": {
      "0": "admin"
    },
    "validationErrors": null
  }
}
```
Additional Context:
- The issue occurs when the `IMultiTenant` filter is disabled (conditionally), suggesting a possible conflict in username validation across tenants.
The middleware:

```csharp
public class MultiTenancyFilterMiddleware
{
    // ... removed some code for brevity
    public async Task InvokeAsync(HttpContext context, IDataFilter dataFilter, ICurrentUser currentUser, ICurrentTenant currentTenant)
    {
        var shouldDisableMultiTenancy = currentUser.IsAuthenticated && currentUser.TenantId == null
            && currentUser.Roles.Any(role => role.ToLower() == RequiredRole);
        if (shouldDisableMultiTenancy)
            dataFilter.Disable<IMultiTenant>();
        else
            dataFilter.Enable<IMultiTenant>();
        await _next(context);
    }
}
```
Reproduction Steps
Steps to Reproduce:
- Log in as a host user with a role that disables the `IMultiTenant` filter.
- Navigate to the `identity/users` page.
- Attempt to reset the password for a tenant admin using the "Set Password" modal.
Expected behavior
The password reset should complete successfully without a duplicate username error.
Actual behavior
The system throws a "Username 'admin' is already taken" error.
Regression?
No response
Known Workarounds
No response
Version
8.3.0
User Interface
Angular
Database Provider
EF Core (Default)
Tiered or separate authentication server
None (Default)
Operation System
macOS
Other information
No response
hi
First, you can use `using` to disable the filter in middleware. `dataFilter.Disable` will be global and also affect background jobs...

```csharp
if (shouldDisableMultiTenancy)
{
    using (dataFilter.Disable<IMultiTenant>())
    {
        await _next(context);
    }
}
else
{
    await _next(context);
}
```
However, filters should be disabled within the smallest scope. Otherwise, similar problems may occur.
You may need to override some application services to disable the filter for some methods.
Identity will verify for duplicate names when updating users and roles. In this case, you must override the default validators or User/RoleManager and re-enable the filter.
- https://github.com/dotnet/aspnetcore/blob/release/9.0/src/Identity/Extensions.Core/src/UserValidator.cs#L17
- https://github.com/dotnet/aspnetcore/blob/release/9.0/src/Identity/Extensions.Core/src/RoleValidator.cs#L15
- https://github.com/abpframework/abp/blob/dev/modules/identity/src/Volo.Abp.Identity.Domain/Volo/Abp/Identity/AbpIdentityUserValidator.cs#L9
- https://github.com/dotnet/aspnetcore/blob/release/9.0/src/Identity/Extensions.Core/src/UserManager.cs#L2299-L2328
- https://github.com/dotnet/aspnetcore/blob/release/9.0/src/Identity/Extensions.Core/src/RoleManager.cs#L397-L418
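An added example, not part of the original thread and not ABP's own code: one way to keep the `IMultiTenant` filter disabled for the smallest possible scope during a host-side password reset, as the reply above advises. `HostPasswordResetService` and `ResetAsync` are hypothetical names; the sketch assumes ABP 8.x, a caller that runs inside a unit of work, and that the caller has already been authorized as a host operator.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Volo.Abp.Data;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Identity;
using Volo.Abp.MultiTenancy;

// Hypothetical helper (not ABP code): resets a tenant user's password from the host side.
public class HostPasswordResetService : ITransientDependency
{
    private readonly IDataFilter _dataFilter;
    private readonly ICurrentTenant _currentTenant;
    private readonly IIdentityUserRepository _userRepository;
    private readonly IdentityUserManager _userManager;

    public HostPasswordResetService(
        IDataFilter dataFilter,
        ICurrentTenant currentTenant,
        IIdentityUserRepository userRepository,
        IdentityUserManager userManager)
    {
        _dataFilter = dataFilter;
        _currentTenant = currentTenant;
        _userRepository = userRepository;
        _userManager = userManager;
    }

    public virtual async Task ResetAsync(Guid userId, string newPassword)
    {
        Guid? tenantId;

        // The only cross-tenant read: a single lookup by primary key.
        using (_dataFilter.Disable<IMultiTenant>())
        {
            tenantId = (await _userRepository.GetAsync(userId)).TenantId;
        }

        // Everything else runs as the user's own tenant with the filter enabled,
        // so Identity's duplicate-username lookup only sees that tenant's users.
        using (_currentTenant.Change(tenantId))
        using (_dataFilter.Enable<IMultiTenant>())
        {
            var user = await _userManager.GetByIdAsync(userId);
            (await _userManager.RemovePasswordAsync(user)).CheckErrors();
            (await _userManager.AddPasswordAsync(user, newPassword)).CheckErrors();
        }
    }
}
```

Switching the current tenant as well as re-enabling the filter matters here: with the filter enabled in host context the lookup is limited to host users, so a host account with the same username would still be reported as a duplicate.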
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.