From ca9ddbd90f0828fb9e639bcc6ba0601f536eccdc Mon Sep 17 00:00:00 2001
From: sbwalker
Date: Thu, 4 Sep 2025 14:01:42 -0400
Subject: [PATCH] fix #5570 - multi-database installation authentication issue
---
 Oqtane.Server/Security/PrincipalValidator.cs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Oqtane.Server/Security/PrincipalValidator.cs b/Oqtane.Server/Security/PrincipalValidator.cs
index 45e99c34..b45ec366 100644
--- a/Oqtane.Server/Security/PrincipalValidator.cs
+++ b/Oqtane.Server/Security/PrincipalValidator.cs
@@ -31,11 +31,11 @@ namespace Oqtane.Security
 var userManager = context.HttpContext.RequestServices.GetService(typeof(IUserManager)) as IUserManager;
 var user = userManager.GetUser(context.Principal.UserId(), alias.SiteId); // cached
- // check if user is valid, not deleted, has roles, and security stamp has not changed
- if (user != null && !user.IsDeleted && !string.IsNullOrEmpty(user.Roles) && context.Principal.SecurityStamp() == user.SecurityStamp)
+ // check if user is valid, not deleted, has roles, and security stamp has not changed for this tenant
+ if (user != null && !user.IsDeleted && !string.IsNullOrEmpty(user.Roles) && (context.Principal.SecurityStamp() == user.SecurityStamp || context.Principal.SiteKey() != alias.SiteKey))
 {
- // validate sitekey in case user has changed sites in installation
- if (context.Principal.SiteKey() != alias.SiteKey || !context.Principal.Roles().Any())
+ // validate security stamp and sitekey (in case user has changed tenants/sites in installation)
+ if (context.Principal.SecurityStamp() != user.SecurityStamp || context.Principal.SiteKey() != alias.SiteKey || !context.Principal.Roles().Any())
 {
 // refresh principal
 var identity = UserSecurity.CreateClaimsIdentity(alias, user);
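Review bot: The new outer condition accepts a principal whose security stamp does not match `user.SecurityStamp` whenever `context.Principal.SiteKey() != alias.SiteKey`, and the refresh branch then rebuilds the identity from whatever `GetUser(context.Principal.UserId(), alias.SiteId)` returns in the current tenant. If tenants keep users in separate databases, as the commit subject suggests, the same numeric UserId may belong to a different account here, and a cookie whose stamp was rotated is refreshed rather than rejected; nothing visible in the hunk ties the presented principal to this `user` beyond the id. Before refreshing on a SiteKey mismatch, consider also requiring a tenant-independent match and rejecting otherwise, for example `&& string.Equals(context.Principal.Identity?.Name, user.Username, StringComparison.OrdinalIgnoreCase)`, assuming the name claim carries the username. The stamp comparison added to the inner `if` is already implied by the outer condition (a stamp mismatch can only reach it when the SiteKey differs), so it can be dropped or replaced by a comment saying so. The enclosing method starts and ends outside the hunk.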