Merge pull request #5574 from sbwalker/dev

fix #5570 - multi-database installation authentication issue
2025-09-04 14:02:24 -04:00
parent 0d04926d9f ca9ddbd90f
commit 966fc55594
1 changed files with 4 additions and 4 deletions
--- a/Oqtane.Server/Security/PrincipalValidator.cs
+++ b/Oqtane.Server/Security/PrincipalValidator.cs
@ -31,11 +31,11 @@ namespace Oqtane.Security
                        var userManager = context.HttpContext.RequestServices.GetService(typeof(IUserManager)) as IUserManager;
                        var user = userManager.GetUser(context.Principal.UserId(), alias.SiteId); // cached

-                        // check if user is valid, not deleted, has roles, and security stamp has not changed
-                        if (user != null && !user.IsDeleted && !string.IsNullOrEmpty(user.Roles) && context.Principal.SecurityStamp() == user.SecurityStamp)
+                        // check if user is valid, not deleted, has roles, and security stamp has not changed for this tenant
+                        if (user != null && !user.IsDeleted && !string.IsNullOrEmpty(user.Roles) && (context.Principal.SecurityStamp() == user.SecurityStamp || context.Principal.SiteKey() != alias.SiteKey))
                        {
-                            // validate sitekey in case user has changed sites in installation
-                            if (context.Principal.SiteKey() != alias.SiteKey || !context.Principal.Roles().Any())
+                            // validate security stamp and sitekey (in case user has changed tenants/sites in installation)
+                            if (context.Principal.SecurityStamp() != user.SecurityStamp || context.Principal.SiteKey() != alias.SiteKey || !context.Principal.Roles().Any())
                            {
                                // refresh principal
                                var identity = UserSecurity.CreateClaimsIdentity(alias, user);