[Vulnerability]Ignoring tenant filters can result in cross-tenant unauthorized authorization attacks

[vincywindy]

Documentation

Please check the official documentation before asking questions: https://aspnetboilerplate.com/Pages/Documents

GitHub Issues

GitHub issues are for bug reports, feature requests and other discussions about the framework.

If you're creating a bug/problem report, please include followings:

• Your Abp package version.9.0
• Your base framework: .Net Framework or .Net Core. .net 8
• Exception message and stack trace if available.
• Steps needed to reproduce the problem.

Please write in English.

Stack Overflow

Please use Stack Overflow for your questions about using the framework, templates and samples:

https://stackoverflow.com/questions/tagged/aspnetboilerplate

Use aspnetboilerplate tag in your questions.

Here is an example:
A permission named "TestPermission"
Two or more Tenants:(Tenant1,Tenant2....)
Each Tenants has a same rolename like "testrole"
testrole in Tenant1 has TestPermission
testrole in Tenant2 denied TestPermission
Here is an example appservice for the “TestPermission”

user1 has testrole in Tenant1, it will return true,because testrole in Tenant1 has TestPermission
user2 has testrole in Tenant2, it will return false,because testrole in Tenant2 none TestPermission，but it return true!
The reason is AbpRoleStore.FindByNameAsync search by name,when MayHaveTenant is disable, it will get other rolename cross tenant.

[m-aliozkaya]

Hi @vincywindy,

I tested your pull request and reviewed the code. But such a change is not suitable for the architecture of the boilerplate. If we think like this, we would need to make similar changes in many places. Adding extra tenant filters in many places for developers would not be very sustainable. Instead, we often recommend not removing the MayHaveTenant filter.