Urgent issue: Our tenant users are able to log in without selecting a tenant and gain all permissions. #9478


rexhxiao created

Version: ABP 9.2.0, using Angular UI and AuthServer.

What could be causing this problem?


4 Answer(s)
  • AI-Bot created
    Support Team ABP Agent
    • In ABP Angular UI, multi-tenancy is enforced by sending the selected tenant's ID as the __tenant header on each request. If users can log in without selecting a tenant and receive all permissions, it usually means the tenant resolution is not working as intended.

    • Common causes:

      1. The tenant resolver is not configured or is misconfigured on the AuthServer or API Host. This allows users to authenticate as the host (no tenant) and gain host-level permissions.
      2. The Angular UI is not sending the __tenant header, or the backend is not reading it.
      3. The login page or authentication flow does not require tenant selection, so users are authenticated as the host by default.
    • Solution steps:

      1. Ensure that the tenant resolver is properly configured in your AuthServer and API Host. For example:
      Configure<AbpTenantResolveOptions>(options =>
      {
          options.AddDomainTenantResolver("{0}.yourdomain.com");
          options.AddHeaderTenantResolver();
          options.AddCookieTenantResolver();
          options.AddQueryStringTenantResolver();
      });
      
      2. Verify that the Angular application is sending the __tenant header on all requests, especially during login.
      3. If you want to force tenant selection, remove or hide the "host" login option from the UI, and ensure the backend does not allow host logins for regular users.
      4. Review your permissions and roles to ensure host-level permissions are not granted to tenant users.
    • If you have custom login logic, make sure it resolves the tenant before authenticating the user.

    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  • maliming created
    Support Team Fullstack Developer

    hi

    Can you explain it in more detail?

    What is the username? password?

    Maybe the host has the same user with the same password.

    You can check it in the host user page.

    Thanks.

  • rexhxiao created

    I’m very sorry—I thought it was a serious issue, so I submitted the report immediately. However, our developer later explained that they manually modified the database user data, which caused the problem. We’ve now confirmed that it was due to human error and a data-related issue. I sincerely apologize for this.

  • maliming created
    Support Team Fullstack Developer

    ok, : )
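
The check suggested in this thread (a host user with the same name as a tenant user) written as a query, as an added example that is not part of the thread or of ABP's own code. It assumes ABP's default Identity table `AbpUsers` with the columns `TenantId`, `NormalizedUserName`, `PasswordHash` and `IsDeleted`, and runs on constructed rows in an in-memory SQLite database; the function and variable names are hypothetical.

```python
import sqlite3

# Constructed sample rows. Table and column names assume ABP's default
# Identity schema, where TenantId IS NULL marks a host-side user.
SAMPLE_USERS = [
    # (Id, TenantId, NormalizedUserName, PasswordHash, IsDeleted)
    ("u1", None, "ADMIN", "hash-A", 0),        # host admin
    ("u2", "tenant-1", "ADMIN", "hash-B", 0),  # tenant admin, own password
    ("u3", "tenant-1", "ALICE", "hash-C", 0),  # ordinary tenant user
    ("u4", None, "ALICE", "hash-C", 0),        # host row with a copied hash
    ("u5", "tenant-2", "BOB", "hash-D", 0),
    ("u6", None, "BOB", "hash-E", 1),          # soft-deleted, ignored
]

# Pair every active host user with active tenant users of the same name.
# ASP.NET Core Identity salts each hash, so two rows with an identical
# PasswordHash were copied between rows rather than set independently.
AUDIT_SQL = """
SELECT h.NormalizedUserName, h.Id, t.Id, t.TenantId,
       CASE WHEN h.PasswordHash = t.PasswordHash THEN 1 ELSE 0 END
FROM AbpUsers AS h
JOIN AbpUsers AS t ON t.NormalizedUserName = h.NormalizedUserName
WHERE h.TenantId IS NULL AND t.TenantId IS NOT NULL
  AND h.IsDeleted = 0 AND t.IsDeleted = 0
ORDER BY h.NormalizedUserName, t.TenantId
"""

def build_sample_db():
    """Create an in-memory table shaped like AbpUsers and load the sample."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE AbpUsers (Id TEXT PRIMARY KEY, TenantId TEXT,"
                 " NormalizedUserName TEXT, PasswordHash TEXT, IsDeleted INTEGER)")
    conn.executemany("INSERT INTO AbpUsers VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn

def find_host_shadow_accounts(conn):
    """Return host accounts that share a user name with a tenant account."""
    return [
        {"user_name": name, "host_user_id": host_id, "tenant_user_id": tenant_id,
         "tenant_id": tenant, "hash_copied": bool(same_hash)}
        for name, host_id, tenant_id, tenant, same_hash in conn.execute(AUDIT_SQL)
    ]

if __name__ == "__main__":
    for finding in find_host_shadow_accounts(build_sample_db()):
        print(finding)
```

A finding with `hash_copied` set points to a row copied between host and tenant; one without it is only a name collision and is worth reviewing on the host user page.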

Made with ❤️ on ABP v10.0.0-preview. Updated on July 17, 2025, 06:22