Error when resetting password for tenant admin in host context

[mahmut-gundogdu]

Is there an existing issue for this?

• I have searched the existing issues

Description

By default tenant's first user is admin on my system.

When the user is a host (no tenant selected and has a specific role), the middleware executes dataFilter.Disable<IMultiTenant>();, allowing access to all data. However, when using the "Set Password" modal on the identity/users page to reset the password for a tenant admin, I encounter the following error:

Error: "Username 'admin' is already taken."

Request URL:
api/identity/users/3a161345-51cd-fb9c-2d79-d0f77090af2e/change-password

Response:

{
    "error": {
        "code": "Volo.Abp.Identity:DuplicateUserName",
        "message": "Username 'admin' is already taken.",
        "details": null,
        "data": {
            "0": "admin"
        },
        "validationErrors": null
    }
}

Additional Context:

• The issue occurs when the IMultiTenant filter is disabled (conditionally) , suggesting a possible conflict in username validation across tenants.

the middleware

public class MultiTenancyFilterMiddleware
{
// ... removed  some code for brevity

 public async Task InvokeAsync(HttpContext context, IDataFilter dataFilter, ICurrentUser currentUser, ICurrentTenant currentTenant)
    {
        var shouldDisableMultiTenancy =  currentUser.IsAuthenticated && currentUser.TenantId == null
            && currentUser.Roles.Any(role => role.ToLower() == RequiredRole);

        if (shouldDisableMultiTenancy)
            dataFilter.Disable<IMultiTenant>();
        else
            dataFilter.Enable<IMultiTenant>();
        
        await _next(context);
    }
}

Reproduction Steps

Steps to Reproduce:

1. Log in as a host user with a role that disables the IMultiTenant filter.
2. Navigate to the identity/users page.
3. Attempt to reset the password for a tenant admin using the "Set Password" modal.

Expected behavior

The password reset should complete successfully without a duplicate username error.

Actual behavior

The system throws a "Username 'admin' is already taken" error.

Regression?

No response

Known Workarounds

No response

Version

8.3.0

User Interface

Angular

Database Provider

EF Core (Default)

Tiered or separate authentication server

None (Default)

Operation System

macOS

Other information

No response

[maliming]

hi

First, you can use using to disable the filter in middleware. dataFilter.Disable will be global and also affect background jobs...

if (shouldDisableMultiTenancy)
{
      using(dataFilter.Disable<IMultiTenant>())
      {
            await _next(context);
      }
}
else
{
     await _next(context);
}

---

However, filters should be disabled within the smallest scope. Otherwise, similar problems may occur.

You may need to override some application services to disable the filter for some methods.

---

Identity will verify for duplicate names when updating users and roles. In this case, you must override the default validators or User/RoleManager and re-enable the filter.

https://github.com/dotnet/aspnetcore/blob/release/9.0/src/Identity/Extensions.Core/src/UserValidator.cs#L17
https://github.com/dotnet/aspnetcore/blob/release/9.0/src/Identity/Extensions.Core/src/RoleValidator.cs#L15
https://github.com/abpframework/abp/blob/dev/modules/identity/src/Volo.Abp.Identity.Domain/Volo/Abp/Identity/AbpIdentityUserValidator.cs#L9

https://github.com/dotnet/aspnetcore/blob/release/9.0/src/Identity/Extensions.Core/src/UserManager.cs#L2299-L2328
https://github.com/dotnet/aspnetcore/blob/release/9.0/src/Identity/Extensions.Core/src/RoleManager.cs#L397-L418