Validate parent organization unit tenant on create and move #25357
Merged
Pull request overview
This PR hardens the Identity module's organization-unit domain logic by validating that a parent organization unit belongs to the same tenant during create and move operations, preventing cross-tenant ParentId references from being persisted.
Changes:
- Adds parent-tenant validation to `OrganizationUnitManager.CreateAsync` and `MoveAsync`.
- Introduces a new Identity error code for parent-tenant mismatches.
- Adds domain tests and localization entries for the new validation error.
Reviewed changes
Copilot reviewed 30 out of 30 changed files in this pull request and generated 26 comments.
| File | Description |
|---|---|
| `modules/identity/test/Volo.Abp.Identity.Domain.Tests/Volo/Abp/Identity/OrganizationUnitManager_Tests.cs` | Adds tests for rejecting cross-tenant parents during create and move. |
| `modules/identity/src/Volo.Abp.Identity.Domain/Volo/Abp/Identity/OrganizationUnitManager.cs` | Enforces parent tenant validation before assigning codes and persisting moves. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/zh-Hant.json` | Adds the new localized error string in Traditional Chinese. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/zh-Hans.json` | Adds the new localized error string in Simplified Chinese. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/vi.json` | Adds the new error string entry for Vietnamese localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/tr.json` | Adds the new error string entry for Turkish localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/sv.json` | Adds the new error string entry for Swedish localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/sl.json` | Adds the new error string entry for Slovenian localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/sk.json` | Adds the new error string entry for Slovak localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/ru.json` | Adds the new error string entry for Russian localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/ro-RO.json` | Adds the new error string entry for Romanian localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/pt-BR.json` | Adds the new error string entry for Brazilian Portuguese localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/pl-PL.json` | Adds the new error string entry for Polish localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/nl.json` | Adds the new error string entry for Dutch localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/it.json` | Adds the new error string entry for Italian localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/is.json` | Adds the new error string entry for Icelandic localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/hu.json` | Adds the new error string entry for Hungarian localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/hr.json` | Adds the new error string entry for Croatian localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/hi.json` | Adds the new error string entry for Hindi localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/fr.json` | Adds the new error string entry for French localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/fi.json` | Adds the new error string entry for Finnish localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/fa.json` | Adds the new error string entry for Persian localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/es.json` | Adds the new error string entry for Spanish localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/en.json` | Adds the base English error message for the new error code. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/en-GB.json` | Adds the UK English error message override for the new error code. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/el.json` | Adds the new error string entry for Greek localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/de.json` | Adds the new error string entry for German localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/cs.json` | Adds the new error string entry for Czech localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/Localization/ar.json` | Adds the new error string entry for Arabic localization. |
| `modules/identity/src/Volo.Abp.Identity.Domain.Shared/Volo/Abp/Identity/IdentityErrorCodes.cs` | Defines the new `OrganizationUnitParentTenantMismatch` error code constant. |
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## rel-10.3 #25357 +/- ##
============================================
+ Coverage 49.30% 49.77% +0.47%
============================================
Files 3667 3609 -58
Lines 123121 120708 -2413
Branches 9404 9218 -186
============================================
- Hits 60707 60085 -622
+ Misses 60590 58826 -1764
+ Partials 1824 1797 -27
EngincanV
approved these changes
May 4, 2026
`OrganizationUnitManager.CreateAsync` and `MoveAsync` accepted any `parentId` without checking that the parent belongs to the same tenant as the OU being created or moved. From a tenant context, calling the API with a `parentId` from another tenant succeeded and stored a cross-tenant `ParentId` reference in the database (`Code` was calculated as a top-level code because the multi-tenant filter hid the parent during lookup, but the FK column itself crossed tenant boundaries).

The manager now validates the parent's `TenantId` before create and move and throws `Volo.Abp.Identity:010010` (`OrganizationUnitParentTenantMismatch`) when they don't match.
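
The failure mode described above, as a simplified stand-alone C# model added here (it is not ABP code and not code from this pull request). `Ou`, `Store`, `CreateUnchecked` and `CreateChecked` are hypothetical names, `Store.Find` stands in for a repository lookup under the multi-tenant filter, and sibling code numbering is omitted.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

// Simplified model of an organization unit row: owner tenant, parent FK, hierarchy code.
record Ou(Guid Id, Guid? TenantId, Guid? ParentId, string Code);
class Store
{
    public readonly List<Ou> Rows = new();
    // Filtered lookup: rows owned by another tenant are invisible to the caller.
    public Ou? Find(Guid id, Guid? tenant) =>
        Rows.FirstOrDefault(r => r.Id == id && r.TenantId == tenant);
    // Unfiltered lookup: what the foreign key column can actually point at.
    public Ou? FindAnyTenant(Guid id) => Rows.FirstOrDefault(r => r.Id == id);
}
static class Demo
{
    // "Before": parent resolved only through the filter, ParentId stored as given.
    static Ou CreateUnchecked(Store s, Guid? tenant, Guid? parentId)
    {
        var parent = parentId is null ? null : s.Find(parentId.Value, tenant);
        var code = parent is null ? "00001" : parent.Code + ".00001";
        var ou = new Ou(Guid.NewGuid(), tenant, parentId, code);
        s.Rows.Add(ou);
        return ou;
    }

    // "After": compare the parent's TenantId before anything is persisted.
    static Ou CreateChecked(Store s, Guid? tenant, Guid? parentId)
    {
        var parent = parentId is null ? null : s.FindAnyTenant(parentId.Value);
        if (parentId is not null && (parent is null || parent.TenantId != tenant))
            throw new InvalidOperationException("Volo.Abp.Identity:010010");
        return CreateUnchecked(s, tenant, parentId);
    }

    static void Main()
    {
        Guid tenantA = Guid.NewGuid(), tenantB = Guid.NewGuid(); // constructed sample tenants
        var s = new Store();
        var foreignParent = CreateUnchecked(s, tenantB, null);
        var child = CreateUnchecked(s, tenantA, foreignParent.Id);
        Console.WriteLine($"unchecked: Code={child.Code}, cross-tenant ParentId stored={child.ParentId == foreignParent.Id}");
        try { CreateChecked(s, tenantA, foreignParent.Id); }
        catch (InvalidOperationException e) { Console.WriteLine($"checked: rejected with {e.Message}"); }
    }
}
```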