Skip to content

#4956 — lock down ForTenant() conjoined-document tenant isolation#4958

Merged
mysticmind merged 1 commit into
masterfrom
tests/4956-for-tenant-conjoined-isolation
Jul 15, 2026
Merged

#4956 — lock down ForTenant() conjoined-document tenant isolation#4958
mysticmind merged 1 commit into
masterfrom
tests/4956-for-tenant-conjoined-isolation

Conversation

@jeremydmiller

Copy link
Copy Markdown
Member

What

Adds a regression suite (Bug_4956_for_tenant_conjoined_isolation, 5 tests) that pins the ForTenant() behavior matrix for conjoined (.MultiTenanted()) documents. No production code change.

Why

#4956 reports a regression from 9.12.0 → 9.15.x: a ForTenant() view of an identity session Store()s a conjoined document under one tenant, then reads it back through the base session (a different tenant) and no longer sees it.

This is the intended behavior established by #4801 / #4947:

The correct pattern for the reporter's code is to read through the same-tenant view: session.ForTenant(tenantId).LoadAsync(id), or open the session for the intended tenant.

Tests

  • base_session_cannot_see_other_tenants_pending_conjoined_write — the reporter's exact scenario returns null.
  • same_tenant_view_sees_its_own_pending_conjoined_write — correct pattern works.
  • committed_conjoined_write_is_only_visible_to_its_own_tenant — after SaveChanges, a fresh default-tenant session still can't load it, but ForTenant("t1") can (DB parity — not an identity-map artifact).
  • multiple_for_tenant_stores_all_commit_through_base_save_changes — several tenants' writes in one unit of work all commit, no cross-tenant bleed.
  • for_tenant_matching_base_tenant_shares_pending_writes_both_directions — the legitimate sharing case.

All green alongside the existing Bug_4801 and Bug_4947 suites (17/17).

Closes #4956.

🤖 Generated with Claude Code

#4956 reports a "regression": a ForTenant() view of an identity session that
Store()s a conjoined (MultiTenanted) document under one tenant, then reads it
back through the BASE session (a different tenant), no longer sees it. This is
the intended behavior of #4801/#4947 — a conjoined id is a different document
per tenant, so a session bound to tenant X must not resolve tenant Y's document.
Pre-9.13 the shared tenant-blind identity map leaked one tenant's uncommitted
write into another's view; #4801 tenant-scoped the map and #4947 restored sharing
only for tenancy-neutral documents. No code change — this adds a regression suite
that pins the ForTenant() matrix so the isolation and legitimate sharing cases
can't silently drift again.

Covers: base-session cross-tenant read returns null (pending + committed/DB
parity), same-tenant view sees its own pending write, multiple ForTenant stores
all commit through one base SaveChanges with no cross-tenant bleed, and
same-tenant ForTenant sharing in both directions.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Regression - IdentitySessions - ForTenant issue with store in tenant scoped session

2 participants