Switching CurrentTenant to user.TenantId in PasswordSignInAsync without refreshing IdentityOptions meant that lockout, password policy and other tenant-scoped options used host values during the base sign-in call. Call IdentityOptions.SetAsync inside the tenant switch so downstream checks use the user's tenant configuration.

- Override IdentityUserManager.FindByIdAsync to fall back to a cross-tenant lookup in shared user sharing strategy so any caller that hits FindByIdAsync from a non-matching tenant context (including base SignInManager internals for TwoFactorSignInAsync and TwoFactorRecoveryCodeSignInAsync) can still resolve a tenant user by id
- Drop the now-redundant AbpSignInManager.GetTwoFactorAuthenticationUserAsync override; the base implementation works automatically through the new FindByIdAsync behavior
- Cover the new FindByIdAsync behavior with unit tests

Guards against regressing the data-access contract behind the 2FA redirect bug: login must find a tenant user by user name from a host context, and the 2FA mid-flow must then resolve the same tenant user by id from the same host context.

Exercises the full cookie round-trip: writes a TwoFactorUserId cookie carrying a tenant user id, then verifies that AbpSignInManager.GetTwoFactorAuthenticationUserAsync returns the tenant user when CurrentTenant is null.

- Add IdentityUserManager.FindSharedUserByIdAsync to resolve a user by id across tenants in shared user sharing strategy
- Override AbpSignInManager.GetTwoFactorAuthenticationUserAsync to use it so the 2FA mid-flow can still find a tenant-scoped user when CurrentTenant is host
- Cover the new method with unit tests
- Replace FormattedStringValueExtracter.Extract with LastIndexOf in
PermissionGrantCacheItem and ResourcePermissionGrantCacheItem to
eliminate repeated string tokenization and object allocations on
every cache key parse (~12,000 calls per request with 4000+ permissions)
- Add fast-path in SimpleStateCheckerManager.InternalIsEnabledAsync to
skip DI scope creation when both StateCheckers and GlobalStateCheckers
are empty, avoiding thousands of unnecessary scope allocations
- Optimize PermissionChecker.IsGrantedAsync(string[]) and
ResourcePermissionChecker.IsGrantedAsync(string[], resourceName, resourceKey)
to load all permission definitions once via GetPermissionsAsync /
GetResourcePermissionsAsync instead of N individual GetOrNullAsync calls,
and use batch StateCheckerManager.IsEnabledAsync for state checking
- Optimize AbpApplicationConfigurationAppService.GetAuthConfigAsync to
pre-load all permission names into a HashSet for O(1) lookup instead
of N async GetOrNullAsync calls inside the loop
- Fix GetResourcePermissionsAsync to deduplicate by (ResourceName, Name)
instead of Name only, matching the actual uniqueness constraint of
resource permissions defined in PermissionDefinitionContext
Production impact (customer with 4000+ permissions): 10s+ -> ~682ms
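As an added example (editor's code, not ABP's), the following shows the kind of allocation-free cache-key parse the first bullet describes: an ordinal LastIndexOf for the ",n:" marker instead of a generic format-string extractor that tokenizes the key and builds match objects on every call. The key layout "pn:{0},pk:{1},n:{2}" is assumed to be PermissionGrantCacheItem's CacheKeyFormat; the class and helper names below are the editor's, not the framework's.

```csharp
using System;
using System.Collections.Generic;

// Added example, not ABP's own code. Assumes the cache-key layout
// "pn:{providerName},pk:{providerKey},n:{name}"; names are illustrative.
public static class PermissionGrantCacheKeyExample
{
    private const string CacheKeyFormat = "pn:{0},pk:{1},n:{2}";
    private const string ProviderNamePrefix = "pn:";
    private const string NameMarker = ",n:";

    public static string CalculateCacheKey(string name, string providerName, string providerKey)
    {
        return string.Format(CacheKeyFormat, providerName, providerKey, name);
    }

    // Locate the final ",n:" marker with an ordinal search and return the suffix.
    // Only the result string is allocated per call; no token arrays, no match list.
    public static string GetPermissionNameFromCacheKeyOrNull(string cacheKey)
    {
        if (string.IsNullOrEmpty(cacheKey) ||
            !cacheKey.StartsWith(ProviderNamePrefix, StringComparison.Ordinal))
        {
            return null;
        }

        // LastIndexOf rather than IndexOf: the name is the last segment, so even if an
        // earlier segment (the provider key) contained ",n:" the boundary is still right.
        var markerIndex = cacheKey.LastIndexOf(NameMarker, StringComparison.Ordinal);
        if (markerIndex < 0)
        {
            return null;
        }

        var name = cacheKey.Substring(markerIndex + NameMarker.Length);
        return name.Length == 0 ? null : name;
    }

    public static void Main()
    {
        // Constructed sample keys: two well-formed, two malformed.
        var samples = new List<string>
        {
            CalculateCacheKey("MyApp.Books.Delete", "R", "admin"),
            CalculateCacheKey("MyApp.Books", "U", "3a0c0c5e-0000-0000-0000-000000000001"),
            "pn:R,pk:admin",   // marker missing -> null
            "garbage"          // wrong prefix   -> null
        };

        foreach (var key in samples)
        {
            Console.WriteLine($"{key} => {GetPermissionNameFromCacheKeyOrNull(key) ?? "<null>"}");
        }
    }
}
```

The StringComparison.Ordinal arguments matter for both speed and correctness: a culture-sensitive search is slower and can match differently under some cultures, which is undesirable for a key that is compared byte-for-byte elsewhere in the cache.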
Remove the ownership-based fallback that allowed post creators to delete their own posts in Detail.cshtml. Deletion now strictly requires BloggingPermissions.Posts.Delete, centralizing authorization on explicit permissions to enforce consistent access control.

Wrap JsonDocument usage in explicit using blocks for anonymous job handlers to ensure deterministic disposal and avoid capturing/disposal issues. Also rename the compile-time handler parameter from `context` to `ctx` to prevent potential shadowing. Changes applied to DemoAppSharedModule.cs and SampleJobCreator.cs.

Introduce AnonymousJobExecutionContext and switch anonymous job handler APIs to accept it (Func<AnonymousJobExecutionContext, CancellationToken, Task> / Action<AnonymousJobExecutionContext, CancellationToken>). Update AbpBackgroundJobOptions, IAnonymousJobHandlerRegistry, AnonymousJobHandlerRegistry and AnonymousJobExecutorAsyncBackgroundJob to use the new context and to obtain a cancellation token via ICancellationTokenProvider. Update all call sites (tests, demo module, sample job creator) and documentation to show registering/enqueuing anonymous handlers by name and explain Hangfire display behavior. Also add a .cursor hooks state file. The demo no longer skips enqueuing anonymous jobs for RabbitMQ in this change.

Make anonymous job JSON parsing more robust and fix DI registration for Quartz adapter. Add TryGetJobNameElement to accept both "JobName" and "jobName"; update anonymous job handlers to dispose JsonDocument and to prefer lowercase "value" with a fallback to "Value" for compatibility with different serializers. Also register a non-generic QuartzJobExecutionAdapter in DI and remove an extraneous BOM from a using line.