Tenant Filtering
Documentation of how tenant-scoped data isolation is enforced at the ORM level, including intentional bypasses and their justifications.
How Tenant Filtering Worksβ
All entities extending TenantBaseEntity or TenantOrganizationBaseEntity are automatically scoped by tenantId:
// TenantAwareCrudService automatically adds:
// WHERE tenant_id = :currentTenantId
const employees = await this.employeeService.findAll();
// Returns only employees for the authenticated user's tenant
Automatic Filteringβ
Services that extend TenantAwareCrudService automatically inject the current user's tenantId into:
find()/findAll()β SELECT queriesfindOne()β single record queriescreate()β INSERT operations (sets tenantId)update()β UPDATE operations (scoped by tenantId)delete()β DELETE operations (scoped by tenantId)
Intentional Bypassesβ
Some scenarios intentionally bypass tenant filtering. Every bypass must be documented and justified.
Category 1: Cross-Tenant by Designβ
These services must query across all tenants as part of their core functionality:
| Service | Justification |
|---|---|
TenantService.findAll() | Super Admin listing all tenants |
UserService.findByEmail() | Email lookup during login (pre-auth) |
AuthService.validateUser() | Authentication (no tenant context yet) |
HealthService.check() | System health check (no tenant context) |
Category 2: Manual QueryBuilder Usageβ
Services using createQueryBuilder() bypass automatic tenant scoping and must manually include tenantId:
// β
CORRECT β includes tenant_id filter
const result = await this.repository
.createQueryBuilder("employee")
.where("employee.tenantId = :tenantId", {
tenantId: RequestContext.currentTenantId(),
})
.getMany();
// β WRONG β missing tenant_id filter
const result = await this.repository.createQueryBuilder("employee").getMany();
Category 3: Plugin Servicesβ
Integration plugins that sync external data may operate outside standard tenant context:
| Plugin | Justification |
|---|---|
| GitHub Integration | Webhook handlers receive data without user context |
| Upwork Integration | Background sync jobs with stored credentials |
| Job Search | Cross-tenant job matching |
Category 4: Base Class Internalβ
Internal methods in CrudService and TenantAwareCrudService that implement the filtering logic itself:
| Method | Justification |
|---|---|
CrudService.findAll() | Base implementation without tenant scope |
CrudService.findOne() | Overridden by TenantAwareCrudService |
Audit Rulesβ
New Servicesβ
All new services must:
- Extend
TenantAwareCrudService(default) - Or document the bypass with justification
- Never use raw
Repositorywithout tenant filtering
Manual QueryBuilderβ
All createQueryBuilder usages must:
- Include
.where('entity.tenantId = :tenantId', { tenantId })clause - Use
RequestContext.currentTenantId()for the tenant ID - Be audited for tenant isolation compliance
Code Review Checklistβ
- β
Does the service extend
TenantAwareCrudService? - β
If using
createQueryBuilder, istenantIdin the WHERE clause? - β If bypassing tenant filtering, is there a documented justification?
- β Are plugin services properly scoped when handling multi-tenant data?
- β Do background jobs use stored tenant context?
Configurationβ
Super Admin Cross-Tenant Accessβ
# Allow Super Admin to query across tenants
ALLOW_SUPER_ADMIN_ROLE=true
Super Admin users can access the TenantController to list and manage all tenants.
Maintenance Guidelinesβ
Adding a New Bypassβ
- Document the service, method, and justification in this page
- Add a code comment explaining the bypass
- Ensure Super Admin or system-level authorization is in place
- Submit for code review with explicit security review
Auditing Existing Bypassesβ
Periodically audit all services for:
- Unauthorized
Repository.find()usage (bypasses tenant filter) - Missing
tenantIdincreateQueryBuilderqueries - New plugin services without documentation
- Deprecated bypasses that can be removed
Related Pagesβ
- Multi-Tenancy β tenant architecture
- Roles & Permissions β RBAC
- Database Overview β general database info