From 8ffabad1e439d17ea9ebcf9d54ca525d49b5a09c Mon Sep 17 00:00:00 2001
From: Christian Richter
Date: Wed, 29 Oct 2025 17:13:41 +0100
Subject: [PATCH] check tennantId
Signed-off-by: Christian Richter
---
 services/graph/pkg/identity/cache.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/services/graph/pkg/identity/cache.go b/services/graph/pkg/identity/cache.go
index b5ff44e3fd..0d149242f0 100644
--- a/services/graph/pkg/identity/cache.go
+++ b/services/graph/pkg/identity/cache.go
@@ -91,6 +91,9 @@ func (cache IdentityCache) GetUser(ctx context.Context, tennantId, userid string
 if err != nil {
 return libregraph.User{}, err
 }
+ if tennantId != u.GetId().GetTenantId() {
+ return libregraph.User{}, ErrNotFound
+ }
 return *CreateUserModelFromCS3(u), nil
 }
@@ -111,9 +114,17 @@ func (cache IdentityCache) GetCS3User(ctx context.Context, tennantId, userid str
 }
 return nil, errorcode.New(errorcode.GeneralException, err.Error())
 }
- cache.users.Set(userid, user, ttlcache.DefaultTTL)
+ // check if the user is in the correct tenant
+ // if not we need to return before the cache is touched
+ if user.GetId().GetTenantId() != tennantId {
+ return nil, ErrNotFound
+ }
+ cache.users.Set(userid, user, ttlcache.DefaultTTL)
 } else {
+ if user.GetId().GetTenantId() != tennantId {
+ return nil, ErrNotFound
+ }
 user = item.Value()
 }
 return user, nil
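Review bot: The tenant comparison added to GetUser carries no comment saying why a mismatch is reported as `ErrNotFound` rather than as a permission error. If the intent is to avoid disclosing that the user exists in another tenant, I would say so above the `if`, e.g. `// a tenant mismatch is reported as not-found so that users of other tenants are not disclosed`. The comparison is exact, so an empty `tennantId` only matches users whose tenant id is also empty; the function's doc comment should state whether callers may pass an empty value. The start of GetUser, including the call that produces `u`, is outside the hunk.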
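Review bot: In the cache-hit (`else`) branch of GetCS3User the tenant check reads `user` before `user = item.Value()` has run, so it does not compare the cached entry's tenant. The declaration of `user` is outside the hunk, but if it is still the nil zero value at that point and the generated getters are nil-safe, the left-hand side is always an empty string: every hit is rejected for a non-empty `tennantId`, and a call with an empty `tennantId` returns the cached user whatever tenant it belongs to. Assign first and compare afterwards, i.e. `user = item.Value()` followed by `if user.GetId().GetTenantId() != tennantId { return nil, ErrNotFound }`. Because `cache.users.Set(userid, …)` keys the cache by the bare `userid`, this check is the only tenant guard on the hit path.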