joeaudette
commented
7 years ago Users and roles are separate per site by default. A user from one site cannot login to another site without first registering in the other site and you can configure whether self serve public registration is allowed on a site by site basis from the site settings. Registering on a site does not give a user any roles so it does not grant access to any protected area such as the admin section, only users with the administrators role within the site can access that.
I think what you are talking about is that users can view the home page of any site. That is because the home controller is not protected by any authorization policy, it is just the standard home controller created by visual studio project template. You could protect it by defining a policy and decorating the controller class or specific action methods with an AuthorizeAttribute and a policy name.
To answer your question more fully, I've added a new section "Managing Sites" to the Multi Tenant Support wiki page
please read that and if you still have questions let me know and I'll try to clarify more.
Is there a way to limit users by tenant? Currently in the starter projects we can log in as a user and view the different sites. Is there a way that a user can only go to localhost/s1 versus localhost/s2? Thanks