Models:

class Tenant < ActiveRecord::Base
  has_many :userroles
  has_many :users, through: :userroles
  has_many :roles, through: :userroles
  has_many :admins, -> { joins(:roles).where("roles.name = 'admin'").uniq }, through: :userroles, class_name: 'User', source: :user
end

class Role < ActiveRecord::Base
  has_paper_trail
  acts_as_paranoid
  has_many :userroles, :dependent => :destroy
  has_many :users, :through => :userroles
end

class Userrole < ActiveRecord::Base
  acts_as_tenant(:tenant)
  has_paper_trail
  belongs_to :user
  belongs_to :role
end

When current_tenant doesn't set my code work right, but if I set current_tenant, I got errors. In console I got those errors:

2.1.0 :001 > ActsAsTenant.current_tenant
 => nil 
2.1.0 :002 > t = Tenant.first
2.1.0 :004 > t.admins.count
   (1.5ms)  SELECT DISTINCT COUNT(DISTINCT "users"."id") FROM "users" INNER JOIN "userroles" "userroles_users_join" ON "userroles_users_join"."user_id" = "users"."id" INNER JOIN "roles" ON "roles"."id" = "userroles_users_join"."role_id" AND "roles"."deleted_at" IS NULL INNER JOIN "userroles" ON "users"."id" = "userroles"."user_id" WHERE "users"."deleted_at" IS NULL AND "userroles"."tenant_id" = $1 AND (roles.name = 'admin')  [["tenant_id", 1]]
 => 1 
2.1.0 :005 > ActsAsTenant.current_tenant = t
2.1.0 :006 > t.admins.count
   (2.6ms)  SELECT DISTINCT COUNT(DISTINCT "users"."id") FROM "users" INNER JOIN "userroles" "userroles_users_join" ON "userroles_users_join"."user_id" = "users"."id" AND (userroles.tenant_id = 1) INNER JOIN "roles" ON "roles"."id" = "userroles_users_join"."role_id" AND "roles"."deleted_at" IS NULL INNER JOIN "userroles" ON "users"."id" = "userroles"."user_id" WHERE "users"."deleted_at" IS NULL AND "userroles"."tenant_id" = $1 AND (userroles.tenant_id = 1) AND (roles.name = 'admin')  [["tenant_id", 1]]
PG::UndefinedTable: ERROR:  invalid reference to FROM-clause entry for table "userroles"
LINE 1: ...erroles_users_join"."user_id" = "users"."id" AND (userroles....
                                                             ^
HINT:  Perhaps you meant to reference the table alias "userroles_users_join".
: SELECT DISTINCT COUNT(DISTINCT "users"."id") FROM "users" INNER JOIN "userroles" "userroles_users_join" ON "userroles_users_join"."user_id" = "users"."id" AND (userroles.tenant_id = 1) INNER JOIN "roles" ON "roles"."id" = "userroles_users_join"."role_id" AND "roles"."deleted_at" IS NULL INNER JOIN "userroles" ON "users"."id" = "userroles"."user_id" WHERE "users"."deleted_at" IS NULL AND "userroles"."tenant_id" = $1 AND (userroles.tenant_id = 1) AND (roles.name = 'admin')
ActiveRecord::StatementInvalid: PG::UndefinedTable: ERROR:  invalid reference to FROM-clause entry for table "userroles"

because

where("#{self.table_name}.#{fkey} = ?", ActsAsTenant.current_tenant.id)  if ActsAsTenant.current_tenant

https://github.com/ErwinM/acts_as_tenant/blob/master/lib/acts_as_tenant/model_extensions.rb#L56

What should I do? I need tenanted Userroles models, so I can't exclude acts_as_tenant from them (such as delete default scope).

I am trying to use acts_as_tenant in a test/guide application that uses and rails gem/engine Plutus.

I've got it semi- working, but have ran into a few few problems that I posted on StackOverflow.

Don't know if this has been tried before (using AoT in an engine engine) but could't find anything in the issues or web. If you can point me in a direction I'd be grateful.

Are the values in belongs_to association also validated to check if they belong to the same tenant ?

EXAMPLE :
Lets say there are 2 models as follows:

ARTICLE with id, tenant_id columns
COMMENT with id, article_id and tenant_id columns
ARTICLE has many COMMENTS and COMMENTS belongs to ARTICLE
There are 2 articles in database :
Article ( :id => 1, :tenant_id => 10)
Article ( :id => 2, :tenant_id => 8)

Now,
Comment.create! ( :article_id => 1, :tenant_id => 10) # This works since article #1 belongs to tenant #10

However,
Comment.create! ( :article_id => 2, :tenant_id => 10) # This still works even if article #2 does NOT belong to tenant #10
Shouldn't this fail since comment is being associated to an article that belongs to another tenant ?

Without this check, a malicious user can associate objects belonging to other tenants (and not within his tenant)....

Great Work!
Really thank you.

Erwin. and then I want the sample project of using acts_as_tenant gem.

The best way is to use the sample project, I think.

I have an issue where I can filter the data belonging to each tenant as expected, however, when there is no subdomain or www is used I can see all the data from all tenants. For example, if I create a new account with a subdomain of 'green' and create a new user and equipment all the data is associated with the account where "green" is the subdomain. Which is perfect. When I create another account with "sample" it works the same and no data from "green" is shown. This is perfect. However, when I use www. or no subdomain, I can log in as any user and see all the data from the tenants.

I would prefer that if someone goes to www.mydomain.com or mydomain.com they could not log in and see all the data. I can use a before_filter by the subdomain, but that renders www.mydomain.com and mydomain.com useless and there is by default no opportunity for a user to create an account. The only good thing about this is that only "green" and "sample" accounts can see their respective data.

I have search high and low for a solution to this but to no avail. Please advise.

I'm fairly new to rails in general (i know... where have I been all these years) but am trying to understand the best way to implement this type of environment...

Say a user logs in and is under a subdomain like 'mybusiness.domainname.com' and that will filter the records he sees based on tenant_id... which i have working just fine...
However, what would it take to do some sort of selectable 'location' of mybusiness...

Say for instance, I determine this user has access to 2 of our business locations...
So he selects one of those locations, it would then set some sort of session saying he's within the context of that 'location' now and all queries should filter based on that location, instead of globally amongst both of his accessible locations? Make sense?

Would that be something I should look elsewhere for or could I some how merge this concept with it somehow?

My acts_as_tenant usage:

class Domain < ActiveRecord::Base
  has_many :users
end

class User < ActiveRecord::Base
  acts_as_tenant(:domain)
  # devise stuff
end

class ApplicationController < ActionController::Base
  set_current_tenant_through_filter
  before_filter :set_tenant
  protect_from_forgery

  def set_tenant
    @domain = Domain.find_or_create_by_name(request.host)
    set_current_tenant(@domain)
  end
end

Configuration

Configure session_store with active_record_store or cookie_store, with or without key and domain: '.domain.tld' does not change anything.

Step to reproduce:

1. When I go to domain1.domain.tld
   When I sign-up or sign-in
   Then I am signed-in, OK
2. When I go to domain2.domain.tld
   Then I am not signed-in, OK
3. When I go again to domain1.domain.tld
   Then I should not be signed-in, KO

Ideal use case

1. When I go to domain1.domain.tld
   When I sign-up or sign-in as Dummy1
   Then I am signed-in as Dummy1
2. When I go to domain2.domain.tld
   Then I am not signed-in
   When I sign-up or sign-in as Dummy2
   Then I am signed-in as Dummy2
3. When I go again to domain1.domain.tld
   Then I am signed-in as Dummy1

Hello,

Do I need a compound index on each table? For example an index for account_id (tenant) and project_id on a Project model? Right now I have individual ones for each of them.

Okay, this is more about my implementation than an actual issue with the gem, but thought I would raise it here an see if anyone watching has a solution...
I am not using subdomains, but rather a relation between the current_user (I am using sorcery) and the tenant model, so the tenant is not set until the user logs in (I think the new basecamp takes a similar approach). The problem is that "current_user" method has not been set up at the point of calling set_current_tenant_to, so it fails. session[:user_id] doesn't work because the session is not set up and neither is "cookies". Any ideas?
Many Thanks!

Hi,
Below is a rspec test that successfully passes. I am wondering is there a way to raise an error if account_id is set to something different from current_tenant.id

it "automatically sets tenant id" do
ActsAsTenant.current_tenant = Account.create!(:name => 'foo')
@account2 = Account.create!(:name => 'baz')
Project.create!(:name => "New Project", :account_id => @account2.id).account_id.should eq ActsAsTenant.current_tenant.id
end

Ritesh

I have the following two models:

class EmailTemplate < ActiveRecord::Base
  acts_as_tenant :organization
end

class Organization < ActiveRecord::Base
end

This worked when using ActsAsTenant version 0.2.9 but fails with the latest version 0.3.4

EmailTemplate.first.organization
# We expect this to return an Organization instance, which it did before

Now it simply raises an error:

NoMethodError: super: no superclass method `organization' for #<EmailTemplate:0x007fde7d8cda58>
from /Users/thomas/.rbenv/versions/1.9.3-p194-perf/lib/ruby/gems/1.9.1/gems/activemodel-3.1.12/lib/active_model/attribute_methods.rb:385:in `method_missing'

We're using rails 3.1.12 and ruby 1.9.3p194

I'd like to be able to do something like

belongs_to :tenant, :foreign_key => "tenant_col"
acts_as_tenant :tenant

But no matter what I end up with "tenant_id" in the generated SQL WHERE clause.

Is there any way to get acts_as_tenant to use the :foreign_key specified on the existing belongs_to relationship?

I use with_tenant to calculate a value, scoped by a different tenant.

x = ActsAsTenant.with_tenant(@account) do
  return "some value"
end

However, the return statement inside the block will return from the entire with_tenant method and therefore prevent the tenant to be reset to the old tenant.

What other ways is there to get the value from the block?

ATM with_tenant itself returns the old_tenant.
Would it break the API if with_tenant would return the value of the block instead?

This validation hits the db (even if the model is already loaded)
When saving hundreds of tenanted entities this is expensive.

Why do we have this validation ? what is the initial requirement ?
Do you see a way to prevent hitting the db ?

• http://apidock.com/rails/ActiveRecord/IdentityMap and check if the associated model is tenanted and hold the current tenant value ?

I'm trying to make a "super tenant" that can see data from all tenants, not a parent child relationship, just a master system that has no rules.

I'm using activeadmin, and the only one I would want enforced for the "system" tenant is the admin_user model.

The login still needs to use acts_as_tenant, but the rest of them don't once you're authenticated...?

What would be the quickest way to pull this off you think?

Hi,

I am having the following issue (using the spec example from your code).

class Account < ActiveRecord::Base
    has_many :projects
end

class Project < ActiveRecord::Base
    has_many :tasks
    acts_as_tenant :account
end

class Task < ActiveRecord::Base
    belongs_to :project
    acts_as_tenant :account
end

If I attempt to add a task without it belonging to a project the following SQL is run

t = Task.new(:name => "test")
t.save

SELECT COUNT(*) FROM "projects" WHERE "projects"."id" IS NULL 
    => false 

and the task is not saved. This is happening as well when I use accepts_nested_attributes_for within my model. I'm assuming rails is saving the Task before the Project and therefor creating this error.

Thanks for the gem and your help!

https://github.com/ErwinM/acts_as_tenant/blob/master/lib/acts_as_tenant/model_extensions.rb#L57-L61

before_validation Proc.new {|m|
  if ActsAsTenant.current_tenant
    m.send "#{association}_id=".to_sym, ActsAsTenant.current_tenant.id
  end
}, :on => :create

Currently accociation_id is set with a before_validation call. I suggest to replace it with an after_initialize call. This way the association is available even earlier.

after_initialize do
  if ActsAsTenant.current_tenant
    m.send "#{association}_id=".to_sym, ActsAsTenant.current_tenant.id
  end unless m.send("#{association}_id".to_sym).present?
end

What do you think about this idea?

I am using your great gem for multi tenancy purposes and also for switching users for superuser role users. I.e. superusers can act as any other tenant and create/edit/etc records for different account. But I faced the following problem: I am also recording created_by/updated_by. Obviously superusers belong to a particular account/tenant. And when created_by/updated_by populated (setting to superuser's tenant_id) it's either not visible by other users or it doesn't allow to update (throwing "Created by association is invalid [ActsAsTenant]" exception).

Ideally I need to have tenant_id = nil for superuser but I doubt it's gonna work. Any idea how to approach/fix the problem?

In my app, I have an Account, and a User that belongs_to Account. Account then has_many widgets, and Widget has_many Orders.

They form a sort of tree, and it seems a bit redundant to me to require any new model within that tree to have an account_id. My current ad-hoc solution is to simply go current_user.account.widgets to scope them, but I do see the downside that I may use Widget.find somewhere and expose some other Account's widgets.

I guess where my rambling is going, is I'm wondering if there is any way to modify acts_as_tenant to use my associations to do the scoping, instead of requiring an account_id. Or am I missing something else, and this is a terrible idea? I suppose there is a bit of a performance overhead of following the associations, but I plan to fetch them all in one query anywhere, where necessary.

I have a non-tenant table ("called services") and a tenant-table ("called service_texts").
When I do a join, then the scope on the tenant is not triggered.

The Explain string is:

SELECT "services".* FROM "services" INNER JOIN "service_texts" ON "service_texts"."service_id" = "services"."id"

Is there a way, that the Gem also scopes on these kind of queries?

If I don't, I get a ActsAsTenant::Errors::NoTenantSet

I'm having real issues in trying to grab the current_user from devise, determine the account id from here and then pass this as a variable to the set_current_tenant_to method.

In my application controller I have:

class ApplicationController < ActionController::Base

  protect_from_forgery # See ActionController::RequestForgeryProtection for details      
  helper :all # include all helpers, all the time

  def get_current_account_id
    current_account_user = current_user
    current_account_id = current_account_user.account_id
    current_account_id
  end

  current_account = Account.find(get_current_account_id)
  set_current_tenant_to(current_account)

I know that the get_current_account_id deduces the correct account_id because when I place it in the a before_filter call I can see in the logs it outputs the correct figure. However when I run this I get the following error:

Routing Error

undefined local variable or method `get_current_account_id' for ApplicationController:Class

Any idea how I can get this to work?

Posted this on stackoverflow too but figured I better get to the bottom of this on here too..
http://stackoverflow.com/questions/17196434/how-to-build-associated-records-before-tenant-class-is-saved-with-acts-as-tena

Example...

I have a class called client which is my tenant model.

I have associated records to save along with each new client that gets created.
Let's call them tasks.

I created an after_initialize callback inside of client that calls a method called build_defaults which does the following...

def build_defaults
self.tasks.build(
  Task.new({
    :name => 'task 1',
    :description => 'task 1 desc',
    :view_module => 'task_1_template'
  }),
  Task.new({
    :name => 'task 2',
    :description => 'task 2 desc',
    :view_module => 'task_2_template'
  }),
  Task.new({
    :name => 'task 3',
    :description => 'task 3 desc',
    :view_module => 'task_3_template'
  }),
  Task.new({
    :name => 'task 4',
    :description => 'task 4 desc',
    :view_module => 'task_4_template'
  }),
  Task.new({
    :name => 'task 5',
    :description => 'task 5 desc',
    :view_module => 'task_5_template'
  })
)
end

The task class is setup as acts_as_tenant :client

When I go to do @client = new Client( :name => "Test Client" )
It raises ActsAsTenant::Errors::NoTenantSet: ActsAsTenant::Errors::NoTenantSet

Is there a way to conditionally bypass acts_as_tenant's check when it's a new_record? or a better way to handle this type of thing?

I'm fairly new to rails / ruby as of a few months ago...?

UPDATE

Well, I figured out if I change it to an "after_create" and set ActsAsTenant.current_tenant = self within the method I can do self.tasks.create! calls... but not sure if overriding ActsAsTenant.current_tenant is a good idea?

  after_create :build_defaults
  def build_defaults
    ActsAsTenant.current_tenant = self
    self.tasks.create!({
      :name => 'Facebook > Page Like',
      :description => 'Request that they like your page.',
      :view_module => 'facebook_page_like'
    })
    self.tasks.create!({
      :name => 'Facebook > Share',
      :description => 'Share a link on Facebook',
      :view_module => 'facebook_share_link'
    })
    self.tasks.create!({
      :name => 'Twitter > Tweet',
      :description => 'Post a tweet on a user behalf.',
      :view_module => 'twitter_tweet'
    })
    self.tasks.create!({
      :name => 'Twitter > Follow',
      :description => 'Follow the company twitter user.',
      :view_module => 'twitter_follow'
    })
    self.tasks.create!({
      :name => 'Giveaway Share',
      :description => 'This allows you to earn 5 extra entries by re-sharing this giveaway.',
      :view_module => 'giveaway_share'
    })
  end

0.3.4 is not on RubyGems yet

Hello,

I am creating an account and a user (using nested attributes, has_many through). The problem is that the account_id is not set in the user record. Is there a way to set account_id (tenant column) manually? I tried it but I get an immutable error.

Just letting you know the url is typoed:
rolll vs roll

should be http://www.rollcallapp.com/blog

Thanks for this gem BTW!

Hi,

It doesn't look like AaT supports "multiple" tenants out of the box, unless I'm missing something. For instance, say you want to have an :account tenant as well as a :reseller tenant.

Is this something anyone else might want/need? I could fork AaT and try to add it. Any thoughts on a strategy? Seems like we may be able to add sort of "key" option to ActsAsTenant.current_tenant.

Thanks.

When I use the has_and_belongs_to_many association in the model having act_as_tenant, I got the internal server error. Actually, it is an NoMethodError (undefined method ... ). So, I don't the problem. Please help me to verify. Thanks

Hi,

I have a question regarding using acts_as_tenant.

I have a model that have organization and sub_organization in the same table.

• OrganiazationModel
• id - sub_id - name

The relationship to the organization/sub_organization model is done through

• CarModel [acts_as_tenant :organiazation]
• organization_id - name

Now I want to use acts_as_tenant but I don't know if I can use it in my purpose.

Now I do this:

• acts_as_tenant.current_tenant = current_root_organiaztion

But this does not allow me to do anything with the sub_organization, only root_organization.

Is there something I can do so I don't need to add one extra column for CarModel

• CarModel
• id - organization_id - tenacy_id

If I'm using tenant for the wrong purpose then please tell me, and I will try to find another way.

I have a question. If I want to by-pass the tenant scope in some actions in controllers, what should I do? There are some queries that I don't want to be scoped. Please guide me to this problem. Thank you.

Hi There I would like to use acts_as_tenant with the rails-api gem - currently when I inherit from ActionController::API only - the method
set_current_tenant_through_filter
is not recognised. My current work around is to use the whole module stack by inheriting from ActionController::Base - but this is not ideal for performance of my api. I have used the acts_as_tenant gem for the main app and the api I am currently working on is going to handle the mobile apps I am working on. I would really appreciate your input as to the exact modules I need to inherit from as a minimum rather than inheriting from ::Base - which is going to be much slower.

THANKS

Steve

When I use Devise and your gem with setting manually the current tenant in the controller,
then sessions of users of other tenants are destroyed when an user of a different tenant logs in.
I reproduced it a blank application. That's my ApplicationController:

class ApplicationController < ActionController::Base
protect_from_forgery
set_current_tenant_through_filter
before_filter :find_the_current_tenant
before_filter :authenticate_user!

def find_the_current_tenant
if current_user
set_current_tenant(current_user.tenant)
else
set_current_tenant(nil)
end

end
end

Hi,

The following line needs to be changed:

          ActsAsTenant.current_tenant = tenant_class.where(tenant_column => request.subdomains.first).first

to

          ActsAsTenant.current_tenant = tenant_class.where(tenant_column => request.subdomains.last).first

... if you want to support the correct subdomain in the set_current_tenant_by_subdomain( ) method of the ControllerExtensions module.

You may want to let the user choose this - either by overriding (with their own filter, assigning to ActsAsTenant.current_tenant) or monkey-patching, rather than modifying the source of acts_as_tenant.

Another option is to give the user another filter to call (set_current_tenant_by_subdomain_only( ) ? ) that switches to the other behaviour.

Cheers,

Nigel

Is this gem compatible with other ODM like mongoid?

I know more of a devise question but..

I'm using devise and it seems the devise controllers don't inherit from ApplicationController (???) so don't have access to set_current_tenant_by_subdomain

When the password reset link is clicked I get no Tenant scoping by subdomain.

So how do you handle this? Is there an easy way to open up the DeviseControllers to ensure
set_current_tenant_by_subdomain is called?

Thanks so much

I have a field called request_closed in my Tenant record.

In the Request model, I would like to be able to use that field.

I tried this:

statusclosed = ActsAsTenant.current_tenant.request_closed
scope :notclosed, where("statuscode_id < ?", statusclosed )

And

statusclosed = current_tenant.request_closed

How can I access a current tenant record in a model?

Any tips?

ActsAsTenant::Errors::NoTenantSet
Some of them include:
/users/password/edit
/users/edit

Any help is appreciated...

This still seems to be an issue after 0.2.8.

I'm using AaT(0.2.9), Rails (3.2.9), Ruby(1.9.3) and whenever I set my tenant in a before filter, all users are logged out in devise. Any thoughts?

Update One:
The offending code is here

default_scope lambda {
where({fkey => ActsAsTenant.current_tenant.id}) if ActsAsTenant.current_tenant
}

Update Two:
My scenario might not be typical, I need the user to determine the tenant. This led to a circular reference based on the current implementation of the Gem.

• In order to build the current_user properly, we need the tenant.
• In order to get the tenant, we need the current_user

Initially:
-Devise would try to build the current_user, and the tenant would be set to whatever the tenant was from the last request.
-The current_user wasn't a tenant of the last tenant, so the user session would be destroyed and the user would be redirected.

I fixed this by:

• Setting the current_tenant to nil upon the beginning of each request.
• Loading the current_user (since the tenant has been set to nil, the current_user can load properly)
• Loading the tenant based on the current_user

It seems like current_tenant should not carry over though across requests....

I wonder what's going on here...
Wondering if it's bypassing the applicationcontroller somehow?

:-/

Some motivation for creating this type of multi-tenancy with multiple databases?

Is there a way to define scopes on two different levels?

E.g. in SAP software there is a distinction between a client view (same customizing and some other shared data) and the various companies of this client.

Some tables must be scoped by the client view and other tables must be scoped by the company view.

Is there a way to do it with ActsAsTenant?

I get the following error message in my tests since upgrading from v0.3.1 to v0.3.3

undefined method `id' for nil:NilClass

I guess the fault lies in https://github.com/ErwinM/acts_as_tenant/blob/master/lib/acts_as_tenant/model_extensions.rb#L97

define_method "#{ActsAsTenant.tenant_klass.to_s}" do
  return ActsAsTenant.current_tenant if send(fkey) == ActsAsTenant.current_tenant.id
  super()
end

ActsAsTenant.current_tenant could be nil

I would have another request to you which is not worth an issue: Could you please run git push origin --tags. I would like to use the following URL to check for changes on gems I depend on: v0.3.1...v0.3.3

I would love be able to do things like that:

acts_as_tenant :account, counter_cache: true

Is it possible ? At the moment, I just explicit the belongs_to:

acts_as_tenant :account
belongs_to :account, counter_cache: true

But I'm a n00b... is there like a variable that gets set for a Tenant when it's set?
Like, can I access the columns of the model somehow without re-querying for it?

Hello,

First, thanks for the gem. It works great at keeping things separate. However, that is also becoming my problem. I want to allow an user with the admin role to log on as another, non-admin user, for troubleshooting and whatnot. I found a gem that works great at that 'switch_user', but when it comes to impersonating a user on another subdomain, I can't do it.

Is there a way to force acts_as_tenant to ignore tenancy for a certain class/type of user so I can accomplish this?

Thank you!

I need a way to have different email templates for different tenants and also different locale files per tenant. For example when a new tenant added - it should use the default translations. Any ideas?

Hello,

A minor bug :

validates_uniqueness_to_tenant :attribute1, scope: :attribute2

does not work. It raises :

undefined method `<<' for :attribute2:Symbol`

so I have to change this to :

validates_uniqueness_to_tenant :attribute1, scope: [:attribute2]

Rails AR handle both symbol and array. Awesome gem by the way, thank you!

When using thin or unicorn Thread.Current isn't guaranteed to be cleared between requests, so you could end up having a tenant set when you don't want it set. As per this SO Question

There seems to be two solutions here:

1. Add a note to the readme to create a before_filter that sets the current_tenant to nil if you aren't explicitly setting a tenant for each request
2. Use something like RequestStore as referenced in this rails issue thread

Thoughts?

I have models:

class User < ActiveRecord::Base
  has_many :userroles
  has_many :roles, :through => :userroles
end

class Role < ActiveRecord::Base
  has_many :userroles, :dependent => :destroy
  has_many :users, :through => :userroles
end

Only this model should be tenanted

class Userrole < ActiveRecord::Base
  acts_as_tenant(:tenant)

  belongs_to :user
  belongs_to :role
end

When I try get User.first.roles I get this:

2.0.0-p195 :001 > ActsAsTenant.current_tenant = Tenant.find 1
  Tenant Load (4.2ms)  SELECT "tenants".* FROM "tenants" WHERE "tenants"."id" = $1 LIMIT 1  [["id", 1]]
 => #<Tenant id: 1, name: "Tenant AAA", subdomain: "a", tenant_id: nil, created_at: "2013-10-11 09:23:53", updated_at: "2013-10-11 09:23:53">
2.0.0-p195 :002 > User.first.roles
  User Load (1.6ms)  SELECT "users".* FROM "users" WHERE "users"."deleted_at" IS NULL ORDER BY "users"."id" ASC LIMIT 1
  Role Load (1.7ms)  SELECT "roles".* FROM "roles" INNER JOIN "userroles" ON "roles"."id" = "userroles"."role_id" WHERE "roles"."deleted_at" IS NULL AND "roles"."tenant_id" = 1 AND "userroles"."user_id" = $1  [["user_id", 1]]
 => #<ActiveRecord::Associations::CollectionProxy []>
2.0.0-p195 :003 > User.first.roles.to_sql
  User Load (0.8ms)  SELECT "users".* FROM "users" WHERE "users"."deleted_at" IS NULL ORDER BY "users"."id" ASC LIMIT 1
 => "SELECT "roles".* FROM "roles" INNER JOIN "userroles" ON "roles"."id" = "userroles"."role_id" WHERE "roles"."deleted_at" IS NULL AND

"roles"."tenant_id" = 1 
AND "userroles"."user_id" = $1"
2.0.0-p195 :004 >

But it should be like this:

"SELECT "roles".* FROM "roles" INNER JOIN "userroles" ON "roles"."id" = "userroles"."role_id" WHERE "roles"."deleted_at" IS NULL AND
 "userroles"."tenant_id" = 1 
AND "userroles"."user_id" = $1"