| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| keystone | pip | < 2012.1 | 2012.1 |

The GitHub patch explicitly adds `self.assert_admin(context)` to the `update_user_tenant` method, indicating that this was the missing authorization check. The vulnerability description matches this pattern: unauthorized API requests could modify tenant memberships despite the 401 response, which aligns with the pre-patch behavior, where the authorization check was absent from this function but the tenant modification still occurred.
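
The following is an added example, not Keystone's source code and not taken from the patch: a simplified model of how a request can be answered with 401 and still change state, and how the added check closes that gap. Only `assert_admin`, `update_user_tenant` and `context` come from the advisory; the class, the `check_first` switch, the `attempt` helper and the assumption that the 401 came from a later delegated call (`update_user`) that did enforce the check are hypothetical.

```python
# Simplified model of the pattern (constructed; not Keystone source code).
class Unauthorized(Exception):
    """Stands in for an HTTP 401 response."""

class UserController:
    def __init__(self, check_first):
        self.check_first = check_first   # True models the patched method
        self.memberships = set()         # (user_id, tenant_id) pairs

    def assert_admin(self, context):
        if not context.get("is_admin"):
            raise Unauthorized("admin token required")

    def update_user(self, context, user_id, user):
        # Assumption: this delegated call already enforced the admin check.
        self.assert_admin(context)
        return {"user": dict(user, id=user_id)}

    def update_user_tenant(self, context, user_id, user):
        if self.check_first:
            self.assert_admin(context)   # the line the patch adds
        # The state change happens here, before update_user() is reached.
        self.memberships.add((user_id, user["tenantId"]))
        return self.update_user(context, user_id, user)

def attempt(controller, context, user_id, tenant_id):
    """Return (status, membership_was_written) for one request."""
    try:
        controller.update_user_tenant(context, user_id, {"tenantId": tenant_id})
        status = 200
    except Unauthorized:
        status = 401
    return status, (user_id, tenant_id) in controller.memberships

if __name__ == "__main__":
    anon = {"is_admin": False}    # constructed request contexts
    admin = {"is_admin": True}
    print("unpatched, non-admin:", attempt(UserController(False), anon, "u1", "t1"))
    print("patched,   non-admin:", attempt(UserController(True), anon, "u1", "t1"))
    print("patched,   admin:    ", attempt(UserController(True), admin, "u1", "t1"))
```

Both the unpatched and patched variants return 401 to the non-admin caller, so a regression test for this class of bug has to assert on the stored membership, not only on the status code.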