fix: enforce board ownership in multiuser mode for all board endpoints #84

Merged
lstein merged 1 commit into feature/multiuser from copilot/fix-image-board-endpoints-again
Feb 23, 2026

Copilot AI commented Feb 23, 2026

In multiuser mode, get_board, update_board, delete_board, and list_all_board_image_names did not verify that the requesting user owns the board, allowing any authenticated user to read, modify, or delete boards belonging to others.

Summary

  • get_board: Added ownership check after fetch — returns 403 if requester is not admin and does not own the board.
  • update_board: Pre-flight board fetch with ownership check before applying changes; returns 404 if not found, 403 if unauthorized.
  • delete_board: Same pre-flight ownership check before deletion; returns 404 if not found, 403 if unauthorized.
  • list_all_board_image_names: Added CurrentUserOrDefault (previously unauthenticated) and ownership check for non-"none" board IDs.

All checks follow the same pattern: admin users bypass ownership enforcement; regular users may only operate on boards where board.user_id == current_user.user_id.

Related Issues / Discussions

QA Instructions

Enable multiuser mode. Create two users. Log in as user A and create a board. Log in as user B and attempt to GET, PATCH, DELETE, and GET /{board_id}/image_names on user A's board — all should return 403 Forbidden. Admin users should retain full access across all boards.

The following automated tests in tests/app/routers/test_boards_multiuser.py cover the new behaviour:

  • Auth requirements: GET /{board_id}, PATCH /{board_id}, DELETE /{board_id}, and GET /{board_id}/image_names all return 401 when called without credentials in multiuser mode.
  • Cross-user 403: A non-owner receives 403 on get, update, delete, and list image names for another user's board.
  • Admin bypass: An admin user can get, update, delete, and list image names for any user's board.
  • Board listing isolation: Regular users only see their own boards in list responses.
  • none board auth: The special none (uncategorized) board still requires authentication but skips the ownership check.

Merge Plan

Checklist

  • The PR has a short but descriptive title, suitable for a changelog
  • Tests added / updated (if applicable)
  • ❗Changes to a redux slice have a corresponding migration
  • Documentation added / updated (if applicable)
  • Updated What's New copy (if doing a release after this PR)
Original prompt

This section details on the original issue you should resolve

<issue_title>[bug]: Image board endpoints do not respect current user in multiuser mode</issue_title>
<issue_description>### Is there an existing issue for this problem?

  • I have searched the existing issues

Install method

Invoke's Launcher

Operating system

Linux

GPU vendor

Nvidia (CUDA)

GPU model

No response

GPU VRAM

No response

Version number

feature/multiuser

Browser

No response

System Information

No response

What happened

In multiuser mode, several of the endpoints in invokeai/app/routers/boards.py fail to check that the current user has privileges to modify or delete the image board in question. These endpoints should use CurrentUserOrDefault and their underlying routines should ensure that the board is owned by the user (or that the request is being generated by the authenticated admin user).

What you expected to happen

These endpoints should respect the ownership of the boards when running in multiuser mode.

How to reproduce the problem

No response

Additional context

No response

Discord username

No response</issue_description>

Comments on the Issue (you are @copilot in this section)

@lstein @copilot please work on this one again. The PR you created was against the incorrect branch. It should be done against `feature/multiuser`
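
The ownership pattern stated in the PR description (admin bypass, otherwise `board.user_id == current_user.user_id`, 404 if not found, 403 if unauthorized, and the `none` board requiring authentication only), as an added standalone sketch; it is not code from this PR or from InvokeAI. `HTTPError`, `User`, `Board`, `is_admin`, `authorize_board`, `status_for` and the sample board are hypothetical names constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


class HTTPError(Exception):
    """Hypothetical stand-in for a web framework's HTTP exception."""

    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status = status


@dataclass(frozen=True)
class User:  # hypothetical; only user_id appears in the PR text
    user_id: str
    is_admin: bool = False


@dataclass(frozen=True)
class Board:
    board_id: str
    user_id: str  # owner of the board


# Constructed sample data: one board owned by "alice".
BOARDS = {"b1": Board("b1", "alice")}


def authorize_board(board_id: str, user: Optional[User], allow_none: bool = False) -> Optional[Board]:
    """Return the board if `user` may act on it, else raise HTTPError."""
    if user is None:  # multiuser mode: no credentials supplied
        raise HTTPError(401, "authentication required")
    if allow_none and board_id == "none":  # uncategorized: auth only
        return None
    board = BOARDS.get(board_id)
    if board is None:
        raise HTTPError(404, "board not found")
    if not user.is_admin and board.user_id != user.user_id:
        raise HTTPError(403, "not authorized for this board")
    return board


def status_for(board_id: str, user: Optional[User], allow_none: bool = False) -> int:
    """Map the check to a status code; 200 stands for 'allowed'."""
    try:
        authorize_board(board_id, user, allow_none)
        return 200
    except HTTPError as exc:
        return exc.status
```

With this ordering a non-owner can tell an existing board (403) from a missing one (404); returning 404 in both cases hides board IDs from other users.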


Copilot AI changed the title from "[WIP] Fix image board endpoints to respect user privileges" to "fix: enforce board ownership in multiuser mode for all board endpoints" Feb 23, 2026
Copilot AI requested a review from lstein February 23, 2026 03:00
@lstein lstein marked this pull request as ready for review February 23, 2026 03:15
Owner

@lstein lstein left a comment

works as advertised

Owner

@lstein lstein left a comment

@copilot:
Could you add a test for this feature?

Author

Copilot AI commented Feb 23, 2026

> @copilot:
> Could you add a test for this feature?

Added 23 tests in test_boards_multiuser.py (commit 245ed6b). The new tests cover:

  • Auth requirements: GET /{board_id}, PATCH /{board_id}, DELETE /{board_id}, and GET /{board_id}/image_names all return 401 when unauthenticated in multiuser mode
  • Cross-user 403: A non-owner gets 403 on get, update, delete, and list_image_names for another user's board
  • Admin bypass: Admin can get, update, delete, and list image names for any user's board
  • Board listing isolation: Regular users only see their own boards in list responses
  • none board auth: The special none (uncategorized) board still requires authentication but no ownership check

All 23 tests pass.

- get_board: verify current user owns the board (or is admin), return 403 otherwise
- update_board: verify ownership before updating, 404 if not found, 403 if unauthorized
- delete_board: verify ownership before deleting, 404 if not found, 403 if unauthorized
- list_all_board_image_names: add CurrentUserOrDefault auth and ownership check for non-'none' board IDs

Co-authored-by: lstein <111189+lstein@users.noreply.github.com>

test: add ownership enforcement tests for board endpoints in multiuser mode

- Auth requirement tests for get, update, delete, and list_image_names
- Cross-user 403 forbidden tests (non-owner cannot access/modify/delete)
- Admin bypass tests (admin can access/update/delete any user's board)
- Board listing isolation test (users only see their own boards)
- Refactored fixtures to use monkeypatch (consistent with other test files)

Co-authored-by: lstein <111189+lstein@users.noreply.github.com>
@lstein lstein force-pushed the copilot/fix-image-board-endpoints-again branch from 245ed6b to 1bff5a1 February 23, 2026 03:38
Owner

@lstein lstein left a comment

Works as advertised, including new tests.

@lstein lstein merged commit a36e110 into feature/multiuser Feb 23, 2026
13 checks passed
@lstein lstein deleted the copilot/fix-image-board-endpoints-again branch February 23, 2026 03:46