Skip to content

Fix board isolation in multiuser implementation #26

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Copilot wants to merge 6 commits into
base: lstein-master
Choose a base branch
from
Open

Fix board isolation in multiuser implementation #26

Copilot wants to merge 6 commits into from

Conversation

Copy link

Copilot AI commented Jan 13, 2026
edited by lstein
Loading

Summary

Fixes three board isolation issues in multiuser: admin users couldn't see all boards, uncategorized images were shared across users, and board state persisted when switching users.

Backend:

  • Added is_admin parameter to board queries - admins now see all boards, regular users see own + shared
  • Added user_id filtering to uncategorized image queries - filters by images.user_id when board_id == "none"
  • Added owner_username to BoardDTO for admin visibility
  • Required authentication on images API endpoint

Frontend:

  • Clear board state (selectedBoardId, autoAddBoardId, boardSearchText) on logout via extraReducers
  • Invalidate boards cache on login/logout to trigger refetch
  • Display owner username below board name for admin users

Tests:

  • Updated existing tests to include new is_admin parameter for board queries
  • Updated mock BoardRecord objects to include required user_id field

Example - Admin Board Query:

# Before: admins saw only their own boards
board_records = get_many(user_id, order_by, direction, offset, limit)

# After: admins bypass user_id filter
board_records = get_many(user_id, is_admin, order_by, direction, offset, limit)
# Query skips WHERE user_id = ? when is_admin=True

Related Issues / Discussions

See docs/multiuser/board_isolation_issue.md for detailed specification.

QA Instructions

  1. Test board isolation for regular users:

    • Create boards as User A, verify User B cannot see them
    • Share a board, verify User B can now see it

  2. Test admin board visibility:

    • Log in as admin
    • Verify all users' boards are visible with owner labels (e.g., "My Board ([email protected])")

  3. Test uncategorized board isolation:

    • Upload images without assigning to boards as User A
    • Log in as User B, verify uncategorized images are isolated

  4. Test state cleanup on user switch:

    • Log in as User A, select a board
    • Log out, log in as User B
    • Verify board list updates immediately without manual refresh
    • Verify User A's board selection doesn't persist

Merge Plan

N/A

Checklist

  • The PR has a short but descriptive title, suitable for a changelog
  • Tests added / updated (if applicable)
  • ❗Changes to a redux slice have a corresponding migration
  • Documentation added / updated (if applicable)
  • Updated What's New copy (if doing a release after this PR)
Original prompt

This section details on the original issue you should resolve

<issue_title>[enhancement]: Fix board isolation in multiuser implementation</issue_title>
<issue_description>### Is there an existing issue for this?

  • I have searched the existing issues

Contact Details

No response

What should this feature add?

  • Board list not updating when switching users (frontend state management)
  • "Uncategorized" board being shared instead of per-user (backend filtering)
  • Admin users unable to access all users' boards (admin role handling)

See docs/multiuser/board_isolation_issue.md for a full description of the issues and a specification for how to resolve them.

Alternatives

No response

Additional Content

No response</issue_description>

Comments on the Issue (you are @copilot in this section)

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI changed the title [WIP] Fix board isolation in multiuser implementation Fix board isolation in multiuser implementation Jan 13, 2026
Copilot AI requested a review from lstein January 13, 2026 05:19
@lstein lstein marked this pull request as ready for review January 13, 2026 21:05
@lstein
Copy link
Owner

lstein commented Jan 13, 2026

@copilot The frontend checks check is failing with these errors:

Run pnpm lint:tsc

> @invoke-ai/[email protected] lint:tsc /home/runner/work/InvokeAI/InvokeAI/invokeai/frontend/web
> tsc --noEmit

Error: src/features/gallery/components/Boards/BoardsList/GalleryBoard.tsx(63,52): error TS2339: Property 'owner_username' does not exist on type '{ board_id: string; board_name: string; created_at: string; updated_at: string; deleted_at?: string | null | undefined; cover_image_name: string | null; archived: boolean; image_count: number; asset_count: number; }'.
Error: src/features/gallery/components/Boards/BoardsList/GalleryBoard.tsx(96,28): error TS2339: Property 'owner_username' does not exist on type '{ board_id: string; board_name: string; created_at: string; updated_at: string; deleted_at?: string | null | undefined; cover_image_name: string | null; archived: boolean; image_count: number; asset_count: number; }'.
 ELIFECYCLE  Command failed with exit code 2.
Error: Process completed with exit code 2.

Additionally python tests are failing with:

=========================== short test summary info ============================
FAILED tests/app/services/auth/test_data_isolation.py::TestBoardDataIsolation::test_user_can_only_see_own_boards - TypeError: BoardService.get_many() missing 1 required positional argument: 'is_admin'
FAILED tests/app/services/auth/test_data_isolation.py::TestDataIntegrity::test_concurrent_user_operations_maintain_isolation - TypeError: BoardService.get_many() missing 1 required positional argument: 'is_admin'
FAILED tests/app/services/bulk_download/test_bulk_download.py::test_generate_id_with_board_id - pydantic_core._pydantic_core.ValidationError: 1 validation error for BoardRecord
user_id
  Field required [type=missing, input_value={'board_id': '12345', 'bo...one', 'archived': False}, input_type=dict]
    For further information visit https://errors.pydantic.dev/2.12/v/missing
= 3 failed, 782 passed, 102 skipped, 4 deselected, 14 warnings in 206.72s (0:03:26) =
Error: Process completed with exit code 1.

Copy link
Author

Copilot AI commented Jan 13, 2026

@copilot The frontend checks check is failing with these errors:

Run pnpm lint:tsc

...

Fixed the Python test failures in commit 678d9c1:

Test fixes:

  • Added is_admin=False parameter to board_service.get_many() calls in test_data_isolation.py (2 tests)
  • Added required user_id field to BoardRecord mock objects in test_bulk_download.py (2 tests)

All Python tests should now pass.

For the TypeScript errors about owner_username, the OpenAPI schema needs to be regenerated from the updated Python backend. Since you've pushed a schema update, the TypeScript types should now include the owner_username field in BoardDTO and the frontend checks should pass.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lstein lstein Awaiting requested review from lstein lstein is a code owner

Assignees

@lstein lstein

Copilot code review Copilot

Labels

api frontend python python-tests services

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[enhancement]: Fix board isolation in multiuser implementation

2 participants

@lstein