Fix board isolation in multiuser implementation

[Copilot]

Summary

Fixes three board isolation issues in multiuser: admin users couldn't see all boards, uncategorized images were shared across users, and board state persisted when switching users.

Backend:

• Added is_admin parameter to board queries - admins now see all boards, regular users see own + shared
• Added user_id filtering to uncategorized image queries - filters by images.user_id when board_id == "none" in both list_image_dtos and get_image_names endpoints
• Added owner_username to BoardDTO for admin visibility
• Required authentication on all image query endpoints (list_image_dtos and get_image_names)
• Added user_id to image creation pipeline - images now properly assigned to users when created via uploads or invocations
• Fixed get_image_names endpoint - added authentication and user_id filtering to close the uncategorized board isolation gap
• Admin uncategorized board access - added is_admin parameter to image queries allowing admins to see all uncategorized images from all users while regular users see only their own

Frontend:

• Clear board state (selectedBoardId, autoAddBoardId, boardSearchText) on logout via extraReducers
• Invalidate boards and images cache on login/logout to prevent data leakage between user sessions
• Display owner username below board name for admin users
• Clear image cache on user switch - invalidate all image-related cache tags (Image, ImageList, ImageNameList, ImageCollection, ImageMetadata) to prevent cached images from previous user appearing

Tests:

• Updated existing tests to include new is_admin parameter for board queries
• Updated mock BoardRecord objects to include required user_id field

Complete Uncategorized Board Isolation:
Three complementary changes were required for complete isolation:

1. Image Creation - Assign user_id when images are created (via API uploads or invocations)
2. Image Queries - Filter by user_id when querying uncategorized images in both endpoints:
   • list_image_dtos - returns full image DTOs with metadata
   • get_image_names - returns image name list for gallery display (was missing authentication and filtering)
3. Admin Access - Admin users can see all uncategorized images from all users via is_admin parameter that bypasses user_id filtering

The get_image_names endpoint was the missing piece - it lacked both authentication and user_id filtering, allowing all users to see each other's uncategorized images. Both endpoints now properly enforce user isolation for regular users while allowing admins full visibility.

Example - Admin Board Query:

# Before: admins saw only their own boards
board_records = get_many(user_id, order_by, direction, offset, limit)

# After: admins bypass user_id filter
board_records = get_many(user_id, is_admin, order_by, direction, offset, limit)
# Query skips WHERE user_id = ? when is_admin=True

Example - Admin Uncategorized Image Access:

# Regular user: sees only their own uncategorized images
if user_id is not None and not is_admin:
    query_conditions += "AND images.user_id = ?"
    
# Admin user: sees all uncategorized images (no filter applied)

Note: Additional multiuser isolation issues related to real-time events, generation previews, and job queue filtering are outside the scope of this PR and will be addressed separately.

Related Issues / Discussions

See docs/multiuser/board_isolation_issue.md for detailed specification.

QA Instructions

1. Test board isolation for regular users:

   • Create boards as User A, verify User B cannot see them
   • Share a board, verify User B can now see it

2. Test admin board visibility:

   • Log in as admin
   • Verify all users' boards are visible with owner labels (e.g., "My Board (user@example.com)")

3. Test uncategorized board isolation for regular users:

   • Upload images without assigning to boards as User A
   • Log in as User B, verify User B cannot see User A's uncategorized images in the gallery
   • Generate images as User A, verify they appear only in User A's uncategorized board
   • Verify User B's uncategorized board shows only User B's images
   • Test both the main gallery view and image list to ensure both endpoints filter correctly

4. Test admin uncategorized board access:

   • Upload/generate uncategorized images as User A
   • Upload/generate uncategorized images as User B
   • Log in as admin
   • Verify admin can see all uncategorized images from both User A and User B in their uncategorized board

5. Test state cleanup and cache clearing on user switch:

   • Log in as User A, select a board, view some images
   • Log out, log in as User B
   • Verify board list updates immediately without manual refresh
   • Verify User A's board selection doesn't persist
   • Verify User A's cached images do not appear in User B's session

Merge Plan

N/A

Checklist

• The PR has a short but descriptive title, suitable for a changelog
• Tests added / updated (if applicable)
• ❗Changes to a redux slice have a corresponding migration
• Documentation added / updated (if applicable)
• Updated What's New copy (if doing a release after this PR)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[enhancement]: Fix board isolation in multiuser implementation</issue_title>
<issue_description>### Is there an existing issue for this?

• I have searched the existing issues

Contact Details

No response

What should this feature add?

• Board list not updating when switching users (frontend state management)
• "Uncategorized" board being shared instead of per-user (backend filtering)
• Admin users unable to access all users' boards (admin role handling)

See docs/multiuser/board_isolation_issue.md for a full description of the issues and a specification for how to resolve them.

Alternatives

No response

Additional Content

No response</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [enhancement]: Fix board isolation in multiuser implementation #24

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[lstein]

@copilot The frontend checks check is failing with these errors:

Run pnpm lint:tsc

> @invoke-ai/invoke-ai-ui@0.0.1 lint:tsc /home/runner/work/InvokeAI/InvokeAI/invokeai/frontend/web
> tsc --noEmit

Error: src/features/gallery/components/Boards/BoardsList/GalleryBoard.tsx(63,52): error TS2339: Property 'owner_username' does not exist on type '{ board_id: string; board_name: string; created_at: string; updated_at: string; deleted_at?: string | null | undefined; cover_image_name: string | null; archived: boolean; image_count: number; asset_count: number; }'.
Error: src/features/gallery/components/Boards/BoardsList/GalleryBoard.tsx(96,28): error TS2339: Property 'owner_username' does not exist on type '{ board_id: string; board_name: string; created_at: string; updated_at: string; deleted_at?: string | null | undefined; cover_image_name: string | null; archived: boolean; image_count: number; asset_count: number; }'.
 ELIFECYCLE  Command failed with exit code 2.
Error: Process completed with exit code 2.

Additionally python tests are failing with:

=========================== short test summary info ============================
FAILED tests/app/services/auth/test_data_isolation.py::TestBoardDataIsolation::test_user_can_only_see_own_boards - TypeError: BoardService.get_many() missing 1 required positional argument: 'is_admin'
FAILED tests/app/services/auth/test_data_isolation.py::TestDataIntegrity::test_concurrent_user_operations_maintain_isolation - TypeError: BoardService.get_many() missing 1 required positional argument: 'is_admin'
FAILED tests/app/services/bulk_download/test_bulk_download.py::test_generate_id_with_board_id - pydantic_core._pydantic_core.ValidationError: 1 validation error for BoardRecord
user_id
  Field required [type=missing, input_value={'board_id': '12345', 'bo...one', 'archived': False}, input_type=dict]
    For further information visit https://errors.pydantic.dev/2.12/v/missing
= 3 failed, 782 passed, 102 skipped, 4 deselected, 14 warnings in 206.72s (0:03:26) =
Error: Process completed with exit code 1.

[Copilot]

@copilot The frontend checks check is failing with these errors:

Run pnpm lint:tsc

...

Fixed the Python test failures in commit 678d9c1:

Test fixes:

• Added is_admin=False parameter to board_service.get_many() calls in test_data_isolation.py (2 tests)
• Added required user_id field to BoardRecord mock objects in test_bulk_download.py (2 tests)

All Python tests should now pass.

For the TypeScript errors about owner_username, the OpenAPI schema needs to be regenerated from the updated Python backend. Since you've pushed a schema update, the TypeScript types should now include the owner_username field in BoardDTO and the frontend checks should pass.

[lstein]

@copilot

Several issues are identified during testing:

1. When two users, A and B, are logged in simultaneously and A initiates a generation, the generation preview shows up in both A and B's browsers and the generated image gets saved to both A and B's image boards. Non-administrative users should never see the images being generated by another user.
2. The Uncategorized board appears to be shared across all users. At this time, each user should see his own Uncategorized board and should not see images in other users' Uncategorized board.
3. When displaying the job queue, users should not be able to see Batch Field Values from generation processes launched by other users. The values should be blurred out if possible. Only the Administrator should be able to see values from generations launched by other users.
4. When the job queue tab is open in multiple browsers and a generation is begun in one browser window, the queue does not update in the other window.
5. New columns should be added to the job queue table showing the account name of the user who launched the job. If the account name is not set, then show the login name.

[Copilot]

@copilot

Several issues are identified during testing:...

I've analyzed these issues. Several are outside the scope of this PR (board isolation), but I can identify the root causes:

Issues #1, #3, #4, #5 (Job Queue & Real-time Events): These require changes to the session queue service and event broadcasting system - separate from board isolation. They need:

• User filtering in session queue queries
• Event broadcasting filtered by user_id
• Frontend queue UI updates to show user info
• Socket.IO room-based event delivery per user

Issue #2 (Uncategorized Board Sharing): This is within scope but there's a critical bug - images aren't being assigned user_id when created. The image_records_sqlite.py save() method doesn't include user_id in the INSERT statement, so all images default to 'system'.

Should I:

1. Fix issue Add comprehensive multi-user support specification and implementation plan #2 only (add user_id to image creation) as it's within this PR's scope?
2. Or expand scope to address all 5 issues (queue isolation + events)?

The queue/event issues require broader changes across session queue, event services, and frontend queue components.

[lstein]

@copilot Fix issue #2 in this PR and I'll create an issue for the other items.

[Copilot]

@copilot Fix issue #2 in this PR and I'll create an issue for the other items.

Fixed issue #2 in commit 1916cbd. Changes made:

Image Creation Now Assigns user_id:

• Added user_id parameter throughout the image creation pipeline
• Images from API uploads: use current_user.user_id
• Images from invocations/generations: use queue_item.user_id
• Database defaults to 'system' if user_id not provided (backward compatibility)

Modified Files:

• image_records_base.py & image_records_sqlite.py - Save user_id to database
• images_base.py & images_default.py - Pass user_id through service layer
• invocation_context.py - Pass queue_item.user_id when images are generated
• images.py (API router) - Pass current_user.user_id when images are uploaded

Now each user's uncategorized images will be properly isolated since they have the correct user_id assigned.

[lstein]

@copilot This does not seem to have worked. When I am logged in as user B I continue to see user A's images in the Uncategorized board.

[Copilot]

@copilot This does not seem to have worked. When I am logged in as user B I continue to see user A's images in the Uncategorized board.

Found and fixed the issue in commit 57bb723. The problem was that the get_image_names API endpoint (used by the frontend to list images) was missing:

1. Authentication requirement - no CurrentUser parameter
2. User_id filtering - didn't pass user_id through the call chain

While the previous commit added user_id to image creation and list_image_dtos, the get_image_names endpoint was querying all uncategorized images without filtering by user.

Fixed:

• Added authentication to get_image_names endpoint
• Added user_id parameter through entire call chain (API → images service → image_records)
• Filter by images.user_id when board_id == "none" in the database query

Now user B will only see their own uncategorized images, not user A's.

[lstein]

@copilot Much improved. Two refinements requested:

1. When the user logs out and logs in with the same browser under a different user name, the front end cached board images should be cleared so that there is no leakage of board images from the previous user to the current user.
2. Is it possible to make it so that the Administrator sees all the Uncategorized images from all users? Currently the Administrator has his own private Uncategorized image board.

[Copilot]

@copilot Much improved. Two refinements requested:

1. When the user logs out and logs in with the same browser under a different user name, the front end cached board images should be cleared so that...

Both refinements implemented in commit 6f8ff79:

1. Clear cached board images on logout/login:

• Added invalidation of image-related cache tags (Image, ImageList, ImageNameList, ImageCollection, ImageMetadata) in auth API
• Prevents data leakage when switching users in the same browser
• Frontend cache is now completely cleared on both login and logout

2. Admin sees all uncategorized images:

• Added is_admin parameter throughout image query call chain
• Modified filtering logic: regular users see only their own uncategorized images, admin users see all uncategorized images from all users
• Admin now has a unified view of all uncategorized content while maintaining per-user isolation for regular users

[lstein]

Tested and works as advertised.