
Fix: Admin users can see image previews from other users' generations #61

Merged
lstein merged 5 commits into feature/multiuser from copilot/fix-admin-image-preview-issue
Feb 20, 2026

Copilot AI commented Feb 20, 2026

Summary

In multiuser mode, admin users were receiving the full InvocationProgressEvent — including the base64 JPEG image preview — for generations started by other users, because the admin socket room received an unfiltered copy of every invocation event.

Fix: When emitting InvocationProgressEvent to the admin room, strip the image field before serialization using Pydantic's model_copy:

# Owner gets the full event (unchanged)
await self._sio.emit(event=event_name, data=event_data.model_dump(mode="json"), room=user_room)

# Admin gets progress metadata (message, percentage) but no image content
if isinstance(event_data, InvocationProgressEvent):
    admin_event_data = event_data.model_copy(update={"image": None})
    await self._sio.emit(event=event_name, data=admin_event_data.model_dump(mode="json"), room="admin")
else:
    await self._sio.emit(event=event_name, data=event_data.model_dump(mode="json"), room="admin")

  • Owners still receive the full progress event with image preview in their user:{user_id} room.
  • Admins receive InvocationProgressEvent with image: null — progress status (message, percentage) is preserved for monitoring, but image content is not exposed.
  • All other invocation events (InvocationStartedEvent, InvocationCompleteEvent, InvocationErrorEvent) forwarded to admin room are unaffected.

Related Issues / Discussions

QA Instructions

  1. Run InvokeAI in multiuser mode.
  2. Log in as a non-admin user in one browser and start a generation.
  3. Log in as an admin in another browser and observe the socket events — progress events should arrive with image: null while message and percentage remain populated.

Merge Plan

Checklist

  • The PR has a short but descriptive title, suitable for a changelog
  • Tests added / updated (if applicable)
  • ❗Changes to a redux slice have a corresponding migration
  • Documentation added / updated (if applicable)
  • Updated What's New copy (if doing a release after this PR)

Original prompt

This section details on the original issue you should resolve

<issue_title>[bug]: Admin can see image previews</issue_title>
<issue_description>### Is there an existing issue for this problem?

  • I have searched the existing issues

Install method

Invoke's Launcher

Operating system

Linux

GPU vendor

Nvidia (CUDA)

GPU model

No response

GPU VRAM

No response

Version number

feature/multiuser branch

Browser

No response

System Information

No response

What happened

When I was logged in as the Administrator user in one browser, and simultaneously logged in as an unprivileged user in another browser, the Administrator user could see the preview of generations started by the unprivileged user.

What you expected to happen

I expect that generations started by unprivileged users should not be visible to the Administrator.

How to reproduce the problem

No response

Additional context

No response

Discord username

No response</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: lstein <111189+lstein@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix admin access to unprivileged user image previews Fix: Admin users can see image previews from other users' generations Feb 20, 2026
Copilot AI requested a review from lstein February 20, 2026 03:43
Owner

@lstein lstein left a comment

Works as advertised.

@lstein lstein marked this pull request as ready for review February 20, 2026 03:48
@lstein lstein merged commit 9e11528 into feature/multiuser Feb 20, 2026
13 checks passed
@lstein lstein deleted the copilot/fix-admin-image-preview-issue branch February 20, 2026 04:18
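
The per-room redaction described in the PR summary, written as a self-contained regression check (an added example, not code from this pull request or from InvokeAI). The dataclasses, `RecordingSio`, `admin_leaks`, the event names and the sample values are hypothetical stand-ins; `dataclasses.replace` plays the role of Pydantic's `model_copy(update={"image": None})`.

```python
import asyncio
from dataclasses import asdict, dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class ProgressEvent:
    """Stdlib stand-in (assumption) for the Pydantic InvocationProgressEvent."""
    user_id: str
    message: str
    percentage: float
    image: Optional[str] = None  # preview content; None once redacted

@dataclass(frozen=True)
class StartedEvent:
    """Stand-in for an invocation event that carries no preview."""
    user_id: str

class RecordingSio:
    """Hypothetical test double: records emits instead of sending them."""
    def __init__(self):
        self.sent = []

    async def emit(self, event, data, room):
        self.sent.append((room, event, data))

async def emit_invocation_event(sio, event_name, event):
    # Owner room gets the full event, preview included.
    await sio.emit(event=event_name, data=asdict(event), room=f"user:{event.user_id}")
    # Admin room gets the same metadata with the preview stripped.
    # The original event object is never mutated; a redacted copy is sent.
    if isinstance(event, ProgressEvent):
        event = replace(event, image=None)
    await sio.emit(event=event_name, data=asdict(event), room="admin")

def admin_leaks(sent):
    """Return every admin-room emit that still carries image content."""
    return [e for e in sent if e[0] == "admin" and e[2].get("image") is not None]

def run_demo():
    sio = RecordingSio()
    # Constructed sample events; the data URL is a placeholder, not a real image.
    progress = ProgressEvent("alice", "Denoising", 0.4, "data:image/jpeg;base64,AAAA")
    asyncio.run(emit_invocation_event(sio, "invocation_progress", progress))
    asyncio.run(emit_invocation_event(sio, "invocation_started", StartedEvent("alice")))
    return sio.sent

if __name__ == "__main__":
    print("admin leaks:", admin_leaks(run_demo()))
```

Running `admin_leaks` over recorded emits in a unit test catches a regression where a new code path sends the unfiltered event to the admin room.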