Skip to content

fix(queue): System user queue items show blank instead of <hidden> for non-admin users #63

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lstein merged 4 commits into from
Feb 20, 2026
+34 −2
Merged

fix(queue): System user queue items show blank instead of <hidden> for non-admin users #63

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
a77e4af
Initial plan
Copilot Feb 20, 2026
ba8408a
fix(queue): System user queue items show blank instead of `<hidden>` …
Copilot Feb 20, 2026
735c392
chore(backend): ruff
lstein Feb 20, 2026
db463e8
Merge branch 'feature/multiuser' into copilot/fix-queue-items-visibility
lstein Feb 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion invokeai/app/services/shared/sqlite_migrator/migrations/migration_27.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,6 @@ def _update_client_state_table(self, cursor: sqlite3.Cursor) -> None:
)

# Migrate existing data to 'system' user
# The 'system' user is created by migration 25, so it's guaranteed to exist at this point
for key, value in existing_data.items():
cursor.execute(
"""
Expand Down
2 changes: 1 addition & 1 deletion invokeai/frontend/web/src/features/queue/components/QueueList/QueueItemComponent.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -174,7 +174,7 @@ const QueueItemComponent = ({ index, item }: InnerItemProps) => {
))}
</Flex>
)}
{!item.field_values && item.user_id !== SYSTEM_USER_ID && (
{!item.field_values && !currentUser?.is_admin && item.user_id !== currentUser?.user_id && (
<Text as="span" color="base.500" fontStyle="italic">
{t('queue.fieldValuesHidden')}
</Text>
Expand Down
33 changes: 33 additions & 0 deletions tests/app/routers/test_session_queue_sanitization.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -124,3 +124,36 @@ def test_sanitize_preserves_non_sensitive_fields(sample_session_queue_item):
assert result.user_id == "user_123"
assert result.user_display_name == "Test User"
assert result.user_email == "test@example.com"


def test_sanitize_system_user_item_for_non_admin(sample_session_queue_item):
"""Test that non-admin users cannot see sensitive data from System user's queue items."""
# Simulate a legacy System user queue item
system_item = sample_session_queue_item.model_copy(update={"user_id": "system"})

result = sanitize_queue_item_for_user(
queue_item=system_item,
current_user_id="non_admin_user",
is_admin=False,
)

# System user's sensitive fields should be sanitized for non-admin users
assert result.field_values is None
assert result.workflow is None
assert len(result.session.graph.nodes) == 0


def test_sanitize_system_user_item_for_admin(sample_session_queue_item):
"""Test that admin users can see full data from System user's queue items."""
system_item = sample_session_queue_item.model_copy(update={"user_id": "system"})

result = sanitize_queue_item_for_user(
queue_item=system_item,
current_user_id="admin_user",
is_admin=True,
)

# Admin should see everything including System user's data
assert result.field_values is not None
assert len(result.field_values) == 1
assert len(result.session.graph.nodes) == 1
Loading