Fix queue clear() endpoint to respect user ownership in multi-user deployments

[Copilot]

Summary

The clear() endpoint unconditionally deleted all queue items for a given queue_id regardless of who called it, allowing any non-admin user to wipe other users' pending jobs. This is inconsistent with prune(), which already supports a user_id filter for multi-tenancy.

Changes:

• session_queue_base.py: Add user_id: Optional[str] = None to clear() signature — when provided, only items owned by that user are cleared
• session_queue_sqlite.py: Add conditional AND user_id = ? to the SQL WHERE clause in clear(), matching the existing pattern in prune()
• session_queue.py (router): Scope the clear operation by user — admins pass user_id=None (clears all), non-admins pass their own user_id (clears only their items)
• tests/app/services/session_queue/test_session_queue_clear.py: New tests verifying the user-scoped clear behaviour

# Before
clear_result = session_queue.clear(queue_id)  # deletes everything

# After
user_id = None if current_user.is_admin else current_user.user_id
clear_result = session_queue.clear(queue_id, user_id=user_id)  # scoped by user

Related Issues / Discussions

QA Instructions

In a multi-user setup (feature/multiuser branch):

1. Enqueue items as two different non-admin users
2. As user A, call PUT /v1/queue/{queue_id}/clear — only user A's items should be deleted; user B's items should remain
3. As an admin, call the same endpoint — all items should be cleared

Merge Plan

Checklist

• The PR has a short but descriptive title, suitable for a changelog
• Tests added / updated (if applicable)
• ❗Changes to a redux slice have a corresponding migration
• Documentation added / updated (if applicable)
• Updated What's New copy (if doing a release after this PR)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[bug]: Queue clear() endpoint doesn’t respect user id</issue_title>
<issue_description>### Is there an existing issue for this problem?

• I have searched the existing issues

Install method

Invoke's Launcher

Operating system

Linux

GPU vendor

Nvidia (CUDA)

GPU model

No response

GPU VRAM

No response

Version number

feature/multiuser branch

Browser

No response

System Information

No response

What happened

The clear endpoint in session_queue.py calls session_queue.clear(queue_id) which deletes ALL queue items for ALL users. The endpoint only checks ownership of the currently-executing item, but then unconditionally wipes the entire queue. A non-admin user can clear every other user's pending jobs. The underlying SqliteSessionQueue.clear() method has no user_id parameter, unlike prune and other similar methods that were updated for multi-tenancy.

What you expected to happen

I expect that the clear endpoint only clears queue items for the currently logged-in user, like the prune endpoint. The Administrator can clear all items.

How to reproduce the problem

No response

Additional context

No response

Discord username

No response</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [bug]: Queue clear() endpoint doesn’t respect user id #74

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[lstein]

Could you add a test for this?

[Copilot]

Could you add a test for this?

Added tests in commit b0841a3 at tests/app/services/session_queue/test_session_queue_clear.py. The tests cover:

• Non-admin clear (with user_id) only deletes that user's items, leaving other users' items intact
• Admin clear (no user_id) deletes all items in the queue
• Clear only affects the target queue, not other queues
• Clear returns 0 when no items match the given user

[lstein]

Tested endpoints directly and works as advertised.