fix(boards): enforce ownership on update/delete endpoints in multiuser mode

[Copilot]

Summary

update_board and delete_board in boards.py accepted the CurrentUserOrDefault dependency but never used it — any authenticated user could modify or delete any board regardless of ownership.

Fix:

• Both endpoints now fetch the board first (404 if missing), then reject with 403 if the caller is neither the board owner nor an admin:

if not current_user.is_admin and board.user_id != current_user.user_id:
    raise HTTPException(status_code=403, detail="Not authorized to update this board")

Tests (test_boards_multiuser.py):

• Added regular_user1_token / regular_user2_token fixtures (real non-admin users, separate from the existing admin fixture)
• 6 new ownership tests: non-owner blocked (update/delete), owner allowed (update/delete), admin bypasses check (update/delete)

Test infrastructure (conftest.py):

• Replaced board_images=None with board_images=BoardImagesService() — the delete endpoint calls board_images.get_all_board_image_names_for_board, which was previously unavailable in the test mock

Related Issues / Discussions

QA Instructions

Run with multiuser mode enabled. Create a board as user A, then authenticate as user B and attempt PATCH /v1/boards/{id} and DELETE /v1/boards/{id} — both should return 403. The same requests as user A or as an admin should succeed.

Merge Plan

This PR is based on feature/multiuser and should be merged into that branch, not main.

Checklist

• The PR has a short but descriptive title, suitable for a changelog
• Tests added / updated (if applicable)
• ❗Changes to a redux slice have a corresponding migration
• Documentation added / updated (if applicable)
• Updated What's New copy (if doing a release after this PR)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[bug]: Image board endpoints do not respect current user in multiuser mode</issue_title>
<issue_description>### Is there an existing issue for this problem?

• I have searched the existing issues

Install method

Invoke's Launcher

Operating system

Linux

GPU vendor

Nvidia (CUDA)

GPU model

No response

GPU VRAM

No response

Version number

feature/multiuser

Browser

No response

System Information

No response

What happened

In multiuser mode, several of the endpoints in invokeai/app/routers/boards.py fail to check that the current user has privileges to modify or delete the image board in question. These endpoints should use CurrentUserOrDefault and their underlying routines should ensure that the board is owned by the user (or that the request is being generated by the authenticated admin user).

What you expected to happen

These endpoints should respect the ownership of the boards when running in multiuser mode.

How to reproduce the problem

No response

Additional context

No response

Discord username

No response</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [bug]: Image board endpoints do not respect current user in multiuser mode #78

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[lstein]

copilot royally screwed this one up.