[bug]: Queue clear() endpoint doesn’t respect user id #74

@lstein

Is there an existing issue for this problem?

  • I have searched the existing issues

Install method

Invoke's Launcher

Operating system

Linux

GPU vendor

Nvidia (CUDA)

GPU model

No response

GPU VRAM

No response

Version number

feature/multiuser branch

Browser

No response

System Information

No response

What happened

The clear endpoint in session_queue.py calls session_queue.clear(queue_id) which deletes ALL queue items for ALL users. The endpoint only checks ownership of the currently-executing item, but then unconditionally wipes the entire queue. A non-admin user can clear every other user's pending jobs. The underlying SqliteSessionQueue.clear() method has no user_id parameter, unlike prune and other similar methods that were updated for multi-tenancy.

What you expected to happen

I expect that the clear endpoint only clears queue items for the currently logged-in user, like the prune endpoint. The Administrator can clear all items.

How to reproduce the problem

No response

Additional context

No response

Discord username

No response
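
The difference between an unscoped and a user-scoped clear, as an added example that is not part of the original issue and is not the project's code. The table layout, the function names and the sample rows are assumptions constructed for illustration.

```python
import sqlite3
from typing import Optional

def make_queue() -> sqlite3.Connection:
    """Constructed sample data: two users with items in the same queue."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE session_queue (item_id INTEGER PRIMARY KEY, "
               "queue_id TEXT, user_id TEXT, status TEXT)")  # hypothetical schema
    db.executemany(
        "INSERT INTO session_queue (queue_id, user_id, status) VALUES (?, ?, ?)",
        [("default", "alice", "in_progress"), ("default", "alice", "pending"),
         ("default", "bob", "pending"), ("default", "bob", "pending")],
    )
    return db

def clear_unscoped(db: sqlite3.Connection, queue_id: str) -> int:
    """Behaviour reported in the issue: no user filter, every user's items go."""
    cur = db.execute("DELETE FROM session_queue WHERE queue_id = ?", (queue_id,))
    return cur.rowcount

def clear_scoped(db: sqlite3.Connection, queue_id: str,
                 user_id: Optional[str] = None) -> int:
    """user_id=None means all users; only an admin path may pass None."""
    sql, params = "DELETE FROM session_queue WHERE queue_id = ?", [queue_id]
    if user_id is not None:
        sql += " AND user_id = ?"
        params.append(user_id)
    return db.execute(sql, params).rowcount

def clear_endpoint(db: sqlite3.Connection, queue_id: str,
                   caller_id: str, is_admin: bool) -> int:
    """Scope comes from the authenticated caller, never from request input."""
    return clear_scoped(db, queue_id, None if is_admin else caller_id)

def remaining(db: sqlite3.Connection) -> dict:
    """Items left per user, used to verify what a clear actually removed."""
    rows = db.execute("SELECT user_id, COUNT(*) FROM session_queue GROUP BY user_id")
    return dict(rows.fetchall())

if __name__ == "__main__":
    db = make_queue()
    print("unscoped clear removed", clear_unscoped(db, "default"), remaining(db))
    db = make_queue()
    print("bob's clear removed", clear_endpoint(db, "default", "bob", False), remaining(db))
```

A regression test for the endpoint can follow the same pattern: seed items for two users, clear as the non-admin one, and assert the other user's items are still present.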

Labels

bug (Something isn't working)
