Copilot AI commented Jan 19, 2026

Summary

In multiuser mode, non-admin users could view sensitive generation data (prompts, parameters, graph structure, workflow) from other users' queue items by clicking to expand the detail view. The "Batch Field Values" column correctly censored values, but the expanded detail view exposed the full session graph and workflow.

Backend: Enhanced sanitize_queue_item_for_user() to clear session.graph and workflow fields for non-admin users viewing other users' items. Creates a shallow copy to prevent mutation side effects.

Frontend: Added permission check to disable detail expansion for unauthorized users. Visual feedback includes disabled cursor, reduced opacity, and tooltip. Users can expand only their own items or system items; admins can expand all.

Constants: Extracted SYSTEM_USER_ID = "system" constant to both backend and frontend for maintainability.

Tests: Added comprehensive unit tests with proper fixture setup including all required timestamp fields (created_at, updated_at, started_at, completed_at) to ensure pydantic validation passes.

Related Issues / Discussions

N/A

QA Instructions

Testing requires multiuser mode setup with authentication enabled:

  1. Create two non-admin users (userA, userB) and one admin user
  2. As userA, enqueue a generation with custom prompts/parameters
  3. As userB, navigate to Queue tab:
    • Verify "Batch Field Values" shows "Hidden for privacy" for userA's items
    • Attempt to click userA's queue item - verify cursor shows "not-allowed" and tooltip explains permission denied
    • Verify userB cannot expand userA's item details
  4. As admin, verify you can expand all users' queue items and see full details
  5. As userA, verify you can expand your own queue items

Merge Plan

N/A

Checklist

  • The PR has a short but descriptive title, suitable for a changelog
  • Tests added / updated (if applicable)
  • ❗Changes to a redux slice have a corresponding migration
  • Documentation added / updated (if applicable)
  • Updated What's New copy (if doing a release after this PR)
Original prompt

This section details the original issue you should resolve

<issue_title>[bug]: Multiuser information leakage in the Queue panel</issue_title>
<issue_description>### Is there an existing issue for this problem?

  • I have searched the existing issues

Install method

Invoke's Launcher

Operating system

Linux

GPU vendor

Nvidia (CUDA)

GPU model

No response

GPU VRAM

No response

Version number

6.10.0

Browser

No response

System Information

No response

What happened

When operating in multiuser mode, the "Batch Field Values" of the Queue tab correctly censors the values when user B is observing a job started by user A. However, these values are still visible when user B clicks on the queue item to see its generation graph.

What you expected to happen

The ability to click a queue item to get the generation graph should be disabled when a user attempts to view the graph of another user. The exception is the Administrator, who should be able to see the graph for all users' generations.

How to reproduce the problem

No response

Additional context

No response

Discord username

No response</issue_description>

Comments on the Issue (you are @copilot in this section)


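A minimal sketch of the server-side redaction the PR summary describes, added here as an illustration and not the project's own code. `Session` and `QueueItem` are hypothetical stand-ins for `GraphExecutionState` and `SessionQueueItem`; keeping system items visible on the backend and nulling `field_values` are assumptions.

```python
from dataclasses import dataclass, field, replace
from typing import Any, Optional

SYSTEM_USER_ID = "system"  # constant named in the PR description

@dataclass(frozen=True)
class Session:  # hypothetical stand-in for GraphExecutionState
    id: str
    graph: dict[str, Any] = field(default_factory=dict)

@dataclass(frozen=True)
class QueueItem:  # hypothetical stand-in for SessionQueueItem
    item_id: int
    user_id: str
    status: str
    session: Session
    field_values: Optional[list[dict[str, Any]]] = None
    workflow: Optional[dict[str, Any]] = None

def can_view_details(item: QueueItem, viewer_id: str, is_admin: bool) -> bool:
    """Admins see everything; users see their own and system items (assumed rule)."""
    return is_admin or item.user_id in (viewer_id, SYSTEM_USER_ID)

def sanitize_queue_item_for_user(item: QueueItem, viewer_id: str, is_admin: bool) -> QueueItem:
    """Return the item unchanged for authorized viewers, else a redacted copy."""
    if can_view_details(item, viewer_id, is_admin):
        return item
    # replace() builds new objects, so the stored item and its nested session
    # are never mutated. A shallow copy followed by `copy.session.graph = {}`
    # would also wipe the owner's graph, because both share one session object.
    return replace(
        item,
        field_values=None,
        workflow=None,
        session=replace(item.session, graph={}),
    )

# Constructed sample data: userA's item as it would be stored server-side.
ITEM_A = QueueItem(
    item_id=1, user_id="userA", status="pending",
    session=Session(id="s1", graph={"nodes": {"prompt": {"value": "sensitive prompt"}}}),
    field_values=[{"node_path": "prompt", "field_name": "value", "value": "sensitive prompt"}],
    workflow={"name": "private workflow"},
)
```

The frontend check that disables expansion is a usability aid; the response-side redaction is what keeps another user's graph and workflow out of the API response.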

Copilot AI and others added 4 commits January 19, 2026 21:57
- Backend: Update sanitize_queue_item_for_user to clear session graph and workflow
- Frontend: Add permission check to disable detail view for unauthorized users
- Add test for sanitization logic
- Add translation key for permission denied message

Co-authored-by: lstein <111189+lstein@users.noreply.github.com>
Co-authored-by: lstein <111189+lstein@users.noreply.github.com>
- Move Graph and GraphExecutionState imports to top of file
- Remove dependency on test_nodes in sanitization test
- Create minimal test invocation directly in test file

Co-authored-by: lstein <111189+lstein@users.noreply.github.com>
- Create shallow copy to avoid mutating original queue_item
- Extract 'system' user_id to constant (SYSTEM_USER_ID)
- Add constant to both backend and frontend for consistency

Co-authored-by: lstein <111189+lstein@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix multiuser information leakage in the Queue panel Fix multiuser information leakage in Queue panel detail view Jan 19, 2026
Copilot AI requested a review from lstein January 19, 2026 22:13

@lstein lstein left a comment

Works as advertised.

@lstein lstein marked this pull request as ready for review January 19, 2026 22:52

lstein commented Jan 19, 2026

@copilot I'm seeing pydantic validation errors in one of the regression tests:

tests/app/routers/test_session_queue_sanitization.py:36: ValidationError

    @pytest.fixture
    def sample_session_queue_item() -> SessionQueueItem:
        """Create a sample queue item with full data for testing."""
        graph = Graph()
        # Add a simple node to the graph
        graph.add_node(TestSanitizationInvocation(id="test_node", test_field="test value"))
    
        session = GraphExecutionState(id="test_session", graph=graph)
    
>       return SessionQueueItem(
            item_id=1,
            status="pending",
            batch_id="batch_123",
            session_id="session_123",
            queue_id="default",
            user_id="user_123",
            user_display_name="Test User",
            user_email="test@example.com",
            field_values=[
                NodeFieldValue(node_path="test_node", field_name="test_field", value="sensitive prompt data"),
            ],
            session=session,
            workflow=None,
        )
E       pydantic_core._pydantic_core.ValidationError: 4 validation errors for SessionQueueItem
E       created_at
E         Field required [type=missing, input_value={'item_id': 1, 'status': ...e={}), 'workflow': None}, input_type=dict]
E           For further information visit https://errors.pydantic.dev/2.12/v/missing
E       updated_at
E         Field required [type=missing, input_value={'item_id': 1, 'status': ...e={}), 'workflow': None}, input_type=dict]
E           For further information visit https://errors.pydantic.dev/2.12/v/missing
E       started_at
E         Field required [type=missing, input_value={'item_id': 1, 'status': ...e={}), 'workflow': None}, input_type=dict]
E           For further information visit https://errors.pydantic.dev/2.12/v/missing
E       completed_at
E         Field required [type=missing, input_value={'item_id': 1, 'status': ...e={}), 'workflow': None}, input_type=dict]
E           For further information visit https://errors.pydantic.dev/2.12/v/missing

Add required timestamp fields (created_at, updated_at, started_at, completed_at) to SessionQueueItem in test fixture

Co-authored-by: lstein <111189+lstein@users.noreply.github.com>

Copilot AI commented Jan 19, 2026

@copilot I'm seeing pydantic validation errors in one of the regression tests:

tests/app/routers/test_session_queue_sanitization.py:36: ValidationError

...

Fixed in commit 10a1530. Added the required timestamp fields (created_at, updated_at, started_at, completed_at) to the SessionQueueItem fixture in the test.

Copilot AI requested a review from lstein January 19, 2026 23:02
@lstein lstein merged commit 174a6c3 into lstein-master Jan 20, 2026
13 checks passed
@lstein lstein deleted the copilot/fix-multiuser-information-leakage branch January 20, 2026 02:19