From 0443cb450a21463203050358f4ab87754bb2720d Mon Sep 17 00:00:00 2001
From: Vadym Samoilenko
Date: Fri, 13 Mar 2026 15:10:15 +0000
Subject: [PATCH] history: show legacy jobs (no user_id) to authenticated users
Jobs created before user isolation was added have null user_id. Previously they were hidden from authenticated users. Now authenticated users see their own jobs + all legacy jobs (no user_id). Jobs belonging to a different authenticated user are still excluded.
Co-Authored-By: Claude Sonnet 4.6
---
 api.php | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/api.php b/api.php
index 465b150..c94271e 100644
--- a/api.php
+++ b/api.php
@@ -698,14 +698,16 @@ function handleList() {
 foreach ($files as $file) {
 $job_data = json_decode(file_get_contents($file), true);
- // User isolation: only return jobs belonging to the authenticated user.
- // Jobs without a user_id (created before this feature) are excluded when
- // a user is authenticated to prevent cross-user data leakage.
+ // User isolation:
+ // - Authenticated user: show their own jobs + legacy jobs (no user_id)
+ // - Unauthenticated (dev mode): show only legacy jobs (no user_id)
+ $job_user_id = $job_data['user_id'] ?? null;
 if ($current_user_id !== null) {
- if (($job_data['user_id'] ?? null) !== $current_user_id) continue;
- } elseif (($job_data['user_id'] ?? null) !== null) {
- // Unauthenticated caller (dev mode) — skip user-owned jobs
- continue;
+ // Skip jobs that belong to a DIFFERENT authenticated user
+ if ($job_user_id !== null && $job_user_id !== $current_user_id) continue;
+ } else {
+ // Unauthenticated — skip user-owned jobs
+ if ($job_user_id !== null) continue;
 }
 // Enrich with result summary if available
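Review bot: The new `$job_user_id === null` case fails open: any job file without a `user_id` is now listed to every authenticated user, and that covers files where `json_decode()` returned null (corrupt or partially written JSON) and jobs created by unauthenticated dev-mode callers, not only pre-isolation records. Before the `$job_user_id` assignment I would add `if (!is_array($job_data)) continue;` so an unreadable file is never treated as a legacy job. I would also put the legacy branch behind an explicit opt-in setting, or give legacy jobs an owner in a one-off migration, because the removed comment said that excluding them was what prevented cross-user data leakage. This hunk does not show whether the per-job endpoints apply the same rule; they should agree with the list, so that a legacy job is neither listed but refused nor readable without appearing here. handleList's body starts and ends outside the hunk.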