Restrict podcast task status/result access to task owner by AJaySi · Pull Request #453 · AJaySi/ALwrity

AJaySi · 2026-03-30T02:35:46Z

Prevent leaking task existence to unauthorized users by enforcing owner-based access when reading task status or results.
Persist task ownership at creation time so status/result endpoints can reliably verify requester identity.
Make task-manager lookups owner-aware and ensure endpoints return 404 on mismatch to avoid revealing whether a task exists.

Added metadata support to TaskManager.create_task(...) and stored metadata on each task under the metadata key in task_storage.
Extended TaskManager.get_task_status(task_id, requester_user_id=...) to check stored owner_user_id and return None when the requester does not match the owner.
Updated podcast handlers to pass metadata={"owner_user_id": user_id} when creating tasks for audio dubbing, voice cloning, podcast video generation, and combine-videos, and to call get_task_status(..., requester_user_id=user_id) when returning results.
Changed /api/podcast/task/{task_id}/status, /api/podcast/dub/{task_id}/result, and /api/podcast/dub/voices/{task_id}/result to supply the authenticated user ID to task lookups and to raise 404 when a task is missing or ownership does not match.

Compiled the modified modules with python -m py_compile backend/api/story_writer/task_manager.py backend/api/podcast/router.py backend/api/podcast/handlers/dubbing.py backend/api/podcast/handlers/video.py which completed successfully.

Restrict podcast task status access by owner

b54c297

AJaySi added the codex label Mar 30, 2026 — with ChatGPT Codex Connector

AJaySi merged commit e3ba789 into main Apr 3, 2026
1 check passed

Provide feedback