ulysses/routes
Shaw db10c8d95b
Sessions: allow deleting memory-only ghost sessions
A session that exists only in the in-memory SessionManager — never persisted,
or whose DB row was removed out-of-band — was listed by GET /api/sessions (the
list is built from the in-memory manager) but 404'd on every per-session
operation, so it could never be deleted.

Two causes, both fixed:

1. _verify_session_owner() only consulted the DB and raised 404 when no row
   existed. It now falls back to the in-memory session's owner when (and only
   when) a session_manager is supplied and the caller actually owns the ghost.
   The DB row stays authoritative when present, and a ghost owned by another
   user still 404s, so the ownership/security model is unchanged. The new
   parameter defaults to None, preserving behavior for all other callers.

2. SessionManager.delete_session() only removed the in-memory entry when a DB
   row was found, so memory-only ghosts survived. It now drops the in-memory
   copy regardless and reports success when either the DB row or the in-memory
   entry was removed.

Added tests/test_session_ghost_delete.py covering both layers, including the
cross-owner 404, the unauthenticated 403, DB-row-wins precedence, and backward
compatibility when no manager is passed.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-02 20:51:26 +09:00
..
__init__.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
admin_wipe_routes.py Admin: wipe gallery albums with images 2026-06-02 20:35:57 +09:00
api_token_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
assistant_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
auth_routes.py Add explicit open-signup state endpoint 2026-06-02 12:35:54 +09:00
backup_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
calendar_routes.py Fix YEARLY recurring CalDAV events only showing on DTSTART year (#179) 2026-06-01 13:42:44 +09:00
chat_helpers.py feat(ai): add OpenRouter and Ollama Cloud providers (#231) 2026-06-01 14:26:10 +09:00
chat_routes.py Models: avoid hidden models in default fallback 2026-06-02 20:37:14 +09:00
cleanup_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
compare_routes.py feat(ai): add OpenRouter and Ollama Cloud providers (#231) 2026-06-01 14:26:10 +09:00
contacts_routes.py Add native Windows compatibility layer 2026-06-01 15:09:47 +09:00
cookbook_helpers.py Cookbook: surface pip install failures in logs 2026-06-02 20:34:52 +09:00
cookbook_routes.py Fix Cookbook dependency install completion state 2026-06-02 12:59:29 +09:00
diagnostics_routes.py Fix email-thread HTML injection, attachment path traversal, and missing authz (#475) 2026-06-01 22:20:17 +09:00
document_helpers.py Harden PDF document markers against cross-owner upload access (#445) 2026-06-01 22:38:14 +09:00
document_routes.py Documents: strip PDF marker without corrupting text 2026-06-02 20:35:27 +09:00
editor_draft_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
email_helpers.py Email: add explicit SMTP security mode 2026-06-02 13:15:06 +09:00
email_pollers.py Scope email calendar extraction to account owner 2026-06-01 23:12:32 +09:00
email_routes.py Email: add explicit SMTP security mode 2026-06-02 13:15:06 +09:00
embedding_routes.py chore: use running event loop in async helpers (#821) 2026-06-02 12:28:05 +09:00
emoji_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
font_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
gallery_helpers.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
gallery_routes.py Gallery: match image endpoint URLs with exact v1 suffix 2026-06-02 20:34:05 +09:00
history_routes.py fix(history): scope topic analysis to authenticated owner only (#744) 2026-06-02 11:36:01 +09:00
hwfit_routes.py Cookbook serve profiles and engine filter 2026-06-02 12:34:42 +09:00
mcp_routes.py Fix email-thread HTML injection, attachment path traversal, and missing authz (#475) 2026-06-01 22:20:17 +09:00
memory_routes.py feat: allow memory import without session (#493) 2026-06-01 22:32:17 +09:00
model_routes.py Models: avoid hidden models in default fallback 2026-06-02 20:37:14 +09:00
note_routes.py Add native Windows compatibility layer 2026-06-01 15:09:47 +09:00
personal_routes.py Scope personal RAG uploads by owner (#446) 2026-06-01 22:36:53 +09:00
prefs_routes.py Add native Windows compatibility layer 2026-06-01 15:09:47 +09:00
preset_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
research_routes.py fix(auth): honor AUTH_ENABLED=false on owner-scoped endpoints (no /login loop) (#880) 2026-06-02 12:26:26 +09:00
search_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
session_routes.py Sessions: allow deleting memory-only ghost sessions 2026-06-02 20:51:26 +09:00
shell_routes.py Fix Cookbook dependency install completion state 2026-06-02 12:59:29 +09:00
signature_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
skills_routes.py Skills: delete owner-scoped skills with owner 2026-06-02 20:28:36 +09:00
stt_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
task_routes.py Polish email tasks and window controls 2026-06-01 20:56:46 +09:00
tts_routes.py Odysseus v1.0 2026-05-31 23:58:26 +09:00
upload_routes.py Add native Windows compatibility layer 2026-06-01 15:09:47 +09:00
vault_routes.py fix(security): stop leaking the vault master password via process argv (#879) 2026-06-02 12:25:43 +09:00
webhook_routes.py Security: owner-scope v1 chat endpoint fallback 2026-06-02 20:31:35 +09:00