fix(multiuser): require admin auth on model install job endpoints

list_model_installs, get_model_install_job, pause, resume,
restart_failed, and restart_file were unauthenticated — any caller who
could reach the API could view sensitive install job fields (source,
local_path, error_traceback) and interfere with installation state.

All six endpoints now require AdminUserOrDefault, consistent with the
neighboring cancel and prune routes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: lstein

invokeai/app/api/routers/model_manager.py

@@ -858,7 +858,7 @@ def generate_html(title: str, heading: str, repo_id: str, is_error: bool, messag
     "/install",
     operation_id="list_model_installs",
 )
-async def list_model_installs() -> List[ModelInstallJob]:
+async def list_model_installs(current_admin: AdminUserOrDefault) -> List[ModelInstallJob]:
     """Return the list of model install jobs.
 
     Install jobs have a numeric `id`, a `status`, and other fields that provide information on
@@ -890,7 +890,9 @@ async def list_model_installs() -> List[ModelInstallJob]:
         404: {"description": "No such job"},
     },
 )
-async def get_model_install_job(id: int = Path(description="Model install id")) -> ModelInstallJob:
+async def get_model_install_job(
+    current_admin: AdminUserOrDefault, id: int = Path(description="Model install id")
+) -> ModelInstallJob:
     """
     Return model install job corresponding to the given source. See the documentation for 'List Model Install Jobs'
     for information on the format of the return value.
@@ -933,7 +935,9 @@ async def cancel_model_install_job(
     },
     status_code=201,
 )
-async def pause_model_install_job(id: int = Path(description="Model install job ID")) -> ModelInstallJob:
+async def pause_model_install_job(
+    current_admin: AdminUserOrDefault, id: int = Path(description="Model install job ID")
+) -> ModelInstallJob:
     """Pause the model install job corresponding to the given job ID."""
     installer = ApiDependencies.invoker.services.model_manager.install
     try:
@@ -953,7 +957,9 @@ async def pause_model_install_job(id: int = Path(description="Model install job
     },
     status_code=201,
 )
-async def resume_model_install_job(id: int = Path(description="Model install job ID")) -> ModelInstallJob:
+async def resume_model_install_job(
+    current_admin: AdminUserOrDefault, id: int = Path(description="Model install job ID")
+) -> ModelInstallJob:
     """Resume a paused model install job corresponding to the given job ID."""
     installer = ApiDependencies.invoker.services.model_manager.install
     try:
@@ -973,7 +979,9 @@ async def resume_model_install_job(id: int = Path(description="Model install job
     },
     status_code=201,
 )
-async def restart_failed_model_install_job(id: int = Path(description="Model install job ID")) -> ModelInstallJob:
+async def restart_failed_model_install_job(
+    current_admin: AdminUserOrDefault, id: int = Path(description="Model install job ID")
+) -> ModelInstallJob:
     """Restart failed or non-resumable file downloads for the given job."""
     installer = ApiDependencies.invoker.services.model_manager.install
     try:
@@ -994,6 +1002,7 @@ async def restart_failed_model_install_job(id: int = Path(description="Model ins
     status_code=201,
 )
 async def restart_model_install_file(
+    current_admin: AdminUserOrDefault,
     id: int = Path(description="Model install job ID"),
     file_source: AnyHttpUrl = Body(description="File download URL to restart"),
 ) -> ModelInstallJob:

tests/app/routers/test_multiuser_authorization.py

@@ -176,6 +176,7 @@ def enable_multiuser(monkeypatch: Any, mock_invoker: Invoker):
     monkeypatch.setattr("invokeai.app.api.routers.workflows.ApiDependencies", mock_deps)
     monkeypatch.setattr("invokeai.app.api.routers.session_queue.ApiDependencies", mock_deps)
     monkeypatch.setattr("invokeai.app.api.routers.recall_parameters.ApiDependencies", mock_deps)
+    monkeypatch.setattr("invokeai.app.api.routers.model_manager.ApiDependencies", mock_deps)
     yield
 
 
@@ -1245,6 +1246,47 @@ def test_session_queue_status_no_user_fields(self):
         assert "user_in_progress" not in fields
 
 
+# ===========================================================================
+# 10b. Model install job authorization
+# ===========================================================================
+
+
+class TestModelInstallAuth:
+    """Tests that model install job endpoints require admin authentication."""
+
+    def test_list_model_installs_requires_auth(self, enable_multiuser: Any, client: TestClient):
+        r = client.get("/api/v2/models/install")
+        assert r.status_code == status.HTTP_401_UNAUTHORIZED
+
+    def test_get_model_install_job_requires_auth(self, enable_multiuser: Any, client: TestClient):
+        r = client.get("/api/v2/models/install/1")
+        assert r.status_code == status.HTTP_401_UNAUTHORIZED
+
+    def test_pause_model_install_requires_auth(self, enable_multiuser: Any, client: TestClient):
+        r = client.post("/api/v2/models/install/1/pause")
+        assert r.status_code == status.HTTP_401_UNAUTHORIZED
+
+    def test_resume_model_install_requires_auth(self, enable_multiuser: Any, client: TestClient):
+        r = client.post("/api/v2/models/install/1/resume")
+        assert r.status_code == status.HTTP_401_UNAUTHORIZED
+
+    def test_restart_failed_model_install_requires_auth(self, enable_multiuser: Any, client: TestClient):
+        r = client.post("/api/v2/models/install/1/restart_failed")
+        assert r.status_code == status.HTTP_401_UNAUTHORIZED
+
+    def test_restart_model_install_file_requires_auth(self, enable_multiuser: Any, client: TestClient):
+        r = client.post("/api/v2/models/install/1/restart_file", json="https://example.com/model.safetensors")
+        assert r.status_code == status.HTTP_401_UNAUTHORIZED
+
+    def test_non_admin_cannot_list_model_installs(self, enable_multiuser: Any, client: TestClient, user1_token: str):
+        r = client.get("/api/v2/models/install", headers=_auth(user1_token))
+        assert r.status_code == status.HTTP_403_FORBIDDEN
+
+    def test_non_admin_cannot_pause_model_install(self, enable_multiuser: Any, client: TestClient, user1_token: str):
+        r = client.post("/api/v2/models/install/1/pause", headers=_auth(user1_token))
+        assert r.status_code == status.HTTP_403_FORBIDDEN
+
+
 # ===========================================================================
 # 11. Bulk download access control
 # ===========================================================================