fix(multiuser): make preexisting workflows visible after migration

PR #9018 assigned preexisting workflows user_id='system' with
is_public=FALSE, causing them to disappear from all users' libraries.

- Add migration 30: sets is_public=TRUE for all system-owned workflows
  so they appear under "Shared Workflows"
- Skip user_id filtering for admins in workflow listing endpoints so
  they can see and manage all workflows including system-owned ones
- Show the Shared toggle to admins on system-owned workflows in the
  workflow list UI
- Update multiuser user guide to document private/shared workflows,
  private/shared/public image boards, and warn about preexisting
  workflows appearing in shared section
- Add regression tests for system workflow visibility, admin CRUD
  access, and regular user access denial

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: lstein

docs/multiuser/user_guide.md

@@ -140,13 +140,13 @@ As a regular user, you can:
 - ✅ View your own generation queue
 - ✅ Customize your UI preferences (theme, hotkeys, etc.)
 - ✅ View available models (read-only access to Model Manager)
-- ✅ Access shared boards (based on permissions granted to you) (FUTURE FEATURE)
-- ✅ Access workflows marked as public (FUTURE FEATURE)
+- ✅ View shared and public boards created by other users
+- ✅ View and use workflows marked as shared by other users
 
 You cannot:
 
 - ❌ Add, delete, or modify models
-- ❌ View or modify other users' boards, images, or workflows
+- ❌ View or modify other users' private boards, images, or workflows
 - ❌ Manage user accounts
 - ❌ Access system configuration
 - ❌ View or cancel other users' generation tasks
@@ -173,7 +173,7 @@ Administrators have all regular user capabilities, plus:
 - ✅ Full model management (add, delete, configure models)
 - ✅ Create and manage user accounts
 - ✅ View and manage all users' generation queues
-- ✅ Create and manage shared boards (FUTURE FEATURE)
+- ✅ View and manage all users' boards, images, and workflows (including system-owned legacy content)
 - ✅ Access system configuration
 - ✅ Grant or revoke admin privileges
 
@@ -183,23 +183,30 @@ Administrators have all regular user capabilities, plus:
 
 ### Image Boards
 
-In multi-user model, Image Boards work as before. Each user can create an unlimited number of boards and organize their images and assets as they see fit. Boards are private: you cannot see a board owned by a different user.
+In multi-user mode, each user can create an unlimited number of boards and organize their images and assets as they see fit. Boards have three visibility levels:
 
-!!! tip "Shared Boards"
-    InvokeAI 6.13 will add support for creating public boards that are accessible to all users.
+- **Private** (default): Only you (and administrators) can see and modify the board.
+- **Shared**: All users can view the board and its contents, but only you (and administrators) can modify it (rename, archive, delete, or add/remove images).
+- **Public**: All users can view the board. Only you (and administrators) can modify the board's structure (rename, archive, delete).
 
-The Administrator can see all users Image Boards and their contents.
+To change a board's visibility, right-click on the board and select the desired visibility option.
 
-### Going From Multi-User to Single-User mode
+Administrators can see and manage all users' image boards and their contents regardless of visibility settings.
+
+### Going From Multi-User to Single-User Mode
 
 If an InvokeAI instance was in multiuser mode and then restarted in single user mode (by setting `multiuser: false` in the configuration file), all users' boards will be consolidated in one place. Any images that were in  "Uncategorized" will be merged together into a single Uncategorized board. If, at a later date, the server is restarted in multi-user mode, the boards and images will be separated and restored to their owners.
 
 ### Workflows
 
-In the current released version (6.12) workflows are always shared among users. Any workflow that you create will be visible to other users and vice-versa, and there is no protection against one user modifying another user's workflow.
+Each user has their own private workflow library. Workflows you create are visible only to you by default.
+
+You can share a workflow with other users by marking it as **shared** (public). Shared workflows appear in all users' workflow libraries and can be opened by anyone, but only the owner (or an administrator) can modify or delete them.
+
+To share a workflow, open it and use the sharing controls to toggle its public/shared status.
 
-!!! tip "Private and Shared Workflows"
-    InvokeAI 6.13 will provide the ability to create private and shared workflows. A private workflow can only be viewed by the user who created it. At any time, however, the user can designate the workflow *shared*, in which case it can be opened on a read-only basis by all logged-in users.
+!!! warning "Preexisting workflows after enabling multi-user mode"
+    When you enable multi-user mode for the first time on an existing InvokeAI installation, all workflows that were created before multi-user mode was activated will appear in the **shared workflows** section. These preexisting workflows are owned by the internal "system" account and are visible to all users. Administrators can edit or delete these shared legacy workflows. Regular users can view and use them but cannot modify them.
 
 
 ### The Generation Queue
@@ -330,11 +337,11 @@ These settings are stored per-user and won't affect other users.
 
 ### Can other users see my images?
 
-No, unless you add them to a shared board (FUTURE FEATURE). All your personal boards and images are private.
+Not unless you change your board's visibility to "shared" or "public". All personal boards and images are private by default.
 
 ### Can I share my workflows with others?
 
-Not directly. Ask your administrator to mark workflows as public if you want to share them.
+Yes. You can mark any workflow as shared (public), which makes it visible to all users. Other users can view and use shared workflows, but only you or an administrator can modify or delete them.
 
 ### How long do sessions last?
 

invokeai/app/api/routers/workflows.py

@@ -144,10 +144,10 @@ async def list_workflows(
     """Gets a page of workflows"""
     config = ApiDependencies.invoker.services.configuration
 
-    # In multiuser mode, scope user-category workflows to the current user unless fetching shared workflows
+    # In multiuser mode, scope user-category workflows to the current user unless fetching shared workflows.
+    # Admins skip the user_id filter so they can see and manage all workflows including system-owned ones.
     user_id_filter: Optional[str] = None
-    if config.multiuser:
-        # Only filter 'user' category results by user_id when not explicitly listing public workflows
+    if config.multiuser and not current_user.is_admin:
         has_user_category = not categories or WorkflowCategory.User in categories
         if has_user_category and is_public is not True:
             user_id_filter = current_user.user_id
@@ -320,7 +320,7 @@ async def get_all_tags(
     """Gets all unique tags from workflows"""
     config = ApiDependencies.invoker.services.configuration
     user_id_filter: Optional[str] = None
-    if config.multiuser:
+    if config.multiuser and not current_user.is_admin:
         has_user_category = not categories or WorkflowCategory.User in categories
         if has_user_category and is_public is not True:
             user_id_filter = current_user.user_id
@@ -341,7 +341,7 @@ async def get_counts_by_tag(
     """Counts workflows by tag"""
     config = ApiDependencies.invoker.services.configuration
     user_id_filter: Optional[str] = None
-    if config.multiuser:
+    if config.multiuser and not current_user.is_admin:
         has_user_category = not categories or WorkflowCategory.User in categories
         if has_user_category and is_public is not True:
             user_id_filter = current_user.user_id
@@ -361,7 +361,7 @@ async def counts_by_category(
     """Counts workflows by category"""
     config = ApiDependencies.invoker.services.configuration
     user_id_filter: Optional[str] = None
-    if config.multiuser:
+    if config.multiuser and not current_user.is_admin:
         has_user_category = WorkflowCategory.User in categories
         if has_user_category and is_public is not True:
             user_id_filter = current_user.user_id

invokeai/app/services/shared/sqlite/sqlite_util.py

@@ -32,6 +32,7 @@
 from invokeai.app.services.shared.sqlite_migrator.migrations.migration_27 import build_migration_27
 from invokeai.app.services.shared.sqlite_migrator.migrations.migration_28 import build_migration_28
 from invokeai.app.services.shared.sqlite_migrator.migrations.migration_29 import build_migration_29
+from invokeai.app.services.shared.sqlite_migrator.migrations.migration_30 import build_migration_30
 from invokeai.app.services.shared.sqlite_migrator.sqlite_migrator_impl import SqliteMigrator
 
 
@@ -81,6 +82,7 @@ def init_db(config: InvokeAIAppConfig, logger: Logger, image_files: ImageFileSto
     migrator.register_migration(build_migration_27())
     migrator.register_migration(build_migration_28())
     migrator.register_migration(build_migration_29())
+    migrator.register_migration(build_migration_30())
     migrator.run_migrations()
 
     return db

invokeai/app/services/shared/sqlite_migrator/migrations/migration_30.py

@@ -0,0 +1,37 @@
+"""Migration 30: Make preexisting system-owned workflows public.
+
+Migration 28 added user_id and is_public columns to workflow_library, but
+assigned preexisting workflows user_id='system' with is_public=FALSE. This
+caused those workflows to disappear from users' libraries because the query
+filter scopes by user_id and excludes non-public workflows owned by other
+users. This migration fixes the issue by marking all system-owned workflows
+as public so they are visible to all users.
+"""
+
+import sqlite3
+
+from invokeai.app.services.shared.sqlite_migrator.sqlite_migrator_common import Migration
+
+
+class Migration30Callback:
+    """Migration to make system-owned workflows publicly visible."""
+
+    def __call__(self, cursor: sqlite3.Cursor) -> None:
+        self._make_system_workflows_public(cursor)
+
+    def _make_system_workflows_public(self, cursor: sqlite3.Cursor) -> None:
+        """Set is_public=TRUE for all workflows owned by the 'system' user."""
+        cursor.execute("UPDATE workflow_library SET is_public = TRUE WHERE user_id = 'system';")
+
+
+def build_migration_30() -> Migration:
+    """Builds the migration object for migrating from version 29 to version 30.
+
+    This migration marks all preexisting system-owned workflows as public
+    so they remain visible to all users after the multiuser migration.
+    """
+    return Migration(
+        from_version=29,
+        to_version=30,
+        callback=Migration30Callback(),
+    )

invokeai/frontend/web/src/features/nodes/components/sidePanel/workflow/WorkflowLibrary/WorkflowListItem.tsx

@@ -160,7 +160,7 @@ export const WorkflowListItem = memo(({ workflow }: { workflow: WorkflowRecordLi
             </Text>
           )}
           <Spacer />
-          {isOwner && <ShareWorkflowToggle workflow={workflow} />}
+          {canEditOrDelete && <ShareWorkflowToggle workflow={workflow} />}
           {workflow.category === 'default' && <ViewWorkflow workflowId={workflow.workflow_id} />}
           {workflow.category !== 'default' && (
             <>

tests/app/routers/test_workflows_multiuser.py

@@ -332,3 +332,147 @@ def test_workflow_has_user_id_and_is_public_fields(client: TestClient, user1_tok
     assert "user_id" in data
     assert "is_public" in data
     assert data["is_public"] is False
+
+
+# ---------------------------------------------------------------------------
+# System-owned workflow visibility (regression tests for migration 30 fix)
+# ---------------------------------------------------------------------------
+
+
+def _insert_system_workflow(mock_invoker: Invoker, name: str = "Legacy Workflow", is_public: bool = True) -> str:
+    """Insert a workflow owned by 'system' directly via the service layer, then set is_public."""
+    from invokeai.app.services.workflow_records.workflow_records_common import WorkflowWithoutID
+
+    wf = WorkflowWithoutID(**{**WORKFLOW_BODY, "name": name})
+    record = mock_invoker.services.workflow_records.create(workflow=wf, user_id="system")
+    if is_public:
+        mock_invoker.services.workflow_records.update_is_public(workflow_id=record.workflow_id, is_public=True)
+    return record.workflow_id
+
+
+def test_system_public_workflow_visible_in_shared_listing(client: TestClient, user1_token: str, mock_invoker: Invoker):
+    """After migration 30, system-owned public workflows should appear in the shared workflows listing."""
+    wf_id = _insert_system_workflow(mock_invoker, "Legacy Workflow")
+
+    response = client.get(
+        "/api/v1/workflows/?categories=user&is_public=true",
+        headers={"Authorization": f"Bearer {user1_token}"},
+    )
+    assert response.status_code == 200
+    ids = [w["workflow_id"] for w in response.json()["items"]]
+    assert wf_id in ids
+
+
+def test_system_public_workflow_not_in_your_workflows(client: TestClient, user1_token: str, mock_invoker: Invoker):
+    """System-owned public workflows should NOT appear in 'Your Workflows' listing."""
+    wf_id = _insert_system_workflow(mock_invoker, "Legacy Workflow")
+
+    response = client.get(
+        "/api/v1/workflows/?categories=user",
+        headers={"Authorization": f"Bearer {user1_token}"},
+    )
+    assert response.status_code == 200
+    ids = [w["workflow_id"] for w in response.json()["items"]]
+    assert wf_id not in ids
+
+
+def test_system_private_workflow_not_visible_to_regular_user(
+    client: TestClient, user1_token: str, mock_invoker: Invoker
+):
+    """A system-owned workflow that is still private should NOT appear for regular users in any listing."""
+    wf_id = _insert_system_workflow(mock_invoker, "Private Legacy", is_public=False)
+
+    # Not in "Your Workflows"
+    response = client.get(
+        "/api/v1/workflows/?categories=user",
+        headers={"Authorization": f"Bearer {user1_token}"},
+    )
+    assert response.status_code == 200
+    ids = [w["workflow_id"] for w in response.json()["items"]]
+    assert wf_id not in ids
+
+    # Not in "Shared Workflows" either
+    response = client.get(
+        "/api/v1/workflows/?categories=user&is_public=true",
+        headers={"Authorization": f"Bearer {user1_token}"},
+    )
+    assert response.status_code == 200
+    ids = [w["workflow_id"] for w in response.json()["items"]]
+    assert wf_id not in ids
+
+
+def test_admin_can_list_system_workflows(client: TestClient, admin_token: str, mock_invoker: Invoker):
+    """Admins should see system-owned workflows in their listing."""
+    wf_id = _insert_system_workflow(mock_invoker, "Admin Visible Workflow")
+
+    response = client.get(
+        "/api/v1/workflows/?categories=user",
+        headers={"Authorization": f"Bearer {admin_token}"},
+    )
+    assert response.status_code == 200
+    ids = [w["workflow_id"] for w in response.json()["items"]]
+    assert wf_id in ids
+
+
+def test_admin_can_update_system_workflow(client: TestClient, admin_token: str, mock_invoker: Invoker):
+    """Admins should be able to update a system-owned workflow."""
+    wf_id = _insert_system_workflow(mock_invoker, "Editable Legacy")
+
+    # Get the full workflow to update it
+    get_resp = client.get(
+        f"/api/v1/workflows/i/{wf_id}",
+        headers={"Authorization": f"Bearer {admin_token}"},
+    )
+    assert get_resp.status_code == 200
+    workflow_data = get_resp.json()["workflow"]
+    workflow_data["name"] = "Updated by Admin"
+
+    update_resp = client.patch(
+        f"/api/v1/workflows/i/{wf_id}",
+        json={"workflow": workflow_data},
+        headers={"Authorization": f"Bearer {admin_token}"},
+    )
+    assert update_resp.status_code == 200
+    assert update_resp.json()["workflow"]["name"] == "Updated by Admin"
+
+
+def test_admin_can_delete_system_workflow(client: TestClient, admin_token: str, mock_invoker: Invoker):
+    """Admins should be able to delete a system-owned workflow."""
+    wf_id = _insert_system_workflow(mock_invoker, "Deletable Legacy")
+
+    response = client.delete(
+        f"/api/v1/workflows/i/{wf_id}",
+        headers={"Authorization": f"Bearer {admin_token}"},
+    )
+    assert response.status_code == 200
+
+
+def test_regular_user_cannot_update_system_workflow(client: TestClient, user1_token: str, mock_invoker: Invoker):
+    """Regular users should NOT be able to update a system-owned workflow."""
+    wf_id = _insert_system_workflow(mock_invoker, "Protected Legacy")
+
+    get_resp = client.get(
+        f"/api/v1/workflows/i/{wf_id}",
+        headers={"Authorization": f"Bearer {user1_token}"},
+    )
+    assert get_resp.status_code == 200
+    workflow_data = get_resp.json()["workflow"]
+    workflow_data["name"] = "Hijacked"
+
+    update_resp = client.patch(
+        f"/api/v1/workflows/i/{wf_id}",
+        json={"workflow": workflow_data},
+        headers={"Authorization": f"Bearer {user1_token}"},
+    )
+    assert update_resp.status_code == status.HTTP_403_FORBIDDEN
+
+
+def test_regular_user_cannot_delete_system_workflow(client: TestClient, user1_token: str, mock_invoker: Invoker):
+    """Regular users should NOT be able to delete a system-owned workflow."""
+    wf_id = _insert_system_workflow(mock_invoker, "Undeletable Legacy")
+
+    response = client.delete(
+        f"/api/v1/workflows/i/{wf_id}",
+        headers={"Authorization": f"Bearer {user1_token}"},
+    )
+    assert response.status_code == status.HTTP_403_FORBIDDEN

tests/test_sqlite_migrator.py

@@ -468,3 +468,64 @@ def test_migration_27_without_client_state_data_column(logger: Logger) -> None:
     assert cursor.fetchone()[0] == 0
 
     db._conn.close()
+
+
+def test_migration_30_makes_system_workflows_public(logger: Logger) -> None:
+    """Test that migration 30 sets is_public=TRUE for all system-owned workflows."""
+    from invokeai.app.services.shared.sqlite_migrator.migrations.migration_28 import Migration28Callback
+    from invokeai.app.services.shared.sqlite_migrator.migrations.migration_30 import Migration30Callback
+
+    db = SqliteDatabase(db_path=None, logger=logger, verbose=False)
+    cursor = db._conn.cursor()
+
+    # Create workflow_library table as it would exist before migration 28
+    cursor.execute("""
+        CREATE TABLE workflow_library (
+            workflow_id TEXT PRIMARY KEY,
+            workflow TEXT NOT NULL DEFAULT '',
+            name TEXT NOT NULL DEFAULT '',
+            created_at DATETIME NOT NULL DEFAULT (CURRENT_TIMESTAMP),
+            updated_at DATETIME NOT NULL DEFAULT (CURRENT_TIMESTAMP),
+            opened_at DATETIME,
+            category TEXT NOT NULL DEFAULT 'user',
+            tags TEXT NOT NULL DEFAULT ''
+        );
+    """)
+
+    # Insert preexisting workflows (simulating data from before multiuser)
+    cursor.execute("INSERT INTO workflow_library (workflow_id, name) VALUES ('wf-1', 'Old Workflow 1');")
+    cursor.execute("INSERT INTO workflow_library (workflow_id, name) VALUES ('wf-2', 'Old Workflow 2');")
+    db._conn.commit()
+
+    # Run migration 28 — adds user_id='system' and is_public=FALSE
+    Migration28Callback()(cursor)
+    db._conn.commit()
+
+    # Verify migration 28 state: system-owned and private
+    cursor.execute("SELECT user_id, is_public FROM workflow_library WHERE workflow_id = 'wf-1';")
+    row = cursor.fetchone()
+    assert row[0] == "system"
+    assert row[1] == 0  # FALSE
+
+    # Insert a non-system workflow (created after migration 28)
+    cursor.execute(
+        "INSERT INTO workflow_library (workflow_id, name, user_id, is_public) VALUES ('wf-3', 'New Workflow', 'user-123', 0);"
+    )
+    db._conn.commit()
+
+    # Run migration 30
+    Migration30Callback()(cursor)
+    db._conn.commit()
+
+    # System-owned workflows should now be public
+    cursor.execute("SELECT is_public FROM workflow_library WHERE workflow_id = 'wf-1';")
+    assert cursor.fetchone()[0] == 1  # TRUE
+
+    cursor.execute("SELECT is_public FROM workflow_library WHERE workflow_id = 'wf-2';")
+    assert cursor.fetchone()[0] == 1  # TRUE
+
+    # Non-system workflow should remain private
+    cursor.execute("SELECT is_public FROM workflow_library WHERE workflow_id = 'wf-3';")
+    assert cursor.fetchone()[0] == 0  # FALSE
+
+    db._conn.close()