fix: enforce data isolation in server mode

In server mode, multiple users share one pgAdmin instance. Several
code paths loaded objects belonging to all users without filtering,
allowing cross-user information disclosure.

Changes:

- Add centralized get_accessible_server() and related helpers in
  utils/server_access.py. Single-query check: owned OR shared OR
  admin. Desktop mode bypasses (single user).

- Replace ~30 unscoped Server.query.filter_by(id=sid) callsites
  across servers, sqleditor, schema_diff, erd, psql, import_export,
  views, workspaces with get_accessible_server(sid) + None checks.

- Add access check in connection_manager() — the real security
  boundary for ~50+ check_precondition-decorated endpoints.

- Scope ServerGroup.query.all() to current user + shared groups.
  Add user check to ServerGroup.properties() and nodes(gid).

- Replace Server.shared listing patterns with get_user_server_query()
  using proper shared server semantics.

- Add user_id to DebuggerFunctionArguments model + composite PK.
  Alembic migration handles SQLite (recreate) and PostgreSQL
  (add column, backfill from server owner, recreate PK).
  SCHEMA_VERSION bumped to 50.

- Scope disconnect_from_all_servers(), delete_adhoc_servers(),
  get_servers_with_saved_passwords() to current user. Guard
  delete_adhoc_servers with has_request_context() for app startup.

- Add indexes: server(user_id), server(servergroup_id),
  sharedserver(user_id), sharedserver(osid), servergroup(user_id).

- Fix old migration ca00ec32581b to use raw SQL instead of model
  import (prevents breakage when model shape changes).

Author: asheshv

web/migrations/versions/add_user_id_to_debugger_func_args_.py

@@ -0,0 +1,123 @@
+##########################################################################
+#
+# pgAdmin 4 - PostgreSQL Tools
+#
+# Copyright (C) 2013 - 2026, The pgAdmin Development Team
+# This software is released under the PostgreSQL Licence
+#
+##########################################################################
+
+"""Add user_id to debugger_function_arguments and indexes for data isolation
+
+Revision ID: add_user_id_dbg_args
+Revises: add_tools_ai_perm
+Create Date: 2026-04-08
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+# revision identifiers, used by Alembic.
+revision = 'add_user_id_dbg_args'
+down_revision = 'add_tools_ai_perm'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    conn = op.get_bind()
+    dialect = conn.dialect.name
+
+    # --- DebuggerFunctionArguments: add user_id to composite PK ---
+    if dialect == 'sqlite':
+        # SQLite cannot ALTER composite PKs. Recreate the table.
+        # Existing debugger argument data is ephemeral (cached function
+        # args) so dropping is acceptable.
+        op.execute(
+            'DROP TABLE IF EXISTS debugger_function_arguments'
+        )
+        op.create_table(
+            'debugger_function_arguments',
+            sa.Column('user_id', sa.Integer(),
+                      sa.ForeignKey('user.id'), nullable=False),
+            sa.Column('server_id', sa.Integer(), nullable=False),
+            sa.Column('database_id', sa.Integer(), nullable=False),
+            sa.Column('schema_id', sa.Integer(), nullable=False),
+            sa.Column('function_id', sa.Integer(), nullable=False),
+            sa.Column('arg_id', sa.Integer(), nullable=False),
+            sa.Column('is_null', sa.Integer(), nullable=False),
+            sa.Column('is_expression', sa.Integer(), nullable=False),
+            sa.Column('use_default', sa.Integer(), nullable=False),
+            sa.Column('value', sa.String(), nullable=True),
+            sa.PrimaryKeyConstraint(
+                'user_id', 'server_id', 'database_id',
+                'schema_id', 'function_id', 'arg_id'
+            ),
+            sa.CheckConstraint('is_null >= 0 AND is_null <= 1'),
+            sa.CheckConstraint(
+                'is_expression >= 0 AND is_expression <= 1'),
+            sa.CheckConstraint(
+                'use_default >= 0 AND use_default <= 1'),
+        )
+    else:
+        # PostgreSQL: add column, backfill from server owner, recreate
+        # PK using batch_alter_table for portability.
+        op.add_column(
+            'debugger_function_arguments',
+            sa.Column('user_id', sa.Integer(),
+                      sa.ForeignKey('user.id'), nullable=True)
+        )
+        # Backfill: assign user_id from the server's owner
+        op.execute(
+            'UPDATE debugger_function_arguments '
+            'SET user_id = s.user_id '
+            'FROM server s '
+            'WHERE debugger_function_arguments.server_id = s.id'
+        )
+        # Delete orphans (rows with no matching server)
+        op.execute(
+            'DELETE FROM debugger_function_arguments '
+            'WHERE user_id IS NULL'
+        )
+        op.alter_column(
+            'debugger_function_arguments', 'user_id', nullable=False
+        )
+        # Recreate PK with user_id using batch_alter_table
+        with op.batch_alter_table(
+            'debugger_function_arguments'
+        ) as batch:
+            batch.drop_constraint(
+                'debugger_function_arguments_pkey', type_='primary'
+            )
+            batch.create_primary_key(
+                'debugger_function_arguments_pkey',
+                ['user_id', 'server_id', 'database_id',
+                 'schema_id', 'function_id', 'arg_id']
+            )
+
+    # --- Indexes for data isolation query performance ---
+    # CREATE INDEX IF NOT EXISTS is supported by both SQLite and PostgreSQL.
+    # Some tables (e.g. sharedserver) may not exist in older schemas that
+    # haven't run all prior migrations, so wrap each in try/except.
+    index_stmts = [
+        'CREATE INDEX IF NOT EXISTS ix_server_user_id '
+        'ON server (user_id)',
+        'CREATE INDEX IF NOT EXISTS ix_server_servergroup_id '
+        'ON server (servergroup_id)',
+        'CREATE INDEX IF NOT EXISTS ix_sharedserver_user_id '
+        'ON sharedserver (user_id)',
+        'CREATE INDEX IF NOT EXISTS ix_sharedserver_osid '
+        'ON sharedserver (osid)',
+        'CREATE INDEX IF NOT EXISTS ix_servergroup_user_id '
+        'ON servergroup (user_id)',
+    ]
+    for stmt in index_stmts:
+        try:
+            op.execute(stmt)
+        except Exception:
+            pass
+
+
+def downgrade():
+    # pgAdmin only upgrades, downgrade not implemented.
+    pass

web/migrations/versions/ca00ec32581b_.py

@@ -15,8 +15,6 @@
 
 """
 from alembic import op
-from sqlalchemy.orm.session import Session
-from pgadmin.model import DebuggerFunctionArguments
 
 # revision identifiers, used by Alembic.
 revision = 'ca00ec32581b'
@@ -26,11 +24,10 @@
 
 
 def upgrade():
-    session = Session(bind=op.get_bind())
-
-    debugger_records = session.query(DebuggerFunctionArguments).all()
-    if debugger_records:
-        session.delete(debugger_records)
+    # Use raw SQL instead of importing the model class, because
+    # model changes in later migrations (e.g. adding user_id) would
+    # cause this migration to fail on fresh databases.
+    op.execute('DELETE FROM debugger_function_arguments')
 
 
 def downgrade():

web/pgadmin/browser/server_groups/__init__.py

@@ -25,6 +25,8 @@
 from pgadmin.model import db, ServerGroup, Server
 import config
 from pgadmin.utils.preferences import Preferences
+from pgadmin.utils.server_access import get_accessible_server_group, \
+    get_server_groups_for_user
 
 
 def get_icon_css_class(group_id, group_user_id,
@@ -286,7 +288,7 @@ def update(self, gid):
     def properties(self, gid):
         """Update the server-group properties"""
 
-        sg = ServerGroup.query.filter(ServerGroup.id == gid).first()
+        sg = get_accessible_server_group(gid)
 
         if sg is None:
             return make_json_response(
@@ -296,7 +298,8 @@ def properties(self, gid):
             )
         else:
             return ajax_response(
-                response={'id': sg.id, 'name': sg.name, 'user_id': sg.user_id},
+                response={'id': sg.id, 'name': sg.name,
+                          'user_id': sg.user_id},
                 status=200
             )
 
@@ -373,8 +376,9 @@ def dependents(self, gid):
     @staticmethod
     def get_all_server_groups():
         """
-        Returns the list of server groups to show in server mode and
-        if there is any shared server in the group.
+        Returns the list of server groups to show in server mode.
+        Includes groups owned by the user and groups containing
+        shared servers accessible to this user.
         :return: server groups
         """
 
@@ -383,17 +387,18 @@ def get_all_server_groups():
         pref = Preferences.module('browser')
         hide_shared_server = pref.preference('hide_shared_server').get()
 
-        server_groups = ServerGroup.query.all()
-        groups = []
-        for group in server_groups:
-            if hide_shared_server and \
-                ServerGroupModule.has_shared_server(group.id) and \
-                    group.user_id != current_user.id:
-                continue
-            if group.user_id == current_user.id or \
-                    ServerGroupModule.has_shared_server(group.id):
+        server_groups = get_server_groups_for_user()
+
+        if hide_shared_server:
+            groups = []
+            for group in server_groups:
+                if group.user_id != current_user.id and \
+                        ServerGroupModule.has_shared_server(group.id):
+                    continue
                 groups.append(group)
-        return groups
+            return groups
+
+        return server_groups
 
     @pga_login_required
     def nodes(self, gid=None):
@@ -421,7 +426,7 @@ def nodes(self, gid=None):
                     )
                 )
         else:
-            group = ServerGroup.query.filter(ServerGroup.id == gid).first()
+            group = get_accessible_server_group(gid)
 
             if not group:
                 return gone(

web/pgadmin/browser/server_groups/servers/__init__.py

@@ -45,6 +45,8 @@
 from .... import socketio as sio
 from pgadmin.utils import get_complete_file_path
 from pgadmin.settings.utils import with_object_filters
+from pgadmin.utils.server_access import get_accessible_server, \
+    get_user_server_query, get_accessible_server_group
 
 
 def has_any(data, keys):
@@ -245,8 +247,7 @@ def get_nodes(self, gid, object_filters):
         """Return a JSON document listing the server groups for the user"""
 
         hide_shared_server = get_preferences()
-        servers = Server.query.filter(
-            or_(Server.user_id == current_user.id, Server.shared),
+        servers = get_user_server_query().filter(
             Server.servergroup_id == gid, Server.is_adhoc == 0)
 
         driver = get_driver(PG_DEFAULT_DRIVER)
@@ -560,9 +561,7 @@ def nodes(self, gid):
         Return a JSON document listing the servers under this server group
         for the user.
         """
-        servers = Server.query.filter(
-            or_(Server.user_id == current_user.id,
-                Server.shared),
+        servers = get_user_server_query().filter(
             Server.servergroup_id == gid, Server.is_adhoc == 0)
 
         driver = get_driver(PG_DEFAULT_DRIVER)
@@ -627,24 +626,22 @@ def nodes(self, gid):
     @pga_login_required
     def node(self, gid, sid):
         """Return a JSON document listing the server groups for the user"""
-        server = Server.query.filter_by(id=sid).first()
-
-        if server.shared and server.user_id != current_user.id:
-            shared_server = ServerModule.get_shared_server(server, gid)
-            server = ServerModule.get_shared_server_properties(server,
-                                                               shared_server)
+        server = get_accessible_server(sid)
 
         if server is None:
             return make_json_response(
                 status=410,
                 success=0,
                 errormsg=gettext(
-                    gettext(
-                        "Could not find the server with id# {0}."
-                    ).format(sid)
-                )
+                    "Could not find the server with id# {0}."
+                ).format(sid)
             )
 
+        if server.shared and server.user_id != current_user.id:
+            shared_server = ServerModule.get_shared_server(server, gid)
+            server = ServerModule.get_shared_server_properties(server,
+                                                               shared_server)
+
         manager = get_driver(PG_DEFAULT_DRIVER).connection_manager(server.id)
         conn = manager.connection()
         connected = conn.connected()
@@ -754,7 +751,7 @@ def delete(self, gid, sid):
     @pga_login_required
     def update(self, gid, sid):
         """Update the server settings"""
-        server = Server.query.filter_by(id=sid).first()
+        server = get_accessible_server(sid)
         sharedserver = None
 
         if server is None:
@@ -956,13 +953,10 @@ def list(self, gid, object_filters):
         """
         Return list of attributes of all servers.
         """
-        servers = Server.query.filter(
-            or_(Server.user_id == current_user.id, Server.shared),
+        servers = get_user_server_query().filter(
             Server.servergroup_id == gid,
             Server.is_adhoc == 0).order_by(Server.name)
-        sg = ServerGroup.query.filter_by(
-            id=gid
-        ).first()
+        sg = get_accessible_server_group(gid)
         res = []
 
         driver = get_driver(PG_DEFAULT_DRIVER)
@@ -1002,8 +996,7 @@ def list(self, gid, object_filters):
     def properties(self, gid, sid):
         """Return list of attributes of a server"""
 
-        server = Server.query.filter_by(
-            id=sid).first()
+        server = get_accessible_server(sid)
 
         if server is None:
             return make_json_response(
@@ -1395,7 +1388,12 @@ def supported_servers(self, **kwargs):
 
     def connect_status(self, gid, sid):
         """Check and return the connection status."""
-        server = Server.query.filter_by(id=sid).first()
+        server = get_accessible_server(sid)
+        if server is None:
+            return make_json_response(
+                status=410, success=0,
+                errormsg=self.not_found_error_msg()
+            )
         manager = get_driver(PG_DEFAULT_DRIVER).connection_manager(sid)
         conn = manager.connection()
         connected = conn.connected()
@@ -1464,7 +1462,10 @@ def connect(self, gid, sid, is_qt=False, server=None):
         # function in that case no need to fetch the server detail based on
         # sid.
         if server is None:
-            server = Server.query.filter_by(id=sid).first()
+            server = get_accessible_server(sid)
+
+        if server is None:
+            return bad_request(self.not_found_error_msg())
 
         shared_server = None
         if server.shared and server.user_id != current_user.id:
@@ -1474,8 +1475,6 @@ def connect(self, gid, sid, is_qt=False, server=None):
                 sess.expunge(server)
             server = ServerModule.get_shared_server_properties(server,
                                                                shared_server)
-        if server is None:
-            return bad_request(self.not_found_error_msg())
 
         # Return if username is blank and the server is shared
         if server.username is None and not server.service and \
@@ -1693,7 +1692,7 @@ def connect(self, gid, sid, is_qt=False, server=None):
     def disconnect(self, gid, sid):
         """Disconnect the Server."""
 
-        server = Server.query.filter_by(id=sid).first()
+        server = get_accessible_server(sid)
         if server is None:
             return bad_request(self.not_found_error_msg())
 
@@ -1818,7 +1817,7 @@ def change_password(self, gid, sid):
                 raise CryptKeyMissing
 
             # Fetch Server Details
-            server = Server.query.filter_by(id=sid).first()
+            server = get_accessible_server(sid)
             if server is None:
                 return bad_request(self.not_found_error_msg())
 
@@ -2108,7 +2107,7 @@ def clear_saved_password(self, gid, sid):
         :return:
         """
         try:
-            server = Server.query.filter_by(id=sid).first()
+            server = get_accessible_server(sid)
             shared_server = None
             if server is None:
                 return make_json_response(
@@ -2165,7 +2164,7 @@ def clear_sshtunnel_password(self, gid, sid):
         :return:
         """
         try:
-            server = Server.query.filter_by(id=sid).first()
+            server = get_accessible_server(sid)
             if server is None:
                 return make_json_response(
                     success=0,