fix: scope gate to owners and extend to SessionNodes table

Author: yomybaby

.claude/scheduled_tasks.lock

@@ -0,0 +1 @@
+{"sessionId":"1b461965-840b-4e9c-933e-9870d26ecc24","pid":1743283,"procStart":"458332728","acquiredAt":1778812398765}

react/src/components/ComputeSessionNodeItems/SessionActionButtons.tsx

@@ -126,19 +126,21 @@ const SessionActionButtons: React.FC<SessionActionButtonsProps> = ({
   // The session row's access_key is set when the session was created.
   // If the current keypair is different, manager APIs return 403
   // ("Only admins can perform operations on behalf of other users.")
-  // for any per-session action — disable the buttons upfront instead.
+  // — but only for the session's owner. Admins viewing another user's
+  // session (rendered here from SessionDetailContent) are allowed to act
+  // on behalf of that user, so the gate is owner-only.
   const isAccessKeyMismatch =
     !!session?.access_key &&
     !!baiClient._config.accessKey &&
     session.access_key !== baiClient._config.accessKey;
+  const shouldDisableForMismatch = isOwner && isAccessKeyMismatch;
 
   // Only swap to the mismatch tooltip when switching access keys would
-  // actually unblock the user — i.e. they own the session. For non-owners
-  // the button is already disabled for a different reason and the mismatch
-  // copy ("Switch to that access key to manage this session") would be
-  // misleading.
+  // actually unblock the user. The button is also disabled when the
+  // session is inactive — in that case the "switch access key" advice
+  // is misleading, so fall back to the default tooltip.
   const resolveTooltip = (defaultTitle: string) =>
-    isAccessKeyMismatch && isOwner
+    shouldDisableForMismatch && isActive(session)
       ? t('session.AccessKeyMismatchTooltip')
       : defaultTitle;
 
@@ -213,7 +215,7 @@ const SessionActionButtons: React.FC<SessionActionButtonsProps> = ({
                     !isAppSupported(session) ||
                     !isActive(session) ||
                     !isOwner ||
-                    isAccessKeyMismatch
+                    shouldDisableForMismatch
                   }
                   icon={<BAIJupyterIcon />}
                   onClick={() => {
@@ -250,7 +252,7 @@ const SessionActionButtons: React.FC<SessionActionButtonsProps> = ({
                     !isAppSupported(session) ||
                     !isActive(session) ||
                     !isOwner ||
-                    isAccessKeyMismatch
+                    shouldDisableForMismatch
                   }
                   icon={<BAIFileBrowserIcon />}
                   onClick={() => {
@@ -286,7 +288,7 @@ const SessionActionButtons: React.FC<SessionActionButtonsProps> = ({
                   !isAppSupported(session) ||
                   !isActive(session) ||
                   !isOwner ||
-                  isAccessKeyMismatch
+                  shouldDisableForMismatch
                 }
                 icon={<BAIAppIcon />}
                 onClick={() => {
@@ -306,7 +308,9 @@ const SessionActionButtons: React.FC<SessionActionButtonsProps> = ({
           <Tooltip title={resolveTooltip(t('data.explorer.RunSSH/SFTPserver'))}>
             <Button
               type="primary"
-              disabled={!isActive(session) || !isOwner || isAccessKeyMismatch}
+              disabled={
+                !isActive(session) || !isOwner || shouldDisableForMismatch
+              }
               size={size}
               icon={<BAISftpIcon />}
               onClick={() => {
@@ -330,7 +334,7 @@ const SessionActionButtons: React.FC<SessionActionButtonsProps> = ({
                   !isAppSupported(session) ||
                   !isActive(session) ||
                   !isOwner ||
-                  isAccessKeyMismatch
+                  shouldDisableForMismatch
                 }
                 icon={<BAITerminalAppIcon />}
                 onClick={() => {
@@ -356,7 +360,7 @@ const SessionActionButtons: React.FC<SessionActionButtonsProps> = ({
           >
             <Button
               size={size}
-              disabled={isAccessKeyMismatch}
+              disabled={shouldDisableForMismatch}
               icon={<BAISessionLogIcon />}
               onClick={() => {
                 onAction?.('logs');
@@ -381,7 +385,9 @@ const SessionActionButtons: React.FC<SessionActionButtonsProps> = ({
             <Button
               size={size}
               disabled={
-                session?.status !== 'RUNNING' || !isOwner || isAccessKeyMismatch
+                session?.status !== 'RUNNING' ||
+                !isOwner ||
+                shouldDisableForMismatch
               }
               icon={<BAIContainerCommitIcon />}
               onClick={() => {
@@ -406,12 +412,12 @@ const SessionActionButtons: React.FC<SessionActionButtonsProps> = ({
           >
             <Button
               size={size}
-              disabled={!isActive(session) || isAccessKeyMismatch}
+              disabled={!isActive(session) || shouldDisableForMismatch}
               icon={
                 <BAITerminateIcon
                   style={{
                     color:
-                      isActive(session) && !isAccessKeyMismatch
+                      isActive(session) && !shouldDisableForMismatch
                         ? token.colorError
                         : undefined,
                   }}

react/src/components/SessionNodes.tsx

@@ -96,6 +96,7 @@ const SessionNodes: React.FC<SessionNodesProps> = ({
         type
         service_ports
         user_id
+        access_key
         agent_ids
         ...SessionStatusTagFragment
         ...SessionReservationFragment
@@ -165,6 +166,19 @@ const SessionNodes: React.FC<SessionNodesProps> = ({
               session.type || '',
             ) && !_.isEmpty(JSON.parse(session.service_ports ?? '{}'));
           const isOwner = userInfo?.uuid === session.user_id;
+          // 403 ("Only admins can perform operations on behalf of other
+          // users.") only hits owners on the wrong keypair. Admins acting
+          // on another user's session are permitted, so the gate is
+          // owner-only.
+          const shouldDisableForMismatch =
+            isOwner &&
+            !!session.access_key &&
+            !!baiClient._config.accessKey &&
+            session.access_key !== baiClient._config.accessKey;
+          const mismatchTitle =
+            shouldDisableForMismatch && isActive
+              ? t('session.AccessKeyMismatchTooltip')
+              : undefined;
           return (
             <BAINameActionCell
               title={name}
@@ -177,17 +191,21 @@ const SessionNodes: React.FC<SessionNodesProps> = ({
               actions={filterOutEmpty([
                 session.type !== 'system' && {
                   key: 'appLauncher',
-                  title: t('session.SeeAppDialog'),
+                  title: mismatchTitle ?? t('session.SeeAppDialog'),
                   icon: <BAIAppIcon />,
-                  disabled: !isAppSupported || !isActive || !isOwner,
+                  disabled:
+                    !isAppSupported ||
+                    !isActive ||
+                    !isOwner ||
+                    shouldDisableForMismatch,
                   onClick: () => setAppLauncherTarget(session),
                 },
                 {
                   key: 'terminate',
-                  title: t('session.TerminateSession'),
+                  title: mismatchTitle ?? t('session.TerminateSession'),
                   icon: <PowerOffIcon />,
                   type: 'danger' as const,
-                  disabled: !isActive,
+                  disabled: !isActive || shouldDisableForMismatch,
                   onClick: () => setTerminateTarget(session),
                 },
               ])}