Skills: delete owner-scoped skills with owner

The DELETE /api/skills/{skill_id} handler resolves the caller, loads the skill with skills_manager.load(owner=user), and verifies ownership with _verify_owner(match, user) — but then calls skills_manager.delete_skill(match.get("name")) without the owner. SkillsManager.delete_skill filters candidates with `(sk.owner or "") != (owner or "")`, so when owner is None an owner-scoped skill is skipped and the method returns False. The route then raises a spurious 404 "Skill not found" — meaning a logged-in user can never delete their own skills through the API. Pass the resolved owner through to delete_skill so the skill is matched and removed. tests/test_skills_delete_owner.py drops a real owner-scoped SKILL.md on disk and (1) checks the manager directly: delete_skill without owner returns False (regression lock) while delete_skill(owner="alice") returns True and removes the dir; (2) drives the real DELETE route handler and asserts it returns {"ok": True} and deletes the file. The route test fails before this change (404). Real SkillsManager + real filesystem, no mocking.
2026-06-02 18:28:36 +07:00
parent 9389cabed0
commit cd247ed107
2 changed files with 107 additions and 1 deletions
--- a/routes/skills_routes.py
+++ b/routes/skills_routes.py
@@ -1511,7 +1511,7 @@ def setup_skills_routes(skills_manager: SkillsManager) -> APIRouter:
        if not match:
            raise HTTPException(404, "Skill not found")
        _verify_owner(match, user)
-        ok = skills_manager.delete_skill(match.get("name"))
+        ok = skills_manager.delete_skill(match.get("name"), owner=user)
        if not ok:
            raise HTTPException(404, "Skill not found")
        return {"ok": True}
--- a/tests/test_skills_delete_owner.py
+++ b/tests/test_skills_delete_owner.py
@@ -0,0 +1,106 @@
 import os
 import pytest
 import textwrap
 from pathlib import Path
 from fastapi import Request, HTTPException
 from fastapi.datastructures import State
 from services.memory.skills import SkillsManager
 from services.memory.skill_format import slugify
 from routes.skills_routes import setup_skills_routes
 def _write_skill_md(skills_root: Path, category: str, name: str,
                    owner: str, description: str) -> Path:
    """Drop a real SKILL.md on disk for the given owner."""
    skill_dir = skills_root / slugify(category or "general", fallback="general") / name
    skill_dir.mkdir(parents=True, exist_ok=True)
    md = textwrap.dedent(f"""\
        ---
        name: {name}
        description: {description}
        version: 1.0.0
        category: {category}
        tags: []
        status: draft
        confidence: 0.8
        source: learned
        owner: {owner}
        created: 2026-01-01T00:00:00Z
        ---
        # When to use
        test
        # Procedure
        - step 1
        """)
    path = skill_dir / "SKILL.md"
    path.write_text(md, encoding="utf-8")
    return path
 def test_delete_skill_manager_direct_scoping(tmp_path):
    skills_root = tmp_path / "skills"
    skills_root.mkdir(parents=True, exist_ok=True)
    # Create an owner-scoped skill (owner="alice")
    path = _write_skill_md(
        skills_root,
        category="general",
        name="test-skill",
        owner="alice",
        description="test",
    )
    sm = SkillsManager(str(tmp_path))
    # 1. Assert that calling delete_skill without owner returns False (documents the bug/regression lock)
    assert sm.delete_skill("test-skill") is False
    assert path.exists() is True
    # 2. Call the manager exactly as the fixed route does (with owner), assert it returns True and the skill is gone
    assert sm.delete_skill("test-skill", owner="alice") is True
    assert path.exists() is False
@pytest.mark.asyncio
 async def test_delete_skill_route_handler_scoping(tmp_path):
    skills_root = tmp_path / "skills"
    skills_root.mkdir(parents=True, exist_ok=True)
    # Create an owner-scoped skill (owner="alice")
    path = _write_skill_md(
        skills_root,
        category="general",
        name="test-skill",
        owner="alice",
        description="test",
    )
    sm = SkillsManager(str(tmp_path))
    router = setup_skills_routes(sm)
    # Find the delete route handler endpoint
    delete_route_handler = next(
        route.endpoint for route in router.routes
        if route.path == "/api/skills/{skill_id}" and "DELETE" in route.methods
    )
    # Construct a mock FastAPI Request
    class DummyApp:
        state = State()
    app = DummyApp()
    request = Request(scope={
        "type": "http",
        "app": app,
        "state": {
            "current_user": "alice"
        }
    })
    # Before the fix, this raises HTTPException 404 because delete_skill was called without owner.
    # After the fix, it deletes successfully and returns {"ok": True}.
    res = await delete_route_handler(request, "test-skill")
    assert res == {"ok": True}
    assert not path.exists()