fix(studio): enforce role-aware catalog scope

aisbf/routes/dashboard/providers.py

@@ -264,7 +264,7 @@ async def dashboard_studio_catalog(request: Request):
         return JSONResponse({"entries": [], "error": "unauthorized"}, status_code=401)
 
     current_user_id = request.session.get("user_id")
-    scope = "admin" if current_user_id is None else "user"
+    scope = "admin" if request.session.get("role") == "admin" else "user"
     db = None if scope == "admin" else DatabaseRegistry.get_config_database()
 
     catalog = build_studio_catalog(

tests/routes/test_dashboard_studio.py

@@ -142,6 +142,36 @@ def test_dashboard_studio_catalog_returns_user_resources_for_user(monkeypatch):
     }
 
 
+def test_dashboard_studio_catalog_does_not_treat_user_role_without_user_id_as_admin(monkeypatch):
+    client = TestClient(app)
+    _set_session_cookie(
+        client,
+        {
+            "logged_in": True,
+            "username": "demo",
+            "role": "user",
+            "user_id": None,
+            "expires_at": 4102444800,
+        },
+    )
+
+    monkeypatch.setattr(
+        dashboard_providers,
+        "build_studio_catalog",
+        lambda **kwargs: {
+            "scope": kwargs["scope"],
+            "owner_id": kwargs["owner_id"],
+            "entries": [],
+        },
+    )
+
+    response = client.get("/dashboard/studio/catalog")
+
+    assert response.status_code == 200
+    assert response.json()["scope"] == "user"
+    assert response.json()["owner_id"] is None
+
+
 def test_build_studio_catalog_uses_global_config_for_admin_scope():
     class ModelStub:
         def __init__(self, name, description=None, capabilities=None, context_length=None, architecture=None):