Restrict podcast task status access by owner

backend/api/podcast/handlers/dubbing.py

@@ -203,7 +203,10 @@ async def create_audio_dubbing_task(
     """
     user_id = require_authenticated_user(current_user)
     
-    task_id = task_manager.create_task("audio_dubbing")
+    task_id = task_manager.create_task(
+        "audio_dubbing",
+        metadata={"owner_user_id": user_id},
+    )
     
     background_tasks.add_task(
         _execute_dubbing_task,
@@ -240,7 +243,7 @@ async def get_dubbing_result(
     """
     user_id = require_authenticated_user(current_user)
     
-    task_status = task_manager.get_task_status(task_id)
+    task_status = task_manager.get_task_status(task_id, requester_user_id=user_id)
     
     if not task_status:
         raise HTTPException(status_code=404, detail="Task not found")
@@ -403,7 +406,10 @@ async def create_voice_clone_task(
     """
     user_id = require_authenticated_user(current_user)
     
-    task_id = task_manager.create_task("voice_clone")
+    task_id = task_manager.create_task(
+        "voice_clone",
+        metadata={"owner_user_id": user_id},
+    )
     
     background_tasks.add_task(
         _execute_voice_clone_task,
@@ -434,7 +440,7 @@ async def get_voice_clone_result(
     """
     user_id = require_authenticated_user(current_user)
     
-    task_status = task_manager.get_task_status(task_id)
+    task_status = task_manager.get_task_status(task_id, requester_user_id=user_id)
     
     if not task_status:
         raise HTTPException(status_code=404, detail="Task not found")

backend/api/podcast/handlers/video.py

@@ -222,7 +222,7 @@ def _execute_podcast_video_task(
         )
 
         # Verify the task status was updated correctly
-        updated_status = task_manager.get_task_status(task_id)
+        updated_status = task_manager.get_task_status(task_id, requester_user_id=user_id)
         logger.info(
             f"[Podcast] Task status after update: task_id={task_id}, status={updated_status.get('status') if updated_status else 'None'}, has_result={bool(updated_status.get('result') if updated_status else False)}, video_url={updated_status.get('result', {}).get('video_url') if updated_status else 'N/A'}"
         )
@@ -358,7 +358,10 @@ async def generate_podcast_video(
         logger.warning(f"[Podcast] Failed to extract auth token from headers: {e}")
 
     # Create async task
-    task_id = task_manager.create_task("podcast_video_generation")
+    task_id = task_manager.create_task(
+        "podcast_video_generation",
+        metadata={"owner_user_id": user_id},
+    )
     background_tasks.add_task(
         _execute_podcast_video_task,
         task_id=task_id,
@@ -488,7 +491,10 @@ async def combine_podcast_videos(
         raise HTTPException(status_code=400, detail="No scene videos provided")
     
     # Create async task
-    task_id = task_manager.create_task("podcast_combine_videos")
+    task_id = task_manager.create_task(
+        "podcast_combine_videos",
+        metadata={"owner_user_id": user_id},
+    )
     
     # Extract token for authenticated URL building
     auth_token = None

backend/api/podcast/router.py

@@ -4,7 +4,7 @@ Podcast Maker API Router
 Main router that imports and registers all handler modules.
 """
 
-from fastapi import APIRouter, Depends
+from fastapi import APIRouter, Depends, HTTPException
 from typing import Dict, Any
 
 from middleware.auth_middleware import get_current_user
@@ -32,5 +32,8 @@ router.include_router(dubbing.router)
 @router.get("/task/{task_id}/status")
 async def podcast_task_status(task_id: str, current_user: Dict[str, Any] = Depends(get_current_user)):
     """Expose task status under podcast namespace (reuses shared task manager)."""
-    require_authenticated_user(current_user)
-    return task_manager.get_task_status(task_id)
+    user_id = require_authenticated_user(current_user)
+    task_status = task_manager.get_task_status(task_id, requester_user_id=user_id)
+    if not task_status:
+        raise HTTPException(status_code=404, detail="Task not found")
+    return task_status