Restrict podcast task status access by owner

backend/api/podcast/handlers/dubbing.py

@@ -203,7 +203,10 @@ async def create_audio_dubbing_task(
     """
     user_id = require_authenticated_user(current_user)
     
-    task_id = task_manager.create_task("audio_dubbing")
+    task_id = task_manager.create_task(
+        "audio_dubbing",
+        metadata={"owner_user_id": user_id},
+    )
     
     background_tasks.add_task(
         _execute_dubbing_task,
@@ -240,7 +243,7 @@ async def get_dubbing_result(
     """
     user_id = require_authenticated_user(current_user)
     
-    task_status = task_manager.get_task_status(task_id)
+    task_status = task_manager.get_task_status(task_id, requester_user_id=user_id)
     
     if not task_status:
         raise HTTPException(status_code=404, detail="Task not found")
@@ -403,7 +406,10 @@ async def create_voice_clone_task(
     """
     user_id = require_authenticated_user(current_user)
     
-    task_id = task_manager.create_task("voice_clone")
+    task_id = task_manager.create_task(
+        "voice_clone",
+        metadata={"owner_user_id": user_id},
+    )
     
     background_tasks.add_task(
         _execute_voice_clone_task,
@@ -434,7 +440,7 @@ async def get_voice_clone_result(
     """
     user_id = require_authenticated_user(current_user)
     
-    task_status = task_manager.get_task_status(task_id)
+    task_status = task_manager.get_task_status(task_id, requester_user_id=user_id)
     
     if not task_status:
         raise HTTPException(status_code=404, detail="Task not found")

backend/api/podcast/handlers/video.py

@@ -222,7 +222,7 @@ def _execute_podcast_video_task(
         )
 
         # Verify the task status was updated correctly
-        updated_status = task_manager.get_task_status(task_id)
+        updated_status = task_manager.get_task_status(task_id, requester_user_id=user_id)
         logger.info(
             f"[Podcast] Task status after update: task_id={task_id}, status={updated_status.get('status') if updated_status else 'None'}, has_result={bool(updated_status.get('result') if updated_status else False)}, video_url={updated_status.get('result', {}).get('video_url') if updated_status else 'N/A'}"
         )
@@ -358,7 +358,10 @@ async def generate_podcast_video(
         logger.warning(f"[Podcast] Failed to extract auth token from headers: {e}")
 
     # Create async task
-    task_id = task_manager.create_task("podcast_video_generation")
+    task_id = task_manager.create_task(
+        "podcast_video_generation",
+        metadata={"owner_user_id": user_id},
+    )
     background_tasks.add_task(
         _execute_podcast_video_task,
         task_id=task_id,
@@ -488,7 +491,10 @@ async def combine_podcast_videos(
         raise HTTPException(status_code=400, detail="No scene videos provided")
     
     # Create async task
-    task_id = task_manager.create_task("podcast_combine_videos")
+    task_id = task_manager.create_task(
+        "podcast_combine_videos",
+        metadata={"owner_user_id": user_id},
+    )
     
     # Extract token for authenticated URL building
     auth_token = None

backend/api/podcast/router.py

@@ -4,7 +4,7 @@ Podcast Maker API Router
 Main router that imports and registers all handler modules.
 """
 
-from fastapi import APIRouter, Depends
+from fastapi import APIRouter, Depends, HTTPException
 from typing import Dict, Any
 
 from middleware.auth_middleware import get_current_user
@@ -32,5 +32,8 @@ router.include_router(dubbing.router)
 @router.get("/task/{task_id}/status")
 async def podcast_task_status(task_id: str, current_user: Dict[str, Any] = Depends(get_current_user)):
     """Expose task status under podcast namespace (reuses shared task manager)."""
-    require_authenticated_user(current_user)
-    return task_manager.get_task_status(task_id)
+    user_id = require_authenticated_user(current_user)
+    task_status = task_manager.get_task_status(task_id, requester_user_id=user_id)
+    if not task_status:
+        raise HTTPException(status_code=404, detail="Task not found")
+    return task_status

backend/api/story_writer/task_manager.py

@@ -34,9 +34,14 @@ class TaskManager:
             del self.task_storage[task_id]
             logger.debug(f"[StoryWriter] Cleaned up old task: {task_id}")
     
-    def create_task(self, task_type: str = "story_generation") -> str:
+    def create_task(
+        self,
+        task_type: str = "story_generation",
+        metadata: Optional[Dict[str, Any]] = None,
+    ) -> str:
         """Create a new task and return its ID."""
         task_id = str(uuid.uuid4())
+        task_metadata = metadata or {}
         
         self.task_storage[task_id] = {
             "status": "pending",
@@ -45,13 +50,14 @@ class TaskManager:
             "error": None,
             "progress_messages": [],
             "task_type": task_type,
-            "progress": 0.0
+            "progress": 0.0,
+            "metadata": task_metadata,
         }
         
         logger.info(f"[StoryWriter] Created task: {task_id} (type: {task_type})")
         return task_id
     
-    def get_task_status(self, task_id: str) -> Optional[Dict[str, Any]]:
+    def get_task_status(self, task_id: str, requester_user_id: Optional[str] = None) -> Optional[Dict[str, Any]]:
         """Get the status of a task."""
         self.cleanup_old_tasks()
         
@@ -62,6 +68,15 @@ class TaskManager:
             return None
         
         task = self.task_storage[task_id]
+        metadata = task.get("metadata", {}) or {}
+        owner_user_id = metadata.get("owner_user_id")
+
+        if requester_user_id is not None and owner_user_id is not None and requester_user_id != owner_user_id:
+            logger.warning(
+                f"[StoryWriter] Task access denied for task {task_id}: requester does not match owner"
+            )
+            return None
+
         response = {
             "task_id": task_id,
             "status": task["status"],

frontend/src/components/Pricing/PricingPage.tsx

@@ -52,27 +52,6 @@ export interface SubscriptionPlan {
 }
 
 const PricingPage: React.FC = () => {
-  const pricingMode = (process.env.REACT_APP_PRICING_MODE || 'alpha').toLowerCase();
-  const isAlphaMode = pricingMode === 'alpha';
-  const tierPolicyByMode: Record<string, { visible: string[]; selectable: string[]; unavailableLabels: Record<string, string> }> = {
-    alpha: {
-      visible: ['free', 'basic', 'pro', 'enterprise'],
-      selectable: ['free', 'basic'],
-      unavailableLabels: { pro: 'Coming Soon', enterprise: 'Contact Sales' },
-    },
-    demo: {
-      visible: ['free', 'basic', 'pro', 'enterprise'],
-      selectable: ['free', 'basic', 'pro'],
-      unavailableLabels: { enterprise: 'Contact Sales' },
-    },
-    production: {
-      visible: ['free', 'basic', 'pro', 'enterprise'],
-      selectable: ['free', 'basic', 'pro'],
-      unavailableLabels: { enterprise: 'Contact Sales' },
-    },
-  };
-  const activeTierPolicy = tierPolicyByMode[pricingMode] || tierPolicyByMode.alpha;
-
   const navigate = useNavigate();
   const [plans, setPlans] = useState<SubscriptionPlan[]>([]);
   const [loading, setLoading] = useState(true);
@@ -97,11 +76,9 @@ const PricingPage: React.FC = () => {
     try {
       setLoading(true);
       const response = await apiClient.get('/api/subscription/plans');
-      // Filter out legacy alpha-named plans and enforce tier visibility policy.
+      // Filter out any alpha plans and ensure we only show the 4 main tiers
       const filteredPlans = response.data.data.plans.filter(
-        (plan: SubscriptionPlan) =>
-          !plan.name.toLowerCase().includes('alpha') &&
-          activeTierPolicy.visible.includes(plan.tier)
+        (plan: SubscriptionPlan) => !plan.name.toLowerCase().includes('alpha')
       );
       setPlans(filteredPlans);
     } catch (err) {
@@ -134,13 +111,10 @@ const PricingPage: React.FC = () => {
       return;
     }
 
-    if (!activeTierPolicy.selectable.includes(plan.tier)) {
+    // For alpha testing, only allow Free and Basic plans (Pro features not ready)
+    if (plan.tier !== 'free' && plan.tier !== 'basic') {
       console.error('[PricingPage] Plan tier not available:', plan.tier);
-      setError(
-        isAlphaMode
-          ? 'This plan is not available during alpha testing'
-          : 'This plan is currently not available for self-serve checkout'
-      );
+      setError('This plan is not available for alpha testing');
       return;
     }
 
@@ -377,8 +351,6 @@ const PricingPage: React.FC = () => {
               yearlyBilling={yearlyBilling}
               selectedPlanId={selectedPlan}
               subscribing={subscribing}
-              canSelectPlan={activeTierPolicy.selectable.includes(plan.tier)}
-              unavailableLabel={activeTierPolicy.unavailableLabels[plan.tier]}
               onSelectPlan={setSelectedPlan}
               onSubscribe={handleSubscribe}
               openKnowMoreModal={openKnowMoreModal}
@@ -420,48 +392,42 @@ const PricingPage: React.FC = () => {
           }}>
             <Typography variant="h6" component="h2" gutterBottom sx={{ display: 'flex', alignItems: 'center', gap: 1 }}>
               <Warning sx={{ color: 'warning.main' }} />
-              {isAlphaMode ? 'Alpha Testing Subscription' : 'Confirm Subscription'}
+              Alpha Testing Subscription
             </Typography>
-
-            {isAlphaMode ? (
-              <>
-                <Alert severity="warning" sx={{ mb: 2 }}>
-                  <Typography variant="body2" sx={{ fontWeight: 600, mb: 0.5 }}>
-                    ⚠️ Alpha Testing Mode - No Payment Required
-                  </Typography>
-                  <Typography variant="caption" sx={{ display: 'block' }}>
-                    Payment integration is coming soon. For now, subscriptions are activated without charge.
-                  </Typography>
-                </Alert>
-
-                <Typography variant="body1" sx={{ mb: 2 }}>
-                  Thank you for participating in our alpha testing! We&apos;re crediting this plan to your account.
-                </Typography>
-
-                <Box sx={{
-                  p: 2,
-                  mb: 3,
-                  bgcolor: 'info.lighter',
-                  borderRadius: 1,
-                  border: '1px solid',
-                  borderColor: 'info.light'
-                }}>
-                  <Typography variant="body2" color="info.dark">
-                    <strong>Coming in Production:</strong>
-                  </Typography>
-                  <Typography variant="caption" color="info.dark" sx={{ display: 'block', mt: 0.5 }}>
-                    • Secure Stripe/PayPal payment processing<br />
-                    • Automatic renewal management<br />
-                    • Payment verification & receipts<br />
-                    • Upgrade/downgrade options
-                  </Typography>
-                </Box>
-              </>
-            ) : (
-              <Typography variant="body1" sx={{ mb: 3 }}>
-                Please confirm to continue with your selected subscription plan.
+            
+            {/* Alpha Testing Notice */}
+            <Alert severity="warning" sx={{ mb: 2 }}>
+              <Typography variant="body2" sx={{ fontWeight: 600, mb: 0.5 }}>
+                ⚠️ Alpha Testing Mode - No Payment Required
               </Typography>
-            )}
+              <Typography variant="caption" sx={{ display: 'block' }}>
+                Payment integration is coming soon. For now, subscriptions are activated without charge.
+              </Typography>
+            </Alert>
+            
+            <Typography variant="body1" sx={{ mb: 2 }}>
+              Thank you for participating in our alpha testing! We're crediting the Basic plan ($29 value) to your account.
+            </Typography>
+            
+            {/* TODO: Payment Integration Notice */}
+            <Box sx={{ 
+              p: 2, 
+              mb: 3, 
+              bgcolor: 'info.lighter', 
+              borderRadius: 1, 
+              border: '1px solid',
+              borderColor: 'info.light'
+            }}>
+              <Typography variant="body2" color="info.dark">
+                <strong>Coming in Production:</strong>
+              </Typography>
+              <Typography variant="caption" color="info.dark" sx={{ display: 'block', mt: 0.5 }}>
+                • Secure Stripe/PayPal payment processing<br />
+                • Automatic renewal management<br />
+                • Payment verification & receipts<br />
+                • Upgrade/downgrade options
+              </Typography>
+            </Box>
             
             {/* Note: Current behavior allows renewal without payment verification */}
             {/* This is intentional for alpha testing but will be secured in production */}

frontend/src/components/Pricing/PricingPage/PlanCard.tsx

@@ -69,8 +69,6 @@ interface PlanCardProps {
   yearlyBilling: boolean;
   selectedPlanId: number | null;
   subscribing: boolean;
-  canSelectPlan: boolean;
-  unavailableLabel?: string;
   onSelectPlan: (planId: number) => void;
   onSubscribe: (planId: number) => void;
   openKnowMoreModal: (title: string, content: React.ReactNode) => void;
@@ -81,8 +79,6 @@ const PlanCard: React.FC<PlanCardProps> = ({
   yearlyBilling,
   selectedPlanId,
   subscribing,
-  canSelectPlan,
-  unavailableLabel,
   onSelectPlan,
   onSubscribe,
   openKnowMoreModal,
@@ -913,9 +909,13 @@ const PlanCard: React.FC<PlanCardProps> = ({
       </CardContent>
 
       <CardActions sx={{ justifyContent: 'center', pb: 3, flexDirection: 'column', gap: 1 }}>
-        {!canSelectPlan ? (
+        {plan.tier === 'pro' ? (
           <Button variant="outlined" size="large" fullWidth disabled sx={{ mb: 1 }}>
-            {unavailableLabel || 'Unavailable'}
+            Coming Soon
+          </Button>
+        ) : plan.tier === 'enterprise' ? (
+          <Button variant="outlined" size="large" fullWidth disabled sx={{ mb: 1 }}>
+            Contact Sales
           </Button>
         ) : (
           <>
@@ -951,3 +951,4 @@ const PlanCard: React.FC<PlanCardProps> = ({
 };
 
 export default PlanCard;
+