This is an automated email from the ASF dual-hosted git repository. github-merge-queue[bot] pushed a commit to branch gh-readonly-queue/main/pr-5572-c82d4d1c644b8c6dd822d3d7e4ef39d653f61a81 in repository https://gitbox.apache.org/repos/asf/texera.git
commit 17607c5a99171a636b4fa8336d43b570b0705bc1 Author: ali risheh <[email protected]> AuthorDate: Wed Jun 10 13:39:19 2026 -0700 fix(config-service): expose inviteOnly on /config/pre-login so INACTIVE users see the registration-request form (#5572) ### What changes were proposed in this PR? #5305 moved `GET /config/user-system` from `@PermitAll` to `@RolesAllowed("REGULAR", "ADMIN")`. A freshly-registered user is `INACTIVE` until admin approval, so they cannot reach `@RolesAllowed` endpoints — the request returns 403/401, `inviteOnly` is left undefined on the frontend, the registration-request form never appears, and no admin notification email is sent. In invite-only deployments, new sign-ups are silently dropped. Per review feedback (@Yicong-Huang), instead of re-opening the whole `/config/user-system` endpoint with `@PermitAll`, this PR exposes only the `inviteOnly` boolean on the already-public `/config/pre-login` and keeps `/config/user-system` `@RolesAllowed`. The frontend already loads `/config/pre-login` anonymously during APP_INITIALIZER, so `inviteOnly` is now available before activation without widening the authenticated surface. <!-- BEFORE & AFTER screenshots to be added. --> ### Any related issues, documentation, discussions? Resolves #5587 ### How was this PR tested? - Updated `ConfigResourceAuthSpec`: `/config/pre-login` exposes exactly `{localLogin, googleLogin, defaultLocalUser, attributionEnabled, inviteOnly}` anonymously; `/config/user-system` returns 401 + `Bearer` challenge without a token and 200 with a valid Bearer token. `sbt ConfigService/test` → 9 passed. - Verified live on an invite-only deployment: a fresh INACTIVE registration reads `inviteOnly: true` from `/config/pre-login`, the registration-request form appears, and the admin notification email is sent, while `/config/user-system` still returns 403/401 to anonymous callers. ### Was this PR authored or co-authored using generative AI tooling? Generated-by: Claude Code (Claude Opus 4.8) --------- Co-authored-by: Claude Opus 4.8 (1M context) <[email protected]> --- .../main/scala/org/apache/texera/service/resource/ConfigResource.scala | 3 ++- .../org/apache/texera/service/resource/ConfigResourceAuthSpec.scala | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/config-service/src/main/scala/org/apache/texera/service/resource/ConfigResource.scala b/config-service/src/main/scala/org/apache/texera/service/resource/ConfigResource.scala index 2cb951d01e..805ca3cbb5 100644 --- a/config-service/src/main/scala/org/apache/texera/service/resource/ConfigResource.scala +++ b/config-service/src/main/scala/org/apache/texera/service/resource/ConfigResource.scala @@ -43,7 +43,8 @@ class ConfigResource { "username" -> GuiConfig.guiLoginDefaultLocalUserUsername, "password" -> GuiConfig.guiLoginDefaultLocalUserPassword ), - "attributionEnabled" -> GuiConfig.guiAttributionEnabled + "attributionEnabled" -> GuiConfig.guiAttributionEnabled, + "inviteOnly" -> UserSystemConfig.inviteOnly ) @GET diff --git a/config-service/src/test/scala/org/apache/texera/service/resource/ConfigResourceAuthSpec.scala b/config-service/src/test/scala/org/apache/texera/service/resource/ConfigResourceAuthSpec.scala index da91284334..d5418ea0f7 100644 --- a/config-service/src/test/scala/org/apache/texera/service/resource/ConfigResourceAuthSpec.scala +++ b/config-service/src/test/scala/org/apache/texera/service/resource/ConfigResourceAuthSpec.scala @@ -100,7 +100,8 @@ class ConfigResourceAuthSpec extends AnyFlatSpec with Matchers with BeforeAndAft "localLogin", "googleLogin", "defaultLocalUser", - "attributionEnabled" + "attributionEnabled", + "inviteOnly" ) }
