This is an automated email from the ASF dual-hosted git repository.
github-merge-queue[bot] pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/texera.git
The following commit(s) were added to refs/heads/main by this push:
new 17607c5a99 fix(config-service): expose inviteOnly on /config/pre-login
so INACTIVE users see the registration-request form (#5572)
17607c5a99 is described below
commit 17607c5a99171a636b4fa8336d43b570b0705bc1
Author: ali risheh <[email protected]>
AuthorDate: Wed Jun 10 13:39:19 2026 -0700
fix(config-service): expose inviteOnly on /config/pre-login so INACTIVE
users see the registration-request form (#5572)
### What changes were proposed in this PR?
#5305 moved `GET /config/user-system` from `@PermitAll` to
`@RolesAllowed("REGULAR", "ADMIN")`. A freshly-registered user is
`INACTIVE`
until admin approval, so they cannot reach `@RolesAllowed` endpoints —
the
request returns 403/401, `inviteOnly` is left undefined on the frontend,
the
registration-request form never appears, and no admin notification email
is
sent. In invite-only deployments, new sign-ups are silently dropped.
Per review feedback (@Yicong-Huang), instead of re-opening the whole
`/config/user-system` endpoint with `@PermitAll`, this PR exposes only
the
`inviteOnly` boolean on the already-public `/config/pre-login` and keeps
`/config/user-system` `@RolesAllowed`. The frontend already loads
`/config/pre-login` anonymously during APP_INITIALIZER, so `inviteOnly`
is now
available before activation without widening the authenticated surface.
<!-- BEFORE & AFTER screenshots to be added. -->
### Any related issues, documentation, discussions?
Resolves #5587
### How was this PR tested?
- Updated `ConfigResourceAuthSpec`: `/config/pre-login` exposes exactly
`{localLogin, googleLogin, defaultLocalUser, attributionEnabled,
inviteOnly}`
anonymously; `/config/user-system` returns 401 + `Bearer` challenge
without a
token and 200 with a valid Bearer token. `sbt ConfigService/test` → 9
passed.
- Verified live on an invite-only deployment: a fresh INACTIVE
registration
reads `inviteOnly: true` from `/config/pre-login`, the
registration-request
form appears, and the admin notification email is sent, while
`/config/user-system` still returns 403/401 to anonymous callers.
### Was this PR authored or co-authored using generative AI tooling?
Generated-by: Claude Code (Claude Opus 4.8)
---------
Co-authored-by: Claude Opus 4.8 (1M context) <[email protected]>
---
.../main/scala/org/apache/texera/service/resource/ConfigResource.scala | 3 ++-
.../org/apache/texera/service/resource/ConfigResourceAuthSpec.scala | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git
a/config-service/src/main/scala/org/apache/texera/service/resource/ConfigResource.scala
b/config-service/src/main/scala/org/apache/texera/service/resource/ConfigResource.scala
index 2cb951d01e..805ca3cbb5 100644
---
a/config-service/src/main/scala/org/apache/texera/service/resource/ConfigResource.scala
+++
b/config-service/src/main/scala/org/apache/texera/service/resource/ConfigResource.scala
@@ -43,7 +43,8 @@ class ConfigResource {
"username" -> GuiConfig.guiLoginDefaultLocalUserUsername,
"password" -> GuiConfig.guiLoginDefaultLocalUserPassword
),
- "attributionEnabled" -> GuiConfig.guiAttributionEnabled
+ "attributionEnabled" -> GuiConfig.guiAttributionEnabled,
+ "inviteOnly" -> UserSystemConfig.inviteOnly
)
@GET
diff --git
a/config-service/src/test/scala/org/apache/texera/service/resource/ConfigResourceAuthSpec.scala
b/config-service/src/test/scala/org/apache/texera/service/resource/ConfigResourceAuthSpec.scala
index da91284334..d5418ea0f7 100644
---
a/config-service/src/test/scala/org/apache/texera/service/resource/ConfigResourceAuthSpec.scala
+++
b/config-service/src/test/scala/org/apache/texera/service/resource/ConfigResourceAuthSpec.scala
@@ -100,7 +100,8 @@ class ConfigResourceAuthSpec extends AnyFlatSpec with
Matchers with BeforeAndAft
"localLogin",
"googleLogin",
"defaultLocalUser",
- "attributionEnabled"
+ "attributionEnabled",
+ "inviteOnly"
)
}
