fix(config-service): expose inviteOnly on /config/pre-login so INACTIVE users see the registration-request form#5572
…sers can read inviteOnly

A freshly-registered user is INACTIVE until an admin approves them and therefore cannot reach the @RolesAllowed("REGULAR", "ADMIN") config endpoints. The frontend reads the `inviteOnly` flag at exactly that point to decide whether to show the registration-request form (and notify admins). Since apache#5305 moved /config/user-system behind a role check, the flag became unreachable for the very users it targets, so the form never appeared and no admin notification was sent. Restore @permitAll on /config/user-system. It only exposes the boolean inviteOnly flag, which is non-sensitive and already needed pre-activation.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
8d3763f to 8e6a1b4
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Coverage Diff:

| | main | #5572 | +/- |
|---|---|---|---|
| Coverage | 52.42% | 52.42% | |
| Complexity | 2481 | 2482 | +1 |
| Files | 1070 | 1070 | |
| Lines | 41359 | 41363 | +4 |
| Branches | 4441 | 4441 | |
| Hits | 21682 | 21686 | +4 |
| Misses | 18406 | 18406 | |
| Partials | 1271 | 1271 | |

This pull request uses carry forward flags.
…nfig/user-system

The spec pinned /config/user-system as @RolesAllowed (401 without a token). Now that the endpoint is @permitAll, assert it answers anonymous callers with 200 and exposes exactly the inviteOnly flag, while still serving authenticated callers. Mirrors the existing /config/pre-login guard.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The PR description is not following the PR template. Please fix the PR description. Also, please create an issue and resolve that issue in this PR. Since it is related to user experience, please include screenshots of BEFORE & AFTER.
@xuang7 I think this needs to be included in the release v1.2. Can you review it and decide?
test @aicam
Yicong-Huang
left a comment
please move the needed endpoint (e.g., invite-only config) to pre-login, which is exposed to all. don't expose all endpoints just because one of the flags needs to be exposed.
c0cf8b7 to 404733b
A freshly-registered user is INACTIVE and cannot reach the @RolesAllowed config endpoints, yet the frontend reads inviteOnly right after registration to decide whether to show the registration-request form (and notify admins). apache#5305 moved inviteOnly to /config/user-system (@RolesAllowed), making it unreachable for exactly those users. Expose the flag on the already-public @permitAll /config/pre-login instead, without widening any authenticated endpoint. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
404733b to 0f879fb
Thanks, fixed. Could you please check again?
What changes were proposed in this PR?

#5305 moved `GET /config/user-system` from `@PermitAll` to `@RolesAllowed("REGULAR", "ADMIN")`. A freshly-registered user is `INACTIVE` until admin approval, so they cannot reach `@RolesAllowed` endpoints: the request returns 403/401, `inviteOnly` is left undefined on the frontend, the registration-request form never appears, and no admin notification email is sent. In invite-only deployments, new sign-ups are silently dropped.

Per review feedback (@Yicong-Huang), instead of re-opening the whole `/config/user-system` endpoint with `@PermitAll`, this PR exposes only the `inviteOnly` boolean on the already-public `/config/pre-login` and keeps `/config/user-system` `@RolesAllowed`. The frontend already loads `/config/pre-login` anonymously during `APP_INITIALIZER`, so `inviteOnly` is now available before activation without widening the authenticated surface.

Any related issues, documentation, discussions?

Resolves #5587

How was this PR tested?

`ConfigResourceAuthSpec`: `/config/pre-login` exposes exactly `{localLogin, googleLogin, defaultLocalUser, attributionEnabled, inviteOnly}` anonymously; `/config/user-system` returns 401 + `Bearer` challenge without a token and 200 with a valid Bearer token.

`sbt ConfigService/test` → 9 passed.

reads `inviteOnly: true` from `/config/pre-login`, the registration-request form appears, and the admin notification email is sent, while `/config/user-system` still returns 403/401 to anonymous callers.

Was this PR authored or co-authored using generative AI tooling?
Generated-by: Claude Code (Claude Opus 4.8)
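As an added illustration of the shape the reviewer asked for, and not the project's own `ConfigResource` code: a JAX-RS resource in which the anonymous `/config/pre-login` endpoint returns an explicit allow-list of non-sensitive fields (including `inviteOnly`), while `/config/user-system` keeps its role check. It assumes Dropwizard with the `jakarta.ws.rs` and `jakarta.annotation.security` packages; the `UserSystemConfig` case class, its field names, and the `adminEmails` field (included only to show a value that must stay behind the authenticated endpoint) are placeholders, not the project's.

```scala
import jakarta.annotation.security.{PermitAll, RolesAllowed}
import jakarta.ws.rs.{GET, Path, Produces}
import jakarta.ws.rs.core.MediaType

// Placeholder for the service's configuration object; field names are assumed.
case class UserSystemConfig(
    localLogin: Boolean,
    googleLogin: Boolean,
    defaultLocalUser: Option[String],
    attributionEnabled: Boolean,
    inviteOnly: Boolean,
    adminEmails: Seq[String] // constructed example of data that must never leave the authenticated endpoint
)

object ConfigResource {
  // The exact key set the anonymous endpoint may expose. Keeping it as a named
  // constant lets a spec assert on it, so a later field added to UserSystemConfig
  // cannot leak pre-login unless someone deliberately adds it here.
  val PreLoginKeys: Set[String] =
    Set("localLogin", "googleLogin", "defaultLocalUser", "attributionEnabled", "inviteOnly")

  // Pure projection of the config onto the allow-listed keys, testable without HTTP.
  def preLoginView(c: UserSystemConfig): Map[String, Any] = Map(
    "localLogin" -> c.localLogin,
    "googleLogin" -> c.googleLogin,
    "defaultLocalUser" -> c.defaultLocalUser.orNull,
    "attributionEnabled" -> c.attributionEnabled,
    "inviteOnly" -> c.inviteOnly
  )
}

@Path("/config")
@Produces(Array(MediaType.APPLICATION_JSON))
class ConfigResource(config: UserSystemConfig) {

  // Anonymous: returns only the allow-listed subset, never the whole config object.
  @GET
  @Path("/pre-login")
  @PermitAll
  def preLogin(): Map[String, Any] = ConfigResource.preLoginView(config)

  // Authenticated: surface unchanged. An INACTIVE user carries neither role, so the
  // container rejects the request (401 without a token, 403 with one) before this runs.
  @GET
  @Path("/user-system")
  @RolesAllowed(Array("REGULAR", "ADMIN"))
  def userSystem(): UserSystemConfig = config
}
```

A unit test in the style of the spec mentioned above can then check `ConfigResource.preLoginView(cfg).keySet == ConfigResource.PreLoginKeys` and that `"adminEmails"` is absent, independently of the HTTP layer, while the HTTP-level spec keeps asserting 200 for anonymous `/config/pre-login` and 401 with a `Bearer` challenge for anonymous `/config/user-system`.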