From eb32651c67e118085d9a9eb0fff896a506d21907 Mon Sep 17 00:00:00 2001
From: ansuz
Date: Wed, 5 May 2021 12:07:45 +0530
Subject: [PATCH] leave some notes about a minor race condition
---
 lib/env.js | 4 ++++
 server.js | 3 +--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/env.js b/lib/env.js
index b3ed7cf35..389f059f6 100644
--- a/lib/env.js
+++ b/lib/env.js
@@ -89,6 +89,10 @@ module.exports.create = function (config) {
 }
 },
+/* FIXME restrictRegistration is initialized as false and then overridden by admin decree
+ There is a narrow window in which someone could register before the server updates this value.
+ See also the cached 'restrictRegistration' value in server.js#serveConfig
+*/
 restrictRegistration: false,
 allowSubscriptions: config.allowSubscriptions === true,
 blockDailyCheck: config.blockDailyCheck === true,
diff --git a/server.js b/server.js
index 978070b01..3a71f83b8 100644
--- a/server.js
+++ b/server.js
@@ -105,7 +105,6 @@ var setHeaders = (function () {
 }
 if (Object.keys(headers).length) {
 return function (req, res) {
-
 // apply a bunch of cross-origin headers for XLSX export in FF and printing elsewhere
 applyHeaderMap(res, {
 "Cross-Origin-Opener-Policy": /^\/sheet\//.test(req.url)? 'same-origin': '',
@@ -280,7 +279,7 @@ var serveConfig = makeRouteCache(function (host) {
 defaultStorageLimit: Env.defaultStorageLimit,
 maxUploadSize: Env.maxUploadSize,
 premiumUploadSize: Env.premiumUploadSize,
- restrictRegistration: Env.restrictRegistration,
+ restrictRegistration: Env.restrictRegistration, // FIXME see the race condition in env.js
 }, null, '\t'),
 'obj.httpSafeOrigin = ' + (function () {
 if (config.httpSafeOrigin) { return '"' + config.httpSafeOrigin + '"'; }
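Review bot: The `restrictRegistration: false` default that the new FIXME describes is fail-open: until the admin decree is applied the environment reports registration as unrestricted, and the comment records the window without saying how it should be closed. I would have the comment name the intended remedy, for example `FIXME(security): fail-open default; apply admin decrees before the server accepts requests, or start restricted until they are loaded`. Where the decree is applied is not visible in this hunk, so which of the two fits is for the author to confirm. The body of `module.exports.create` starts and ends outside the hunk.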
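Review bot: The trailing FIXME on `restrictRegistration: Env.restrictRegistration,` points at env.js but does not say what is specific to this site: the value is captured inside `makeRouteCache`, so a response built during the startup window may presumably keep advertising `false` after the decree is applied unless that cache is flushed. I would spell that out, e.g. `// FIXME cached copy: may stay stale after the admin decree is applied unless the route cache is flushed (see env.js)`. It would also help to state whether this field is only a hint for the client, with the restriction itself enforced server-side at registration time; that enforcement is not visible here. The `serveConfig` callback continues outside the hunk.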