leave some notes about a minor race condition

lib/env.js

@@ -89,6 +89,10 @@ module.exports.create = function (config) {
             }
         },
 
+/*  FIXME restrictRegistration is initialized as false and then overridden by admin decree
+    There is a narrow window in which someone could register before the server updates this value.
+    See also the cached 'restrictRegistration' value in server.js#serveConfig
+*/
         restrictRegistration: false,
         allowSubscriptions: config.allowSubscriptions === true,
         blockDailyCheck: config.blockDailyCheck === true,

server.js

@@ -105,7 +105,6 @@ var setHeaders = (function () {
     }
     if (Object.keys(headers).length) {
         return function (req, res) {
-
             // apply a bunch of cross-origin headers for XLSX export in FF and printing elsewhere
             applyHeaderMap(res, {
                 "Cross-Origin-Opener-Policy": /^\/sheet\//.test(req.url)? 'same-origin': '',
@@ -280,7 +279,7 @@ var serveConfig = makeRouteCache(function (host) {
             defaultStorageLimit: Env.defaultStorageLimit,
             maxUploadSize: Env.maxUploadSize,
             premiumUploadSize: Env.premiumUploadSize,
-            restrictRegistration: Env.restrictRegistration,
+            restrictRegistration: Env.restrictRegistration, // FIXME see the race condition in env.js
         }, null, '\t'),
         'obj.httpSafeOrigin = ' + (function () {
             if (config.httpSafeOrigin) { return '"' + config.httpSafeOrigin + '"'; }