fix(auth): allow signup with restricted user record

Author: IniZio

pkg/server/handler/authutil.go

@@ -214,6 +214,7 @@ func (ctx *authUserRecordContext) execute(info *skydb.AuthInfo, authData skydb.A
 			RecordsToSave: []*skydb.Record{
 				&userRecord,
 			},
+			BypassCreationAccess: true,
 		}
 
 		recordResp := recordutil.RecordModifyResponse{

pkg/server/recordutil/recordutil.go

@@ -84,6 +84,9 @@ type RecordModifyRequest struct {
 
 	// Delete Only
 	RecordIDsToDelete []skydb.RecordID
+
+	// Bypass ACL even if it is restricted in _record_creation
+	BypassCreationAccess bool
 }
 
 type RecordModifyResponse struct {
@@ -168,7 +171,7 @@ func (f RecordFetcher) FetchRecord(recordID skydb.RecordID, authInfo *skydb.Auth
 	return
 }
 
-func (f RecordFetcher) FetchOrCreateRecord(recordID skydb.RecordID, authInfo *skydb.AuthInfo) (record skydb.Record, created bool, err skyerr.Error) {
+func (f RecordFetcher) FetchOrCreateRecord(recordID skydb.RecordID, authInfo *skydb.AuthInfo, bypassAccess bool) (record skydb.Record, created bool, err skyerr.Error) {
 	fetchedRecord, err := f.FetchRecord(recordID, authInfo, skydb.WriteLevel)
 	if err == nil {
 		record = *fetchedRecord
@@ -177,6 +180,10 @@ func (f RecordFetcher) FetchOrCreateRecord(recordID skydb.RecordID, authInfo *sk
 
 	if err.Code() == skyerr.ResourceNotFound {
 		allowCreation := func() bool {
+			if bypassAccess {
+				return true
+			}
+
 			if f.withMasterKey {
 				return true
 			}
@@ -231,7 +238,7 @@ func RecordSaveHandler(req *RecordModifyRequest, resp *RecordModifyResponse) sky
 	// fetch records
 	originalRecordMap := map[skydb.RecordID]*skydb.Record{}
 	records = executeRecordFunc(records, resp.ErrMap, func(record *skydb.Record) (err skyerr.Error) {
-		dbRecord, created, err := fetcher.FetchOrCreateRecord(record.ID, req.AuthInfo)
+		dbRecord, created, err := fetcher.FetchOrCreateRecord(record.ID, req.AuthInfo, req.BypassCreationAccess)
 		if err != nil {
 			return err
 		}

pkg/server/skydb/pq/recorddb_test.go

@@ -26,6 +26,10 @@ import (
 	"github.com/skygeario/skygear-server/pkg/server/skydb"
 	"github.com/skygeario/skygear-server/pkg/server/skydb/pq/builder"
 	. "github.com/skygeario/skygear-server/pkg/server/skytest"
+	"github.com/skygeario/skygear-server/pkg/server/authtoken/authtokentest"
+	. "github.com/skygeario/skygear-server/pkg/server/handler"
+	"github.com/skygeario/skygear-server/pkg/server/audit"
+	"github.com/skygeario/skygear-server/pkg/server/router"
 )
 
 func TestGet(t *testing.T) {
@@ -278,6 +282,35 @@ func TestSave(t *testing.T) {
 			So(count, ShouldEqual, 0)
 		})
 
+		Convey("allow sign up new account even when user type access is restricted", func() {
+			tokenStore := authtokentest.SingleTokenStore{}
+			handler := &SignupHandler{
+				TokenStore:      &tokenStore,
+				AuthRecordKeys:  [][]string{[]string{"username"}, []string{"email"}},
+				PasswordChecker: &audit.PasswordChecker{},
+			}
+
+			insertRow(t, c.Db(), `INSERT INTO "_record_creation" ` +
+				`(record_type, role_id) ` +
+				`VALUES ('user', 'Admin')`)
+
+			req := router.Payload{
+				Data: map[string]interface{}{
+					"auth_data": map[string]interface{}{
+						"username": "bilibala",
+						"email":    "bilibala@example.com",
+					},
+					"password": "secret",
+				},
+				DBConn:   c,
+				Database: db,
+			}
+			resp := router.Response{}
+			handler.Handle(&req, &resp)
+
+			So(resp.Result, ShouldHaveSameTypeAs, AuthResponse{})
+		})
+
 		Convey("REGRESSION: update record with attribute having capital letters", func() {
 			_, err := db.Extend("note", skydb.RecordSchema{
 				"noteOrder": skydb.FieldType{Type: skydb.TypeNumber},