From a4c23cd89f0037960998ffd46da7f410ba16f190 Mon Sep 17 00:00:00 2001
From: Milan Cvetkovic <mcvetkovic@microsoft.com>
Date: Thu, 14 Dec 2023 14:45:20 +0000
Subject: [PATCH] Implement allow list for account creation

---
 app/controllers/users_controller.rb |  2 ++
 app/models/acl.rb                   |  9 +++++++++
 test/models/acl_test.rb             | 13 +++++++++++++
 3 files changed, 24 insertions(+)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index f79c284e3e..961be40246 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -355,6 +355,8 @@ def check_signup_allowed(email = nil)
                    domain_mx_servers(domain)
                  end
 
+    return true if Acl.allow_account_creation(request.remote_ip, :domain => domain, :mx => mx_servers)
+
     blocked = Acl.no_account_creation(request.remote_ip, :domain => domain, :mx => mx_servers)
 
     blocked ||= SIGNUP_IP_LIMITER && !SIGNUP_IP_LIMITER.allow?(request.remote_ip)
diff --git a/app/models/acl.rb b/app/models/acl.rb
index a65c3a35ad..26285cef38 100644
--- a/app/models/acl.rb
+++ b/app/models/acl.rb
@@ -41,6 +41,15 @@ def self.no_account_creation(address, options = {})
     match(address, options).exists?(:k => "no_account_creation")
   end
 
+  def self.allow_account_creation(address, options = {})
+    acls = Acl.where("address >>= ?", address)
+              .and(Acl.where(:k => "allow_account_creation"))
+    acls = acls.and(Acl.where(:domain => options[:domain])) if options[:domain]
+    acls = acls.and(Acl.where(:mx => options[:mx])) if options[:mx]
+
+    !acls.empty?
+  end
+
   def self.no_note_comment(address, domain = nil)
     match(address, :domain => domain).exists?(:k => "no_note_comment")
   end
diff --git a/test/models/acl_test.rb b/test/models/acl_test.rb
index 88d1c0e7d0..33601df2b6 100644
--- a/test/models/acl_test.rb
+++ b/test/models/acl_test.rb
@@ -27,4 +27,17 @@ def test_no_account_creation_by_mx
     create(:acl, :mx => "mail.example.com", :k => "no_account_creation")
     assert Acl.no_account_creation("192.168.1.1", :mx => "mail.example.com")
   end
+
+  def test_allowed_account_creation
+    assert_not Acl.allow_account_creation("192.168.1.1", :domain => "example.com", :mx => "mail.example.com")
+    create(:acl, :address => "192.168.1.1", :domain => "example.com", :mx => "mail.example.com", :k => "allow_account_creation")
+
+    assert_not Acl.allow_account_creation("192.168.1.2")
+    assert Acl.allow_account_creation("192.168.1.1")
+
+    assert_not Acl.allow_account_creation("192.168.1.2", :domain => "example.com", :mx => "mail.example.com")
+    assert_not Acl.allow_account_creation("192.168.1.1", :domain => "example1.com", :mx => "mail.example.com")
+    assert_not Acl.allow_account_creation("192.168.1.1", :domain => "example.com", :mx => "mail1.example.com")
+    assert Acl.allow_account_creation("192.168.1.1", :domain => "example.com", :mx => "mail.example.com")
+  end
 end