FIX: user api should always be available to staff

app/controllers/user_api_keys_controller.rb

@@ -24,7 +24,7 @@ class UserApiKeysController < ApplicationController
       return
     end
 
-    if current_user.trust_level < SiteSetting.min_trust_level_for_user_api_key
+    unless meets_tl?
       @no_trust_level = true
       return
     end
@@ -53,7 +53,7 @@ class UserApiKeysController < ApplicationController
         raise Discourse::InvalidAccess
     end
 
-    raise Discourse::InvalidAccess if current_user.trust_level < SiteSetting.min_trust_level_for_user_api_key
+    raise Discourse::InvalidAccess unless meets_tl?
 
     request_read = params[:access].include? 'r'
     request_read ||= params[:access].include? 'p'
@@ -142,4 +142,8 @@ class UserApiKeysController < ApplicationController
     OpenSSL::PKey::RSA.new(params[:public_key])
   end
 
+  def meets_tl?
+    current_user.staff? || current_user.trust_level >= SiteSetting.min_trust_level_for_user_api_key
+  end
+
 end

spec/controllers/user_api_keys_controller_spec.rb

@@ -66,6 +66,19 @@ TXT
       expect(response.code).to eq("403")
     end
 
+    it "will allow tokens for staff without TL" do
+
+      SiteSetting.min_trust_level_for_user_api_key = 2
+      SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect]
+
+      user = Fabricate(:user, trust_level: 1, moderator: true)
+
+      log_in_user(user)
+
+      post :create, args
+      expect(response.code).to eq("302")
+    end
+
     it "will not create token unless TL is met" do
       SiteSetting.min_trust_level_for_user_api_key = 2
       SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect]