FIX: Allow email login for admins in staff-writes-only-mode (#18443)

app/controllers/session_controller.rb

@@ -11,6 +11,7 @@ class SessionController < ApplicationController
   requires_login only: [:second_factor_auth_show, :second_factor_auth_perform]
 
   allow_in_staff_writes_only_mode :create
+  allow_in_staff_writes_only_mode :email_login
 
   ACTIVATE_USER_KEY = "activate_user"
 
@@ -375,6 +376,7 @@ class SessionController < ApplicationController
       elsif payload = login_error_check(user)
         return render json: payload
       else
+        raise Discourse::ReadOnly if staff_writes_only_mode? && !user&.staff?
         user.update_timezone_if_missing(params[:timezone])
         log_on_user(user)
         return render json: success_json

app/controllers/users_controller.rb

@@ -52,6 +52,7 @@ class UsersController < ApplicationController
   after_action :add_noindex_header, only: [:show, :my_redirect]
 
   allow_in_staff_writes_only_mode :admin_login
+  allow_in_staff_writes_only_mode :email_login
 
   MAX_RECENT_SEARCHES = 5
 

spec/requests/session_controller_spec.rb

@@ -129,6 +129,27 @@ RSpec.describe SessionController do
       SiteSetting.enable_local_logins_via_email = true
     end
 
+    context "when in staff writes only mode" do
+      use_redis_snapshotting
+
+      before do
+        Discourse.enable_readonly_mode(Discourse::STAFF_WRITES_ONLY_MODE_KEY)
+      end
+
+      it "allows admins to login" do
+        user.update!(admin: true)
+        post "/session/email-login/#{email_token.token}.json"
+        expect(response.status).to eq(200)
+        expect(session[:current_user_id]).to eq(user.id)
+      end
+
+      it "does not allow other users to login" do
+        post "/session/email-login/#{email_token.token}.json"
+        expect(response.status).to eq(503)
+        expect(session[:current_user_id]).to eq(nil)
+      end
+    end
+
     context "when local logins via email disabled" do
       before { SiteSetting.enable_local_logins_via_email = false }