From 563ec624b2dcf497323e6b727cda9625fcf7a365 Mon Sep 17 00:00:00 2001
From: Daniel Waterworth
Date: Fri, 30 Sep 2022 14:12:49 -0500
Subject: [PATCH] FIX: Allow email login for admins in staff-writes-only-mode (#18443)
---
 app/controllers/session_controller.rb | 2 ++
 app/controllers/users_controller.rb | 1 +
 spec/requests/session_controller_spec.rb | 21 +++++++++++++++++++++
 3 files changed, 24 insertions(+)
diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb
index be2535241f6..68d8a367a82 100644
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@@ -11,6 +11,7 @@ class SessionController < ApplicationController
 requires_login only: [:second_factor_auth_show, :second_factor_auth_perform]
 allow_in_staff_writes_only_mode :create
+ allow_in_staff_writes_only_mode :email_login
 ACTIVATE_USER_KEY = "activate_user"
@@ -375,6 +376,7 @@ class SessionController < ApplicationController
 elsif payload = login_error_check(user)
 return render json: payload
 else
+ raise Discourse::ReadOnly if staff_writes_only_mode? && !user&.staff?
 user.update_timezone_if_missing(params[:timezone])
 log_on_user(user)
 return render json: success_json
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 255da241f90..a28716270e5 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -52,6 +52,7 @@ class UsersController < ApplicationController
 after_action :add_noindex_header, only: [:show, :my_redirect]
 allow_in_staff_writes_only_mode :admin_login
+ allow_in_staff_writes_only_mode :email_login
 MAX_RECENT_SEARCHES = 5
diff --git a/spec/requests/session_controller_spec.rb b/spec/requests/session_controller_spec.rb
index adebaface7f..cadac9ece96 100644
--- a/spec/requests/session_controller_spec.rb
+++ b/spec/requests/session_controller_spec.rb
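Review bot: The new guard `raise Discourse::ReadOnly if staff_writes_only_mode? && !user&.staff?` in the `@@ -375` hunk runs only after `login_error_check(user)` has passed, so everything `email_login` does before this point — token lookup and, if it happens there, token confirmation — now also runs for non-staff requests that end in a 503; that earlier part of the action is outside the hunk, so whether a rejected non-staff user's single-use token is consumed cannot be confirmed from here. If the token is confirmed before this line, the staff check should move ahead of the confirmation, or the reason burning the token is acceptable should be documented. The commit title says admins but `staff?` also admits moderators; a comment on the new line such as `# staff-writes-only mode: only staff (admins and moderators) may complete an email login` would pin that intent, and the spec hunk currently exercises only the admin case. The enclosing `email_login` method starts and ends outside the hunk.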
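Review bot: `UsersController#email_login` is added to the staff-writes-only allowlist in the `@@ -52` hunk without a corresponding staff check in that controller; the only new `Discourse::ReadOnly` guard in this commit lives in `SessionController#email_login`. If the users_controller action only validates the token and renders the confirmation page it needs no gate, but if it performs any write (the action body is outside the hunk) the same `raise Discourse::ReadOnly if staff_writes_only_mode? && !user&.staff?` guard belongs there as well. A comment beside the allowlist line, e.g. `# renders the email-login page only; the staff gate is enforced in SessionController#email_login`, would make the intended division of responsibility explicit, assuming that is what the action does.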
@@ -129,6 +129,27 @@ RSpec.describe SessionController do
 SiteSetting.enable_local_logins_via_email = true
 end
+ context "when in staff writes only mode" do
+ use_redis_snapshotting
+
+ before do
+ Discourse.enable_readonly_mode(Discourse::STAFF_WRITES_ONLY_MODE_KEY)
+ end
+
+ it "allows admins to login" do
+ user.update!(admin: true)
+ post "/session/email-login/#{email_token.token}.json"
+ expect(response.status).to eq(200)
+ expect(session[:current_user_id]).to eq(user.id)
+ end
+
+ it "does not allow other users to login" do
+ post "/session/email-login/#{email_token.token}.json"
+ expect(response.status).to eq(503)
+ expect(session[:current_user_id]).to eq(nil)
+ end
+ end
+
 context "when local logins via email disabled" do
 before { SiteSetting.enable_local_logins_via_email = false }
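Review bot: The negative example `it "does not allow other users to login"` pins the 503 and the empty session but says nothing about the token, so a version of the action that confirms the token before reaching the new `Discourse::ReadOnly` guard (that part of `email_login` is outside this hunk) would still pass while leaving a rejected non-staff user with a burned single-use link; an assertion that the email token is still usable after the 503 would catch that. The controller guard is `staff?`, not `admin?`, yet only an admin is exercised here; a sibling example with `user.update!(moderator: true)` expecting 200 would document that moderators are intentionally included. Both examples post the same `email_token`, which is fine as long as the per-example fixture reset, not example ordering, is what keeps the second one valid.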