FIX: Do not check for suspicious login when impersonating. (#6534)

* FIX: Do not check for suspicious login when impersonating.

* DEV: Add 'impersonate' parameter to log_on_user.

app/controllers/admin/impersonate_controller.rb

@@ -12,7 +12,7 @@ class Admin::ImpersonateController < Admin::AdminController
     StaffActionLogger.new(current_user).log_impersonate(user)
 
     # Log on as the user
-    log_on_user(user)
+    log_on_user(user, impersonate: true)
 
     render body: nil
   end

app/models/user_auth_token.rb

@@ -61,7 +61,7 @@ class UserAuthToken < ActiveRecord::Base
     ips.none? { |ip| user_location == login_location(ip) }
   end
 
-  def self.generate!(user_id: , user_agent: nil, client_ip: nil, path: nil, staff: nil)
+  def self.generate!(user_id: , user_agent: nil, client_ip: nil, path: nil, staff: nil, impersonate: false)
     token = SecureRandom.hex(16)
     hashed_token = hash_token(token)
     user_auth_token = UserAuthToken.create!(
@@ -82,7 +82,7 @@ class UserAuthToken < ActiveRecord::Base
         path: path,
         auth_token: hashed_token)
 
-    if staff
+    if staff && !impersonate
       Jobs.enqueue(:suspicious_login,
         user_id: user_id,
         client_ip: client_ip,

lib/auth/current_user_provider.rb

@@ -12,7 +12,7 @@ class Auth::CurrentUserProvider
   end
 
   # log on a user and set cookies and session etc.
-  def log_on_user(user, session, cookies)
+  def log_on_user(user, session, cookies, opts = {})
     raise NotImplementedError
   end
 

lib/auth/default_current_user_provider.rb

@@ -149,13 +149,14 @@ class Auth::DefaultCurrentUserProvider
     end
   end
 
-  def log_on_user(user, session, cookies)
+  def log_on_user(user, session, cookies, opts = {})
     @user_token = UserAuthToken.generate!(
       user_id: user.id,
       user_agent: @env['HTTP_USER_AGENT'],
       path: @env['REQUEST_PATH'],
       client_ip: @request.ip,
-      staff: user.staff?)
+      staff: user.staff?,
+      impersonate: opts.impersonate)
 
     cookies[TOKEN_COOKIE] = cookie_hash(@user_token.unhashed_auth_token)
     unstage_user(user)

lib/current_user.rb

@@ -13,8 +13,8 @@ module CurrentUser
     @current_user_provider = Discourse.current_user_provider.new({})
   end
 
-  def log_on_user(user)
-    current_user_provider.log_on_user(user, session, cookies)
+  def log_on_user(user, opts = {})
+    current_user_provider.log_on_user(user, session, cookies, opts)
     user.logged_in
   end
 

spec/models/user_auth_token_spec.rb

@@ -283,4 +283,29 @@ describe UserAuthToken do
     expect(lookup.auth_token_seen).to eq(true)
   end
 
+  context "suspicious login" do
+
+    let(:user) { Fabricate(:user) }
+    let(:admin) { Fabricate(:admin) }
+
+    it "is not checked when generated for non-staff" do
+      UserAuthToken.generate!(user_id: user.id, staff: user.staff?)
+
+      expect(Jobs::SuspiciousLogin.jobs.size).to eq(0)
+    end
+
+    it "is checked when generated for staff" do
+      UserAuthToken.generate!(user_id: admin.id, staff: admin.staff?)
+
+      expect(Jobs::SuspiciousLogin.jobs.size).to eq(1)
+    end
+
+    it "is not checked when generated by impersonate" do
+      UserAuthToken.generate!(user_id: admin.id, staff: admin.staff?, impersonate: true)
+
+      expect(Jobs::SuspiciousLogin.jobs.size).to eq(0)
+    end
+
+  end
+
 end

spec/rails_helper.rb

@@ -187,7 +187,7 @@ RSpec.configure do |config|
   end
 
   class TestCurrentUserProvider < Auth::DefaultCurrentUserProvider
-    def log_on_user(user, session, cookies)
+    def log_on_user(user, session, cookies, opts = {})
       session[:current_user_id] = user.id
       super
     end