FIX: Prevent all kinds of login in readonly mode (#16743)

app/controllers/session_controller.rb

@@ -99,6 +99,7 @@ class SessionController < ApplicationController
     def become
 
       raise Discourse::InvalidAccess if Rails.env.production?
+      raise Discourse::ReadOnly if @readonly_mode
 
       if ENV['DISCOURSE_DEV_ALLOW_ANON_TO_IMPERSONATE'] != "1"
         render(content_type: 'text/plain', inline: <<~TEXT)
@@ -121,8 +122,8 @@ class SessionController < ApplicationController
   end
 
   def sso_login
-    return render_sso_error(text: I18n.t("read_only_mode_enabled"), status: 503) if @readonly_mode
     raise Discourse::NotFound.new unless SiteSetting.enable_discourse_connect
+    raise Discourse::ReadOnly if @readonly_mode
 
     params.require(:sso)
     params.require(:sig)

app/controllers/users/omniauth_callbacks_controller.rb

@@ -22,6 +22,7 @@ class Users::OmniauthCallbacksController < ApplicationController
   def complete
     auth = request.env["omniauth.auth"]
     raise Discourse::NotFound unless request.env["omniauth.auth"]
+    raise Discourse::ReadOnly if @readonly_mode
 
     auth[:session] = session
 

spec/requests/omniauth_callbacks_controller_spec.rb

@@ -157,6 +157,17 @@ RSpec.describe Users::OmniauthCallbacksController do
       end
     end
 
+    context "in readonly mode" do
+      use_redis_snapshotting
+
+      it "should return a 503" do
+        Discourse.enable_readonly_mode
+
+        get "/auth/google_oauth2/callback"
+        expect(response.code).to eq("503")
+      end
+    end
+
     context "without an `omniauth.auth` env" do
       it "should return a 404" do
         get "/auth/eviltrout/callback"