From 2cf6fb7359a8ad6ea9ee7b33ce645eece50ece44 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Hanol?= <regis@hanol.fr>
Date: Sun, 13 May 2018 17:00:02 +0200
Subject: [PATCH] FIX: always unstage users when they log in

---
 .../users/omniauth_callbacks_controller.rb       |  3 ++-
 app/models/discourse_single_sign_on.rb           |  3 ++-
 app/models/user.rb                               | 13 ++++++++-----
 lib/auth/default_current_user_provider.rb        | 16 ++++++++++++++--
 .../auth/default_current_user_provider_spec.rb   |  7 +++++++
 5 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb
index c8edddf65b9..3341ff44f40 100644
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -125,7 +125,8 @@ class Users::OmniauthCallbacksController < ApplicationController
 
     # automatically activate/unstage any account if a provider marked the email valid
     if @auth_result.email_valid && @auth_result.email == user.email
-      user.update!(staged: false)
+      user.unstage
+      user.save
 
       # ensure there is an active email token
       unless EmailToken.where(email: user.email, confirmed: true).exists? ||
diff --git a/app/models/discourse_single_sign_on.rb b/app/models/discourse_single_sign_on.rb
index 80c1f56dcf6..9cc89bbcdc1 100644
--- a/app/models/discourse_single_sign_on.rb
+++ b/app/models/discourse_single_sign_on.rb
@@ -57,7 +57,8 @@ class DiscourseSingleSignOn < SingleSignOn
     end
 
     # ensure it's not staged anymore
-    user.staged = false
+    user.unstage
+    user.save
 
     # if the user isn't new or it's attached to the SSO record we might be overriding username or email
     unless user.new_record?
diff --git a/app/models/user.rb b/app/models/user.rb
index c541bf26caf..d46bd6a8439 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -269,15 +269,18 @@ class User < ActiveRecord::Base
     user
   end
 
+  def unstage
+    self.staged = false
+    self.custom_fields[FROM_STAGED] = true
+    self.notifications.destroy_all
+    DiscourseEvent.trigger(:user_unstaged, self)
+  end
+
   def self.unstage(params)
     if user = User.where(staged: true).with_email(params[:email].strip.downcase).first
       params.each { |k, v| user.send("#{k}=", v) }
-      user.staged = false
       user.active = false
-      user.custom_fields[FROM_STAGED] = true
-      user.notifications.destroy_all
-
-      DiscourseEvent.trigger(:user_unstaged, user)
+      user.unstage
     end
     user
   end
diff --git a/lib/auth/default_current_user_provider.rb b/lib/auth/default_current_user_provider.rb
index bf837c3d56d..4d7521046c8 100644
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@@ -131,7 +131,6 @@ class Auth::DefaultCurrentUserProvider
   end
 
   def refresh_session(user, session, cookies)
-
     # if user was not loaded, no point refreshing session
     # it could be an anonymous path, this would add cost
     return if is_api? || !@env.key?(CURRENT_USER_KEY)
@@ -162,6 +161,7 @@ class Auth::DefaultCurrentUserProvider
                                           client_ip: @request.ip)
 
     cookies[TOKEN_COOKIE] = cookie_hash(@user_token.unhashed_auth_token)
+    unstage_user(user)
     make_developer_admin(user)
     enable_bootstrap_mode(user)
     @env[CURRENT_USER_KEY] = user
@@ -182,6 +182,13 @@ class Auth::DefaultCurrentUserProvider
     hash
   end
 
+  def unstage_user(user)
+    if user.staged
+      user.unstage
+      user.save
+    end
+  end
+
   def make_developer_admin(user)
     if  user.active? &&
         !user.admin &&
@@ -193,11 +200,16 @@ class Auth::DefaultCurrentUserProvider
   end
 
   def enable_bootstrap_mode(user)
-    Jobs.enqueue(:enable_bootstrap_mode, user_id: user.id) if user.admin && user.last_seen_at.nil? && !SiteSetting.bootstrap_mode_enabled && user.is_singular_admin?
+    return if SiteSetting.bootstrap_mode_enabled
+
+    if user.admin && user.last_seen_at.nil? && user.is_singular_admin?
+      Jobs.enqueue(:enable_bootstrap_mode, user_id: user.id)
+    end
   end
 
   def log_off_user(session, cookies)
     user = current_user
+
     if SiteSetting.log_out_strict && user
       user.user_auth_tokens.destroy_all
 
diff --git a/spec/components/auth/default_current_user_provider_spec.rb b/spec/components/auth/default_current_user_provider_spec.rb
index a66d0d9f771..75a76ef27a1 100644
--- a/spec/components/auth/default_current_user_provider_spec.rb
+++ b/spec/components/auth/default_current_user_provider_spec.rb
@@ -313,6 +313,13 @@ describe Auth::DefaultCurrentUserProvider do
     expect(provider("/", "HTTP_COOKIE" => "_t=#{token.unhashed_auth_token}").current_user).to eq(nil)
   end
 
+  it "always unstage users" do
+    staged_user = Fabricate(:user, staged: true)
+    provider("/").log_on_user(staged_user, {}, {})
+    staged_user.reload
+    expect(staged_user.staged).to eq(false)
+  end
+
   context "user api" do
     let :user do
       Fabricate(:user)