FIX: always unstage users when they log in

2025-01-18 13:32:45 +08:00 · 2018-05-13 17:00:02 +02:00 · 2018-05-13 17:00:02 +02:00 · 2cf6fb7359
commit 2cf6fb7359
parent be6404d651
5 changed files with 33 additions and 9 deletions
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@ -125,7 +125,8 @@ class Users::OmniauthCallbacksController < ApplicationController

    # automatically activate/unstage any account if a provider marked the email valid
    if @auth_result.email_valid && @auth_result.email == user.email
-      user.update!(staged: false)
+      user.unstage
+      user.save

      # ensure there is an active email token
      unless EmailToken.where(email: user.email, confirmed: true).exists? ||
--- a/app/models/discourse_single_sign_on.rb
+++ b/app/models/discourse_single_sign_on.rb
@ -57,7 +57,8 @@ class DiscourseSingleSignOn < SingleSignOn
    end

    # ensure it's not staged anymore
-    user.staged = false
+    user.unstage
+    user.save

    # if the user isn't new or it's attached to the SSO record we might be overriding username or email
    unless user.new_record?
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -269,15 +269,18 @@ class User < ActiveRecord::Base
    user
  end

+  def unstage
+    self.staged = false
+    self.custom_fields[FROM_STAGED] = true
+    self.notifications.destroy_all
+    DiscourseEvent.trigger(:user_unstaged, self)
+  end
+
  def self.unstage(params)
    if user = User.where(staged: true).with_email(params[:email].strip.downcase).first
      params.each { |k, v| user.send("#{k}=", v) }
-      user.staged = false
      user.active = false
-      user.custom_fields[FROM_STAGED] = true
-      user.notifications.destroy_all
-
-      DiscourseEvent.trigger(:user_unstaged, user)
+      user.unstage
    end
    user
  end
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@ -131,7 +131,6 @@ class Auth::DefaultCurrentUserProvider
  end

  def refresh_session(user, session, cookies)
-
    # if user was not loaded, no point refreshing session
    # it could be an anonymous path, this would add cost
    return if is_api? || !@env.key?(CURRENT_USER_KEY)
@ -162,6 +161,7 @@ class Auth::DefaultCurrentUserProvider
                                          client_ip: @request.ip)

    cookies[TOKEN_COOKIE] = cookie_hash(@user_token.unhashed_auth_token)
+    unstage_user(user)
    make_developer_admin(user)
    enable_bootstrap_mode(user)
    @env[CURRENT_USER_KEY] = user
@ -182,6 +182,13 @@ class Auth::DefaultCurrentUserProvider
    hash
  end

+  def unstage_user(user)
+    if user.staged
+      user.unstage
+      user.save
+    end
+  end
+
  def make_developer_admin(user)
    if  user.active? &&
        !user.admin &&
@ -193,11 +200,16 @@ class Auth::DefaultCurrentUserProvider
  end

  def enable_bootstrap_mode(user)
-    Jobs.enqueue(:enable_bootstrap_mode, user_id: user.id) if user.admin && user.last_seen_at.nil? && !SiteSetting.bootstrap_mode_enabled && user.is_singular_admin?
+    return if SiteSetting.bootstrap_mode_enabled
+
+    if user.admin && user.last_seen_at.nil? && user.is_singular_admin?
+      Jobs.enqueue(:enable_bootstrap_mode, user_id: user.id)
+    end
  end

  def log_off_user(session, cookies)
    user = current_user
+
    if SiteSetting.log_out_strict && user
      user.user_auth_tokens.destroy_all

--- a/spec/components/auth/default_current_user_provider_spec.rb
+++ b/spec/components/auth/default_current_user_provider_spec.rb
@ -313,6 +313,13 @@ describe Auth::DefaultCurrentUserProvider do
    expect(provider("/", "HTTP_COOKIE" => "_t=#{token.unhashed_auth_token}").current_user).to eq(nil)
  end

+  it "always unstage users" do
+    staged_user = Fabricate(:user, staged: true)
+    provider("/").log_on_user(staged_user, {}, {})
+    staged_user.reload
+    expect(staged_user.staged).to eq(false)
+  end
+
  context "user api" do
    let :user do
      Fabricate(:user)