From f55edd54fd3f4f209ae94013c53e8d712decea9c Mon Sep 17 00:00:00 2001
From: Daniel Waterworth
Date: Tue, 19 Apr 2022 12:33:31 -0500
Subject: [PATCH] FIX: Don't allow DiscourseConnect logins in readonly mode (#16508)
---
app/controllers/session_controller.rb | 1 +
spec/requests/session_controller_spec.rb | 14 ++++++++++++++
2 files changed, 15 insertions(+)
diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb
index 418de7a48d6..caa63596098 100644
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@@ -121,6 +121,7 @@ class SessionController < ApplicationController
 end
 
 def sso_login
+ return render_sso_error(text: I18n.t("read_only_mode_enabled"), status: 503) if @readonly_mode
 raise Discourse::NotFound.new unless SiteSetting.enable_discourse_connect
 
 params.require(:sso)
diff --git a/spec/requests/session_controller_spec.rb b/spec/requests/session_controller_spec.rb
index 7c5a9ef2779..f28919e5ed1 100644
--- a/spec/requests/session_controller_spec.rb
+++ b/spec/requests/session_controller_spec.rb
@@ -1112,6 +1112,20 @@ describe SessionController do
 expect(logged_on_user.email).to eq(@user.email)
 end
 end
+
+ context "in readonly mode" do
+ use_redis_snapshotting
+
+ before do
+ Discourse.enable_readonly_mode
+ end
+
+ it "disallows requests" do
+ get "/session/sso_login"
+
+ expect(response.status).to eq(503)
+ end
+ end
 end
 
 describe '#sso_provider' do
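Review bot: The new guard at the top of sso_login silently no-ops if `@readonly_mode` was never assigned, because an unset instance variable is nil and the modifier `if` then lets the login proceed; the filter that sets that ivar lives outside this hunk, so nothing here fails loudly if it is skipped or renamed for this action. Reading the mode directly, `return render_sso_error(text: I18n.t("read_only_mode_enabled"), status: 503) if Discourse.readonly_mode?` (if such a predicate is available alongside the `Discourse.enable_readonly_mode` the spec uses), would remove that hidden dependency, or at minimum a comment should name where `@readonly_mode` comes from. The guard also runs before the `enable_discourse_connect` check, so a read-only site with DiscourseConnect disabled now answers 503 on this path instead of 404; that ordering looks intentional but deserves a one-line comment. The body of sso_login continues past the end of the hunk.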
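Review bot: The new "in readonly mode" example pins only the status code, so it would also pass if the 503 came from some other read-only handling further up the stack; adding `expect(response.body).to include(I18n.t("read_only_mode_enabled"))` ties the test to the guard this commit introduces. It also never sets `SiteSetting.enable_discourse_connect` or sends an `sso` payload, so the property the fix is actually about, that a valid DiscourseConnect payload does not create a session while the site is read-only, is not exercised; a second example with the setting enabled and a well-formed payload, asserting that no user is logged on afterwards, would cover it. The enclosing `describe` block starts before this hunk.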