Should a deactivated user receive an email?

benjamincfarmer · May 9, 2025, 5:44pm

I am searching for a way to force an email revalidation of users. I saw
, in the user page and did a test. When attempting to log in the test gave me a response of

but no email to that address to re-validate, only change.

Should the Deactivated user have received an email alerting them that they need to revalidate?

JammyDodger · May 10, 2025, 6:03am

When you manually deactivate a user it doesn’t automatically send an email asking them to revalidate, though you can press the button that appears in their user/admin page to resend one.

When an inactive account attempts to login they should be prompted with a screen like this where they can choose to have a fresh one sent:

I’m not sure why your screenshot seems to be missing that option? Could it be some custom code you’ve added to hide a particular button that has also accidentally hidden this one? Does it show up in safe mode?

Edit: After a little bit of digging, I think it’s the must approve users setting that makes the box disappear. When I enable that I no longer get the option showing up:

I’m not 100% sure that’s intentional.

JammyDodger · May 10, 2025, 8:00am

It does seem intentional:

Though it does also break the revalidation flow for manually deactivating users so it still feels like a bug.

I’ll slide it over to Bug and see if someone more knowledgable can adjudicate.

sam · May 11, 2025, 11:17pm

To recap:

The community is invite only and every new member must be approved by staff
You want to force email re-validation on some users.
Given must_approve_users is invite_only and login_required the option for re-sending activation email is missing.

Some observations:

the interplay of the 3 settings is a bit confusing. Why would you want must_approve_users if you are already an invite_only community?
must_approve_users blocking email approval is somewhat confusing, we should revisit.

Leaving this with the staff-experience team to triage. Expect a response this week.

@benjamincfarmer does it make sense to try must_approve_users off on your community given it is already invite only?

Moin · May 11, 2025, 11:26pm

How is invite only connected to this?

When I disable a user, the resend activation email button is missing because must approve users is enabled. Invite only isn’t enabled on my forum.

github.com/discourse/discourse

app/assets/javascripts/discourse/app/components/activation-controls.gjs

eff31e0d4


      
          @service siteSettings;
          
          get canEditEmail() {
            return (
              this.siteSettings.enable_local_logins || this.siteSettings.email_editable
            );
          }
          
          <template>
            <div class="activation-controls">
              {{#unless this.siteSettings.must_approve_users}}
                <DButton
                  @action={{@sendActivationEmail}}
                  @label="login.resend_title"
                  @icon="envelope"
                  class="btn-primary resend"
                />
              {{/unless}}
          
              {{#if this.canEditEmail}}
                <DButton

sam · May 11, 2025, 11:31pm

Yeah I agree it is unrelated, but the particular forum in question does not appear to need must approve users cause it is invite only anyway.

Moin · May 11, 2025, 11:36pm

I can understand that you use both, so users with a certain trust level can invite others, but staff can still control who joins the community. I would expect fewer sign-ups by spammers, so less work for staff.

sam · May 11, 2025, 11:47pm

The context for the change appears to be:

So “must approve users” relies on “admins” to actually do the email validation.

My gut here is that the change to fix is rather complex.

Must approve users - should only get users that have validated emails
Hence even if this setting is enabled we should validate emails first prior to passing on users to admins

Which would be a major rework of this feature. Not against this by any means but it feels somewhat complex.

Moin · May 12, 2025, 12:31am

That topic was created in September 2017.

This was committed in May, so before the topic was created.

Isn’t that the case?
When I sign up a new user:

I fill in the registration form

Screenshot_20250512_022217_Firefox855×679 50.7 KB
Then I am asked to validate the email address

Screenshot_20250512_021653_Firefox1068×555 94.4 KB
When I open the link sent by email, I click to activate the account

Screenshot_20250512_021724_Firefox1024×440 49.3 KB
I am told that I need to wait for staff to review my registration.

Screenshot_20250512_021734_Firefox1051×687 115 KB

At this point, the sign-up appears in the review queue, and staff can approve the user, who then receives the email that they can log in.

Screenshot_20250512_021814_Firefox1268×960 120 KB

benjamincfarmer · May 12, 2025, 1:13am

The root desire of account deactivation was to prune accounts of individuals who no longer have access to their original sign-up email address. After observing that you can move the account to a new address when the account is deactivated I’ve realized that this wouldn’t provide the effect we were looking for anyways.

Sorry for kicking the beehive @sam

Our forum is being used to provide support to our sales agencies. If one of these employees leaves, and goes to a competitor, we want to remove them from the system. Feedback from the agency would be the best way to do this, if I had faith they would tell me.

kris.kotlarek · May 27, 2025, 7:29am

Thank you for explaining the problem. One option would be deleting the user, but I assume you would like to keep old posts.

The second option would be to anonymize the user. That would prevent them from logging in again, and you will keep all conversations (under an anonymized username).

However, if you would like to keep their original username, we would need to develop a new button called “disapprove.” We would place it here:

If a “disapproved” user tries to log in, they would see this screen:

Would the anonymize feature work for you? It might take us a moment to develop that “disapprove” feature.

nickrsan · June 27, 2025, 9:48pm

Hi all,

We have a very similar need that I also thought “Deactivate User” might support, but found the same thing - Deactivate doesn’t trigger a reactivation email, or even allow the user to re-send the email because we are a private, approval required forum.

Our use case is that we allow people with from a specific group of public sector employers to join a community, as proven by their email address. We are looking to do some kind of periodic re-verification that they are still with the employer by forcing re-activation of the account, so that they cannot log in with existing credentials for very long if they leave their employer and their email account is deactivated.

I’m not looking for account archival tools at this time - the ones that are there will work - the flow I’m wondering about and concerned about is how to basically reach out to all users and say “hey, are you still at the same email address?” and have them be required to verify it, without the ability to change the email address on the approved account. I think we could reset the the passwords, and they’d need access to the email account to reset their password, but that’s a bit higher of a burden on people than clicking the link and could drive some people away.

If there’s a better way to achieve this kind of periodic reverification, I’m open to it, whether that’s in the UI, or some use of the APIs to manually trigger new verification tokens and emails.

Thank you!

Topic		Replies	Views
Emails are still sent to de-activated users Bug	3	1022	August 31, 2015
Cannot activate a user with an unconfirmed email token Bug	11	960	February 15, 2018
Activation email sent after account was deactivated Support	5	506	October 9, 2020
Deactivated Account Still Receives Emails Feature email	8	3175	April 20, 2016
Deactivated users are sometimes not being deactivated Support	5	499	September 24, 2024

Should a deactivated user receive an email?

Related topics