Approving an activated staged user tells them to log in, but doesn't allow them to log in

bug
1

Steps to reproduce

  1. Go to /my/messages
  2. Click “New message”
  3. Enter an email address which isn’t linked to any existing user
  4. Type and send a message.

This sends an email and creates a staged user.

  1. From the admin panel, activate the user.
    a. In my case, my site requires approval of new accounts, so I also had to approve the user. Not sure how universal this is.
  2. User receives email:

You’ve been approved on …

A staff member approved your account on …

You can now access your new account by logging in at:

  1. User goes to url as instructed in the email.

Expected outcome

User is able to log in

Observed outcome

  • At the log in dialog, entering their email address and using “Skip the password; send me a login link” results in “No account matches …”.

  • Clicking “Forgot my password” then “Reset password” results in “No account matches …”

  • The user can create a new account with that email address, but (in my testing at least) this sets them back to being unactivated and sends a “Confirm your new account” email. Which is not what you’d expect after they’ve already been told “You’ve been approved”…

2

Extra bonus problem: the message I sent out from Discourse the first time I encountered this contained an invite link. Users were unable to use that invite link:

image

I’ve reproduced the problem without the invite link so I haven’t mentioned it in the reproduction, but I’m mentioning it here because it seems like it’s another pointer that might help figure out what weird state I’ve managed to put the accounts into.

3

That’s interesting that you are able to activate a staged user via their user admin page. Staged users are not expected to log in so it doesn’t make sense to be able to activate them. Staged users can transform :sparkles: into users by them coming to create accounts, and then they gain access to all the messages they only participated in previously by email.

So… one answer for you is to just not do that. :slight_smile: When you want to invite someone to your site, just invite them in the usual way - not by creating a staged user via email.

But maybe we can prevent this behavior in case others encounter it. I will do a quick test on my site to see if I am able to replicate.

1 Like
4

OK, I was able to replicate this on my site. It is indeed possible to activate a staged user, which is not correct. Good catch!

2 Likes
5

That makes sense!

I’ve been able to confirm that for a staged user (who hasn’t been activated), this works nicely. If I’d followed up on my original message by sending out invitations direct (ie, “Restricted to this email address”, then click the “send invitation email” button) to those email addresses, they can just click the invite link and create their account.

I can’t do this to an activated staged user: in that case, trying to invite them fails because that email address is already associated with a user account.

But since a staged user should not ever be able to be activated, that shouldn’t be a problem :slight_smile:

This was of course a “restrict to N uses” invite. I’m not sure if that makes a difference in terms of being able to use the invite - but given what we’ve already found, I suspect that this invite link would have worked fine if I hadn’t already activated the accounts.

1 Like