Cannot activate a user with an unconfirmed email token

Steps to reproduce (I’m pretty sure)

  • deactivate a user (e.g., User.where("active = true and admin != true").update_all(active: false))
  • have the user try to log in or otherwise get a validation token created
  • activate the user with things like User.all.update_all(active: true).

Even though the user record shows “true” in the active field, they couldn’t log in. I tried a whole bunch of ways to activate a user (e.g., i called user.activate and user.save) and nothing kept the user from getting the “We sent an activation email, you need to follow those instructions” link when trying to log in until I finally found the email token and did

token.confirmed=true
token.save

and then the user could log in.

The lesson is probably don’t deactivate a user unless you really mean it. :slight_smile:

1 Like

This seems correct, the only way to activate a user is to validate the email. Deactivated even explains this in the UI…

Well, not really. SSO can skirt the requirement. And rake admin:create will activate a user. I just deactivated the all as part of the import and the admin didn’t want them deactivated, and the test site has outgoing mail disabled.

I thought that the ACTIVATE button on the admin screen would activate a user too, without sending the email.

But you don’t have to call it a :bug: :slight_smile:

If it’s a problem with the UI then @jomaxro can try to repro that.

I’m confused. @pfaffman are you saying that if you deactivate and activate a user via /admin/users/user_id/username the user isn’t actually activated?

2 Likes

I suspect that’s the case. It may be, though, that this isn’t replicable via the UX and I should just move this to dev.

Is this replicable via the UI, @jomaxro?

Sorry for the delay @pfaffman, travelling this week.

Looks like we’ve got a real bug here. The activate button works if the user has never been activated before (sign up, don’t click on the link in email), however it fails if the user was deactivated.

Repro steps:

  1. User signs up on site and activates their account as normal.
  2. Admin goes to user admin page and click Deactivate
  3. User is logged out.
  4. Admin clicks “Activate Account” - the page refreshes but the user is still deactivated.
  5. Admin gets annoyed and keeps clicking Activate Account, to no avail :wink:.
8 Likes

Well, I’ll be!

In that case, the problem appears to have to do with there being an email token has been created. I looked at the code and couldn’t quite see where the problem is.

1 Like

Ok @techapj we should get this fixed. See repro above… there should be handling of the case where the user was deactivated too.

2 Likes

Fixed via:

https://github.com/discourse/discourse/commit/f07b1a5c054ab4813cdd1782746fcf84300c036c

Thanks for reporting this issue @pfaffman. :+1:

8 Likes

This topic was automatically closed after 20 hours. New replies are no longer allowed.