Cannot activate a user with an unconfirmed email token


(Jay Pfaffman) #1

Steps to reproduce (I’m pretty sure)

  • deactivate a user (e.g., User.where("active = true and admin != true").update_all(active: false))
  • have the user try to log in or otherwise get a validation token created
  • activate the user with things like User.all.update_all(active: true).

Even though the user record shows “true” in the active field, they couldn’t log in. I tried a whole bunch of ways to activate a user (e.g., I called user.activate and user.save) and nothing kept the user from getting the “We sent an activation email, you need to follow those instructions” link when trying to log in until I finally found the email token and did

token.confirmed=true
token.save

and then the user could log in.

The lesson is probably don’t deactivate a user unless you really mean it. :slight_smile:


(Jeff Atwood) #2

This seems correct, the only way to activate a user is to validate the email. Deactivated even explains this in the UI…


(Jay Pfaffman) #3

Well, not really. SSO can skirt the requirement. And rake admin:create will activate a user. I just deactivated them all as part of the import and the admin didn’t want them deactivated, and the test site has outgoing mail disabled.

I thought that the ACTIVATE button on the admin screen would activate a user too, without sending the email.

But you don’t have to call it a :bug: :slight_smile:


(Jeff Atwood) #4

If it’s a problem with the UI then @jomaxro can try to repro that.


(Joshua Rosenfeld) #5

I’m confused. @pfaffman are you saying that if you deactivate and activate a user via /admin/users/user_id/username the user isn’t actually activated?


(Jay Pfaffman) #6

I suspect that’s the case. It may be, though, that this isn’t replicable via the UX and I should just move this to #dev.


(Jeff Atwood) #7

Is this replicable via the UI, @jomaxro?


(Joshua Rosenfeld) #8

Sorry for the delay @pfaffman, travelling this week.

Looks like we’ve got a real bug here. The activate button works if the user has never been activated before (sign up, don’t click on the link in email), however it fails if the user was deactivated.

Repro steps:

  1. User signs up on site and activates their account as normal.
  2. Admin goes to user admin page and clicks Deactivate
  3. User is logged out.
  4. Admin clicks “Activate Account” - the page refreshes but the user is still deactivated.
  5. Admin gets annoyed and keeps clicking Activate Account, to no avail :wink:.

(Jay Pfaffman) #9

Well, I’ll be!

In that case, the problem appears to have to do with there being an email token that has been created. I looked at the code and couldn’t quite see where the problem is.


(Jeff Atwood) #10

Ok @techapj we should get this fixed. See repro above… there should be handling of the case where the user was deactivated too.


(Arpit Jalan) #11

Fixed via:

Thanks for reporting this issue @pfaffman. :+1:


(Arpit Jalan) #12

This topic was automatically closed after 20 hours. New replies are no longer allowed.
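
The state reported in post #1, as an added example that is not part of the original thread and is not Discourse's code: a plain-Ruby model in which login depends on both the active flag and the email token state, so a flag-only bulk update leaves the account unable to log in. The class names, the helper methods and the rule that an account with no tokens counts as confirmed are assumptions made for this illustration.

```ruby
# Simplified model of the state reported in the thread; NOT Discourse's code.
# Class, method and rule names here are assumptions made for this example.
EmailToken = Struct.new(:email, :confirmed)

class User
  attr_accessor :active
  attr_reader :email, :email_tokens

  def initialize(email)
    @email = email
    @active = false
    @email_tokens = []
  end

  # Assumed rule: confirmed when a confirmed token exists for the current
  # address, or when no token was ever issued (e.g. SSO or admin-created).
  def email_confirmed?
    email_tokens.empty? || email_tokens.any? { |t| t.email == email && t.confirmed }
  end

  # Login gate: both facts must hold, so the active flag alone is not enough.
  def can_log_in?
    active && email_confirmed?
  end
end

# Flag-only activation, like update_all(active: true) in the report.
def activate_flag_only(user)
  user.active = true
end

# Activation that also settles outstanding tokens for the current address.
def activate_and_confirm(user)
  user.active = true
  user.email_tokens.each { |t| t.confirmed = true if t.email == user.email }
end

# Consistency check: accounts marked active that still cannot log in.
def stuck_accounts(users)
  users.select { |u| u.active && !u.email_confirmed? }
end

if __FILE__ == $PROGRAM_NAME
  user = User.new("user@example.test")                       # constructed sample
  user.email_tokens << EmailToken.new(user.email, false)
  activate_flag_only(user)
  puts "flag only: active=#{user.active} can_log_in=#{user.can_log_in?}"
  activate_and_confirm(user)
  puts "confirmed: active=#{user.active} can_log_in=#{user.can_log_in?}"
end
```

In Rails, update_all issues the SQL UPDATE directly and skips model callbacks and validations, which is why a bulk write to one column cannot repair state held in a related table.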