Conflicting email addresses, giving admins more power to resolve issues

sudoman · January 22, 2021, 5:59pm

One of our users has two Discourse accounts, one that is no longer in use, and a new account that they’re not able to log into. The reason appears to be that their new account on our CAS SSO provider has the same email address set as their old account on our forum.

I experimented with my own test account, trying to deactivate it and deleting the SSO record. However that seems to prevent new logins for that account, due to the existing record no longer matching the SSO payload, and now the email address is seen as conflicting.

I also experimented with trying to change the email address on our user’s unused Discourse account so they could log in with that email address on their new account. However an email confirmation is required. I set up an email alias on our SMTP server so I could intercept an arbitrary address. However, when following the link, I need to log in as them via SSO. The problem with that is that I would have to reactivate the user’s account, set a new password, link their account to our member database, and create a false membership on our SSO provider. This is certainly possible to do, but I feel like I’m in a tangled web trying to correct this user’s account.

Going into the DB and making the change with some SQL queries is something I’ve done in the past, but that is risky, and I would rather avoid that approach if possible.

If it doesn’t break Discourse, I would love to have a feature allowing me to delete an email address on a deactivated account, rather than just setting the email address to unconfirmed.

If there are any other ways that I can handle this problem, please let me know. Thanks!

Sailsman63 · January 22, 2021, 6:45pm

Why not merge the old users into the new one?

simon · January 23, 2021, 12:56am

I think you are using Discourse’s implementation of SSO and are setting the require_activation SSO parameter to true in the SSO payload. If that is the case, have a look at this topic for details about fixing the issue: Debugging and fixing common SSO issues. It is safer to run the Rails console commands that are given in that topic than to directly update your database with SQL queries.

Merging the two accounts, as stated in the above post, is probably a good approach, but you may need to make some adjustments to the SSO record after having done that.

JimPas · January 23, 2021, 5:02am

There’s also this I just found via search merge user accounts. This is still available by clicking on the user in the active user list (Admin Dashboard) and scrolling down to the bottom to see the 3 buttons shown below.

Discourse 2.5.0.beta3 Release Notes

Merge Users via the UI

In early 2018 we added support for merging two user accounts into each other. To do so required SSH access to the server, as merge support was added as a rake task.

Users can now be merged by any admin! Visit the user admin page, and select “Transfer & Delete” at the bottom of the page.

Enter the username you want the account to be merged into, and click “Transfer & Delete @username” to start the merge process.

sudoman · January 24, 2021, 12:37am

Thanks for the tips + help on this. I’ll give it a shot on some test accounts next week, and I’ll let you know if I run into any major issues. Thanks : )

sudoman · January 25, 2021, 7:57pm

Okay, so it all worked out. When I merged accounts, Discourse kept the SSO credentials of the target / merged into / non-deleted account, and the other account was deleted.

Thanks for your help on this. : )