I haven’t found a way to reproduce this issue, but over the past month I’ve noticed two instances where a user was supposedly deactivated (as seen from the staff action logs) but not actually deactivated (the user could still log in).
For example, this one was “deactivated” 29 days ago, but was able to send me a private message today (the only other staff actions after the deactivation are “check email”)
This is still happening sporadically. For example, this user was initially “deactivated” on August 23, but I just noticed now that they were still active and actually deactivated them.
How can a user be deactivated twice (without a reactivation in between)?
I have a daily task that runs a query to check for this situation. It returned nothing yesterday and this one user today, so what seems to be happening is that the user was correctly deactivated on Aug 23, but it somehow got activated yesterday (without it being logged anywhere).
Is it possible to activate a user (via API or UI) and not leave a trace? I’m assuming this could only happen by modifying the database directly, which I’m certain I didn’t do (I’m the only admin).
This can happen. All a deactivated user needs to do to re-activate their account is to attempt to login to the site, then click the link in the activation email that’s sent to them.
When a deactivated user attempts to login they will see this modal:
After clicking the link in the email, the user will be logged into Discourse.
This has been the behavior for as long as I can remember. I don’t think it’s a bug, but I could be wrong about that. Sending a “Confirm your new account” email to a user who already has an account seems a little off.
Edit: to get the behavior you are looking for, you probably want to “suspend” the user instead of deactivating them.