Deactivated users are sometimes not being deactivated

I haven’t found a way to reproduce this issue, but over the past month I’ve noticed two instances where a user was supposedly deactivated (as seen from the staff action logs) but not actually deactivated (the user could still log in).

For example, this one was “deactivated” 29 days ago, but was able to send me a private message today (the only other staff actions after the deactivation are “check email”).

This is the other one (a different staff member was able to “deactivate” the same user again 4 hours later without a previous reactivation):

I’m on 2.9.0.beta9

This issue is still ongoing (it happens several times a month). Has anyone else noticed it?

This is the controller code

The StaffActionLogger is working correctly, but I’m wondering if something in the User.deactivate method might be failing.

What the errors have in common is that they’re coming from API requests. This is what I typically use:

PUT https://<MY_SITE>/admin/users/<USER_ID>/deactivate

Api-Username:<ADMIN_USER>
Api-Key:<KEY>

data: {"context":"/admin/users/<USER_ID>/<USER_NAME>"}

I always get “success: OK”

Is there any other log I could check out or thing I could try?

I’m on 2.9.0.beta11

This is still happening sporadically. For example, this user was initially “deactivated” on August 23, but I just noticed now that they were still active and actually deactivated them.

How can a user be deactivated twice (without a reactivation in between)?

I have a daily task that runs a query to check for this situation. It returned nothing yesterday and this one user today, so what seems to be happening is that the user was correctly deactivated on Aug 23, but it somehow got activated yesterday (without it being logged anywhere).

Is it possible to activate a user (via API or UI) and not leave a trace? I’m assuming this could only happen by modifying the database directly, which I’m certain I didn’t do (I’m the only admin).

This can happen. All a deactivated user needs to do to re-activate their account is to attempt to log in to the site, then click the link in the activation email that’s sent to them.

When a deactivated user attempts to log in they will see this modal:

Discourse will send them a “Confirm your new account” email:

After clicking the link in the email, the user will be logged into Discourse.

This has been the behavior for as long as I can remember. I don’t think it’s a bug, but I could be wrong about that. Sending a “Confirm your new account” email to a user who already has an account seems a little off.

Edit: to get the behavior you are looking for, you probably want to “suspend” the user instead of deactivating them.

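The daily check mentioned earlier in the thread, combined with the explanation in the reply above, as an added example that is not part of the original posts or of Discourse's code: it reconciles a staff action log against current user state and flags accounts whose last logged activation change is a deactivation but which are active now. The record layout, field names and sample data are constructed assumptions, not Discourse's export schema.

```python
from datetime import datetime

# Constructed sample data; field and action names are assumptions for this example.
STAFF_LOG = [
    {"user_id": 101, "action": "deactivate_user", "at": "2022-08-23T10:00:00"},
    {"user_id": 101, "action": "check_email", "at": "2022-08-24T09:00:00"},
    {"user_id": 102, "action": "deactivate_user", "at": "2022-08-01T12:00:00"},
    {"user_id": 102, "action": "activate_user", "at": "2022-08-02T12:00:00"},
    {"user_id": 103, "action": "deactivate_user", "at": "2022-08-10T08:00:00"},
    {"user_id": 104, "action": "suspend_user", "at": "2022-08-11T08:00:00"},
]
USERS = {
    101: {"active": True, "last_seen": "2022-09-20T14:30:00"},
    102: {"active": True, "last_seen": "2022-09-19T11:00:00"},
    103: {"active": False, "last_seen": "2022-08-09T07:00:00"},
    104: {"active": True, "last_seen": "2022-08-10T07:00:00"},
}

# Only these logged actions change the activation flag; others (check_email, ...) are ignored.
STATE_ACTIONS = {"deactivate_user", "activate_user"}


def find_silent_reactivations(staff_log, users):
    """Return users deactivated by staff who are active again with no logged activation."""
    last_change = {}
    for entry in sorted(staff_log, key=lambda e: datetime.fromisoformat(e["at"])):
        if entry["action"] in STATE_ACTIONS:
            last_change[entry["user_id"]] = entry  # later entries overwrite earlier ones

    findings = []
    for user_id, entry in sorted(last_change.items()):
        user = users.get(user_id)
        if user is None or entry["action"] != "deactivate_user" or not user["active"]:
            continue  # unknown user, staff reactivated them, or still deactivated
        deactivated_at = datetime.fromisoformat(entry["at"])
        last_seen = datetime.fromisoformat(user["last_seen"])
        findings.append({
            "user_id": user_id,
            "deactivated_at": entry["at"],
            # True means the account has been used since staff deactivated it.
            "seen_after_deactivation": last_seen > deactivated_at,
        })
    return findings


if __name__ == "__main__":
    for finding in find_silent_reactivations(STAFF_LOG, USERS):
        print(finding)
```

A finding here is consistent with the user re-confirming through the activation email, which leaves no staff action log entry; accounts that must stay locked out are candidates for suspension instead.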

Mystery solved! Thanks, Simon. You can close this thread.

