Deactivated users are sometimes not being deactivated

I haven’t found a way to reproduce this issue, but over the past month I’ve noticed two instances where a user was supposedly deactivated (as seen from the staff action logs) but not actually deactivated (the user could still log in).

For example, this one was “deactivated” 29 days ago, but was able to send me a private message today (the only other staff actions after the deactivation are “check email”)

This is the other one (a different staff member was able to “deactivate” the same user again 4 hours later without a previous reactivation):

I’m on 2.9.0.beta9

This issue is still ongoing (it happens several times a month). Has anyone else noticed it?

This is the controller code

The StaffActionLogger is working correctly, but I’m wondering if something in the User.deactivate method might be failing.

What the errors have in common is that they’re coming from API requests. This is what I typically use:

PUT https://<MY_SITE>/admin/users/<USER_ID>/deactivate


data: {context":"/admin/users/<USER_ID>/<USER_NAME>"}

I always get “success: OK”

Is there any other log I could check out or thing I could try?

I’m on 2.9.0.beta11