I haven’t found a way to reproduce this issue, but over the past month I’ve noticed two instances where a user was supposedly deactivated (as seen from the staff action logs) but not actually deactivated (the user could still log in).
For example, this one was “deactivated” 29 days ago, but was able to send me a private message today (the only other staff actions after the deactivation are “check email”).
This is the other one (a different staff member was able to “deactivate” the same user again 4 hours later without a previous reactivation):
I’m on 2.9.0.beta9
This issue is still ongoing (it happens several times a month). Has anyone else noticed it?
This is the controller code:

    def activate
      guardian.ensure_can_activate!(@user)
      # ensure there is an active email token
      @user.email_tokens.create!(email: @user.email, scope: EmailToken.scopes[:signup]) if !@user.email_tokens.active.exists?
      @user.activate
      StaffActionLogger.new(current_user).log_user_activate(@user, I18n.t('user.activated_by_staff'))
      render json: success_json
    end

    def deactivate
      guardian.ensure_can_deactivate!(@user)
      @user.deactivate(current_user)
      StaffActionLogger.new(current_user).log_user_deactivate(@user, I18n.t('user.deactivated_by_staff'), params.slice(:context))
      refresh_browser @user
      render json: success_json
    end

    def silence
      guardian.ensure_can_silence_user! @user
The StaffActionLogger is working correctly, but I’m wondering if something in the User.deactivate method might be failing.
What the errors have in common is that they’re coming from API requests. This is what I typically use:
    PUT https://<MY_SITE>/admin/users/<USER_ID>/deactivate
    Api-Username: <ADMIN_USER>
    Api-Key: <KEY>
    data: {"context":"/admin/users/<USER_ID>/<USER_NAME>"}
I always get “success: OK”
Is there any other log I could check out or thing I could try?
I’m on 2.9.0.beta11
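
The mismatch described in this thread (a logged deactivation with the user still active, or a second deactivation logged with no reactivation in between) can be checked for by reconciling an export of staff action logs against user records. This Ruby sketch is an added example, not part of the original posts or Discourse's code; the JSON field names, action names and sample records are constructed assumptions.

```ruby
require "json"
require "time"

# Constructed sample data (not from the thread). Field and action names are
# assumptions about what an export of staff action logs and users looks like.
STAFF_LOG_JSON = <<~JSON
  [
    {"action_name": "deactivate_user", "target_user_id": 101, "created_at": "2022-06-01T10:00:00Z"},
    {"action_name": "check_email",     "target_user_id": 101, "created_at": "2022-06-02T09:00:00Z"},
    {"action_name": "deactivate_user", "target_user_id": 102, "created_at": "2022-06-03T08:00:00Z"},
    {"action_name": "deactivate_user", "target_user_id": 102, "created_at": "2022-06-03T12:00:00Z"},
    {"action_name": "deactivate_user", "target_user_id": 103, "created_at": "2022-06-04T08:00:00Z"},
    {"action_name": "activate_user",   "target_user_id": 103, "created_at": "2022-06-05T08:00:00Z"},
    {"action_name": "deactivate_user", "target_user_id": 104, "created_at": "2022-06-06T08:00:00Z"}
  ]
JSON

USERS_JSON = <<~JSON
  [{"id": 101, "active": true}, {"id": 102, "active": true},
   {"id": 103, "active": true}, {"id": 104, "active": false}]
JSON

# Only these log actions change the account's active flag; others are ignored.
STATE_ACTIONS = %w[deactivate_user activate_user].freeze

# Returns one hash per user whose most recent state-changing log entry is a
# deactivation while the user record still says active.
def find_deactivation_mismatches(log_entries, users)
  active_by_id = users.to_h { |u| [u["id"], u["active"]] }
  log_entries.group_by { |e| e["target_user_id"] }.filter_map do |user_id, entries|
    changes = entries.select { |e| STATE_ACTIONS.include?(e["action_name"]) }
                     .sort_by { |e| Time.iso8601(e["created_at"]) }
    # Skip users whose last state change was not a deactivation.
    next if changes.empty? || changes.last["action_name"] != "deactivate_user"
    next unless active_by_id[user_id] # really inactive (or unknown): consistent
    # Two deactivations in a row means the first one did not take effect.
    repeated = changes.each_cons(2).any? do |pair|
      pair.all? { |c| c["action_name"] == "deactivate_user" }
    end
    { user_id: user_id, logged_at: changes.last["created_at"], repeated_deactivation: repeated }
  end
end

mismatches = find_deactivation_mismatches(JSON.parse(STAFF_LOG_JSON), JSON.parse(USERS_JSON))
puts JSON.pretty_generate(mismatches)
```

Running a check like this on a schedule gives a timestamped list of affected accounts to correlate with the API requests that issued the deactivations.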