How do I preserve an account, but prevent them from logging in?

(Lisa Wess) #1

Can someone give me a run-down on what deactivating an account does? Do they stick around forever? (I need them to). Trying to figure out if I need to do 99999999999999 day suspensions or if Deactivating will work for us.

Thank you!

(Jeff Atwood) #2

Deactivate means we treat the user as if they are a new account signup who has not validated their email. Not exactly sure what the consequences are for SSO, though.

(Lisa Wess) #3

Do these get periodically purged? What if the person has many posts?

(Jeff Atwood) #4

Not sure, but I doubt it gets purged. Can I get some more details on the goal here? Maybe a real world example?

(Lisa Wess) #5

We use the forums for support. We have fantastic retention but occasionally a staff member leaves and has some or many posts. We need those posts in place but also need to stop the user from logging in and gaining access to our closed forums that contain confidential information.

On top of that we have some special functionality with a bot that alerts us to posts where the last poster was not staff (unless a button created with a plugin is clicked) - so we need to keep that account in the group. Same for reporting…

Make sense?

(Felix Freiberger) #6

Deactivating might also be the right thing to archive old discussions: I believe that deactivated users never get mail notifications (at least they should not), are not purged if they ever were activated, and have no way to ever activate the account again in a SSO context if the SSO provider denies them access.

Love the "Anonymize User" feature - thanks!
(Lisa Wess) #7

Yes, exactly!

These are the things I need confirmed - especially the potential for account removal.

(cpradio) #8

Can you create a psuedo account for yourself to test this with? Seems like the easiest solution to me, but maybe it isn’t…

(Kane York) #9

In that case, you need to suspend the user. Suspension keeps the account around, but blocks them from logging in.

Enter a message like, “No longer employed” etc.

(Jeff Atwood) #10

Forcing unvalidated would also work though since they cannot log in, as their account is not email validated. Not totally sure of the SSO effects here, you would need to test your hypothesis @lisajill but my suspicion is, it will work.

(Lisa Wess) #11

I’m not worried about SSO with the account. But given that I don’t know if they’ll get auto deleted, if that’s true with posts, and how long after de-acivation that will happen… it appears that @riking’s way is the way to go.

It would be great to have some clear documentation in the specifics of how those two functionalities work.

(Lisa Wess) #12

Not really since I’d have no idea when to expect any sort of action. Should I watch this pseudo account for a day? Week? Month? Year?

If I read code I’d go look up what it says. Instead I’d love for someone to tell me what the expected behavior of deactivated accounts is for users with many posts that were activated for some time.

(Lisa Wess) #13

Also no matter what I put this looks bad:

This user is suspended until August 9, 2289 7:32am.
Reason: Account no longer in use

Because of the lack of public messaging deactivation is still a preference. My original title ( :wink: ) & question still stand.

(Felix Freiberger) #14

The interesting edge case is whether they are deleted after purge unactivated users grace period days, which is a site setting that defaults to 7 days.

I have disabled my test account, let’s see what happens. I’d expect the account not to be deleted.

(Felix Freiberger) #15

After fiddling with this site setting and kicking of the PurgeInactive job, I can confirm that accounts that were activated once but have been disabled by an admin can be deleted automatically, at least when they have no posts.

I really dislike this behavior.

This is the relevant code:

It looks like deletion could be skipped if there are posts by this user, but I have not confirmed this yet:

(Lisa Wess) #16

Thank you for testing this. I can not say enough how grateful I am.

I’ve moved to suspending but because of the public nature of that it is a very bad fit for our company.

So I guess a feature request: We need a way to have a non-public way to stop account usage but preserve the post history while also taking the user out of their previously joined groups.

(Jeff Atwood) #17

Does this really apply to you? Do the accounts in question have no posts?

(Lisa Wess) #18

The accounts in question do have posts. In one case many, many posts. We are using suspensions until there is a better solution.

(Jeff Atwood) #19

I do not think that is necessary. Discourse will never remove an account with posts.

(Lisa Wess) #20

Thank you. This entire thread has been me trying to get exactly that information. Ready for closure.