I have tested login for migrated accounts. In particular, testspot-b

If I click login and enter either the username or the email and send me a login link, it does and the link works.

If I click login and enter the email and “I have forgotten my password”, it sends me a password change link and the link works.

Both of these depend on the email account being valid and current and available to the user.

If the user can’t access their old email address they’ll ask the admin to change it to a new email address.

The admin user change email address sends a link to the new email address asking for verification.

Clicking that doesn’t work:

Access Denied
while trying to load /u/confirm-new-email/49469ffdf85340ec87c31b0979bf84a2.json
You’re not allowed to view that.

Can anyone suggest a way forward?

If the user is a staff member (admin or moderator): for security, Discourse requires verification from both the old and new email addresses. If the user cannot access their old email, the confirmation flow breaks and causes permission issues such as the one you described.

If the user is not a staff member: as an admin, you should be able to change their email directly from the user’s preference page, and only the new address should be sent a confirmation.

Try below:

• Temporarily remove admin and moderator privileges from their account.
• Change their email using the same preference page method as above.
• After the email address change is fully verified and functional, restore their staff privileges.

Thank you jahan_gagan,

Here’s the permissions on the account I’m testing with. Not an admin, not a moderator, activated.

Permissions

Activated

Yes

A deactivated user must re-validate their email.

Staged?

No

A staged user can only post via email in specific topics.

Active API Keys

0

Manage Keys

Admin?

No

Moderator?

No

Trust Level

Suspended?

No

A suspended user can’t log in.

Silenced?

No

A silenced user can’t post or start topics.

It sounds like the email is received () but the link in it doesn’t function properly when clicked.

Could they try copying and pasting that link into a private/incognito browser and see if that helps?

Thank you, that worked. I presume a cookie or cache entry from a previous login may have upset the process, or maybe I failed to log out properly.

That’s what I suspect.