Staff cannot manually activate invited accounts after 48 hours has elapsed


(Steve Pavlina) #1

I had this potential bug come up twice so far.

A user registers for my forum (which is private and invite only), gets the activation email, activates their account, logs in, posts for a while, and then takes a break for a few weeks.

When they try to login again, they get an error message like this:

You can’t log in yet. We previously sent an activation email to you at youremail@domain.com. Please follow the instructions in that email to activate your account.

At this point they’re stuck. They can’t login. Reactivating via the previously sent activation email that they’ve already used doesn’t work. And if I go to their user page, it shows that their account is already approved. If I manually deactivate and reactivate it, that doesn’t let them login either.

This has happened to two different users on our forums so far. Once they’re frozen out, the problem occurs across different browsers and devices, so it doesn’t appear to be a caching issue. We also ruled out any sort of ad blocker. Seems like a potential bug to me.

Otherwise how do I restore these accounts to active status, so these members can login again? Both are still being prevented from logging in. I’d prefer not to make them new accounts since they’ve already set up profiles and posted under the old accounts.

This is with version v1.9.0.beta4 +52 from a few days ago. But it started happening a few weeks earlier.


(Jeff Atwood) #2

I am not aware of any way an active, validated account could become automatically deactivated. There is no support for this in Discourse to my knowledge.

Are you running any custom plugins or custom API code?


(Steve Pavlina) #3

No custom plugins or API code. Just a plain vanilla install. There are about 100 registered users, and it’s been working fine for everyone else.

Most of the indicators suggest these two accounts are indeed still active. On the admin side when I look up these users, both accounts show as active, approved, not blocked, not suspended, and not staged.

When I use the Impersonate feature on the admin side, I’m able to get into both of these accounts no problem.

One user made 3 posts, and the other made 7 posts, and both have read more than 100 posts, so they were both definitely active in the forums before Discourse started locking them out for some reason.

If either user tries to reactivate their account, they get a message saying it’s already active. But when they try to login normally, it tells them they still need to activate it. So it looks like something is falsely triggering this error message when they try to login. The only thing they seem to have in common is that they both took a break from visiting the forums for a while, roughly two weeks for one of them and I’m not sure how long for the other. So if this is a bug, it may have something to do with that. I noticed when I impersonated one account, it showed a message noting that I’d been away for a while.

Resetting the password doesn’t seem to work either.

In the short term, any ideas on what I can do to allow these users to login again? Both are currently still locked out. I could create new accounts for them, but that seems a bit lame since they already made posts with these.


(Jeff Atwood) #4

Still seems very odd, we’d have dozens of reports of this if it was a systemic problem. @techAPJ can you have a look? And @Steve_Pavlina can you provide access via PM for Arpit?


(Steve Pavlina) #5

Sure thing. I just PM’d him.


(Benjamin Mosior) #7

I’m hoping this is signal and not noise, but I encountered something similar-ish in a private, invite-only forum, running version v1.9.0.beta4 +56.

A user received an invitation email and was able to create an account, but when they attempted to access the forum, they encountered the message mentioned above:

I deactivated and manually reactivated their account (skipping email activation), which resolved the issue for them.

I don’t have enough information to call this a reproduction, but I offer it just as an anecdote.


(Jeff Atwood) #8

What are the repro steps?


(Arpit Jalan) #9

I can repro the issue described by @Steve_Pavlina and @Benjamin_Mosior.

Here are the repro steps:

  • Invite a user to forum
  • User accepts the invite, but does not click on reset password email or activate account email link
  • User now has “active” account on forum, but the account is actually not active because email is not confirmed yet
  • When user tries to login, they get “account not activated” error

Now, there is an additional issue here which @Steve_Pavlina is facing:

This is because of this logic, specifically:

 if email_token = self.email_tokens.active.first

We are only confirming active email tokens (by default: created in last 48 hours), so if the Admin tries to manually deactivate/activate the account after 48 hours the older email tokens are not getting confirmed, only the active field in user account is set to true.

But when user is trying to login, we are checking if user has any email token present, and if present, one of them must be confirmed. So there is a divergence here.

Since this fix involves changes in login related code path, I need to look more into it (and confirm) before suggesting a fix.


Kudos to @Steve_Pavlina for his indispensable support to help me repro this issue. :+1:
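
The divergence described in post #9, modeled as a small stand-alone Ruby sketch. This is an added example, not Discourse source code and not part of the original post; the class, the method names and the "consistent" variant are assumptions made for illustration.

```ruby
# Added illustration: every name here is hypothetical, not Discourse's own code.
TOKEN_WINDOW = 48 * 3600 # seconds; "by default: created in last 48 hours"

EmailToken = Struct.new(:created_at, :confirmed)

class InvitedUser
  def initialize
    @active = false
    @email_tokens = []
  end

  # Records a new, unconfirmed email token and returns it.
  def issue_token(at)
    EmailToken.new(at, false).tap { |t| @email_tokens << t }
  end

  # Tokens still inside the validity window at time `now`.
  def active_tokens(now)
    @email_tokens.select { |t| now - t.created_at <= TOKEN_WINDOW }
  end

  # Admin path as described in the thread: the active flag is always set,
  # but a token is confirmed only if one is still inside the window.
  def admin_activate_as_described(now)
    token = active_tokens(now).first
    token.confirmed = true if token
    @active = true
  end

  # One way to keep both checks in agreement (an assumption, not the fix
  # referenced in the thread): issue a fresh token when none is in the window.
  def admin_activate_consistent(now)
    token = active_tokens(now).first || issue_token(now)
    token.confirmed = true
    @active = true
  end

  # Login path as described: if any token exists, one must be confirmed.
  def can_log_in?
    @active && (@email_tokens.empty? || @email_tokens.any?(&:confirmed))
  end
end

# Constructed scenario: the invite is accepted at t0, the email is never
# confirmed, and an admin activates the account `hours` later.
def scenario(hours, activation)
  t0 = Time.at(0)
  user = InvitedUser.new
  user.issue_token(t0)
  user.public_send(activation, t0 + hours * 3600)
  user.can_log_in?
end
```

`scenario(72, :admin_activate_as_described)` reproduces the stuck state: the account is flagged active while the login check still fails.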


(Arpit Jalan) #10

Resetting the password should work actually, because after successful password reset there will be a confirmed email token present for that user.

Can you ask the user to try resetting their password, and see if that works? If they encounter an error, please forward me the error message/screenshot.


(Arpit Jalan) #11

I see a button in the screenshot: “Resend Activation Email”, did the user click that button to activate their account?

Clicking that button and following activation link should have fixed login issue for that user.


(Jeff Atwood) #12

This seems correct. The only difference is that issuing a password reset or forgot password should work in this case, shouldn’t it?


(Steve Pavlina) #13

I thought we had already tried that, but I’ll ask again to see what happens.


(Arpit Jalan) #14

That is correct, and I verified locally on a copy of Steve’s site that sending forgot password email and following that link (changing password), user is able to regain access to that account.

I provided repro steps just to provide context on how users are ending up with “activated” account, but unable to login the next time they visit. (as described by @Benjamin_Mosior)

There is only one actual issue here, and that is:

So, admins can’t activate the account (read: confirm email) manually and users (or Admin) will need to trigger forgot password email and change the password to regain access to that account.

Also, if the site setting must approve users is disabled, users can simply click on Resend Activation Email button to regain access. Like in the case of @Benjamin_Mosior site.

TL;DR

So the bug here is: Admin can’t activate the user account manually (after 48 hours of account creation) via User Admin page.


(Benjamin Mosior) #15

We did try that, but I think there might have been an unrelated email delivery issue hampering my troubleshooting process with the user, which is why I ended up disabling and manually re-enabling/activating the account. Thanks!


(Jeff Atwood) #16

OK so we should fix that. The user is not blocked, just the admin… the user can simply issue a password reset.


(Steve Pavlina) #17

I also verified that resetting the password does work. I’d thought we’d already tried that, but apparently not. At least overlooking this initially helped identify an actual bug.

What I’m confused about is that if these users didn’t complete all the steps to activate their accounts (i.e. not clicking a link to verify their email addresses), then how were they both able to post in the forums to begin with? I would think email validation would be required before any new member would be permitted to post.


(Jeff Atwood) #18

Invites let people in immediately so they can post ASAP without interruption. Invites are tied to the account of the person who invited them, and we trust that person, so … it is a less risky relationship than a random new signup.


(Arpit Jalan) #19

Fixed via:

Thanks for reporting this issue @Steve_Pavlina :+1:


(Arpit Jalan) #20