A user registers for my forum (which is private and invite only), gets the activation email, activates their account, logs in, posts for a while, and then takes a break for a few weeks.
When they try to login again, they get an error message like this:
You can’t log in yet. We previously sent an activation email to you at email@example.com. Please follow the instructions in that email to activate your account.
At this point they’re stuck. They can’t login. Reactivating via the previously sent activation email that they’ve already used doesn’t work. And if I go to their user page, it shows that their account is already approved. If I manually deactivate and reactivate it, that doesn’t let them login either.
This has happened to two different users on our forums so far. Once they’re frozen out, the problem occurs across different browsers and devices, so it doesn’t appear to be a caching issue. We also ruled out any sort of ad blocker. Seems like a potential bug to me.
Otherwise how do I restore these accounts to active status, so these members can login again? Both are still being prevented from logging in. I’d prefer not to make them new accounts since they’ve already set up profiles and posted under the old accounts.
This is with version v1.9.0.beta4 +52 from a few days ago. But it started happening a few weeks earlier.
No custom plugins or API code. Just a plain vanilla install. There are about 100 registered users, and it’s been working fine for everyone else.
Most of the indicators suggest these two accounts are indeed still active. On the admin side when I look up these users, both accounts show as active, approved, not blocked, not suspended, and not staged.
When I use the Impersonate feature on the admin side, I’m able to get into both of these accounts no problem.
One user made 3 posts, and the other made 7 posts, and both have read more than 100 posts, so they were both definitely active in the forums before Discourse started locking them out for some reason.
If either user tries to reactivate their account, they get a message saying it’s already active. But when they try to login normally, it tells them they still need to activate it. So it looks like something is falsely triggering this error message when they try to login. The only thing they seem to have in common is that they both took a break from visiting the forums for a while, roughly two weeks for one of them and I’m not sure how long for the other. So if this is a bug, it may have something to do with that. I noticed when I impersonated one account, it showed a message noting that I’d been away for a while.
Resetting the password doesn’t seem to work either.
In the short term, any ideas on what I can do to allow these users to login again? Both are currently still locked out. I could create new accounts for them, but that seems a bit lame since they already made posts with these.
We are only confirming active email tokens (by default: created in last 48 hours), so if the Admin tries to manually deactivate/activate the account after 48 hours the older email tokens are not getting confirmed, only the active field in user account is set to true.
But when user is trying to login, we are checking if user has any email token present, and if present, one of them must be confirmed. So there is a divergence here.
Since this fix involves changes in login related code path, I need to look more into it (and confirm) before suggesting a fix.
Kudos to @Steve_Pavlina for his indispensable support to help me repro this issue.
We did try that, but I think there might have been an unrelated email delivery issue hampering my troubleshooting process with the user, which is why I ended up disabling and manually re-enabling/activating the account. Thanks!
I also verified that resetting the password does work. I’d thought we’d already tried that, but apparently not. At least overlooking this initially helped identify an actual bug.
What I’m confused about is that if these users didn’t complete all the steps to activate their accounts (i.e. not clicking a link to verify their email addresses), then how were they both able to post in the forums to begin with? I would think email validation would be required before any new member would be permitted to post.
Invites let people in immediately so they can post ASAP without interruption. Invites are tied to the account of the person who invited them, and we trust that person, so … it is a less risky relationship than a random new signup.