Change unconfirmed user login behaviour #11375
Merged
Fix #10735
Allow access to account settings, 2FA, authorized applications, and account deletions to unconfirmed and pending users, as well as users who had their accounts disabled. Suspended users cannot update their e-mail or password or delete their account.
Display account status on account settings page, for example, when an account is frozen, limited, unconfirmed or pending review.
After sign-up, log users in straight away and show a simple page that tells them the status of their account with links to account settings and logout, to reduce onboarding friction and allow users to correct wrongly typed e-mail addresses.
Move the final sign-up step of SSO integrations to be the same as above to reduce code duplication.
What are the benefits of this change?
Logging in the user right after sign-up reduces friction and allows users who have mistyped their e-mail to correct the mistake on their own. It also allows them to delete their account right away in case they mistyped their username and want to try again.
Allowing users with disabled login to see the account settings page, 2FA page, sessions and authorized applications allows them to take action in case the problem stemmed from a bad application or unauthorized entry into the account. Allowing them to delete their account complies with the GDPR without having to bother the admin.
Mind that in case of suspended users, allowing them to delete their account would allow them to re-create the same account with the same credentials, so it is still not allowed.
Allowing suspended users to see a more in-depth text (account status) than a mere "Forbidden" error page should lead to fewer misunderstandings, in the same vein that suspended users should be able to view the server rules and privacy policy pages.
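The access rules described in this PR, written up as an added example policy object; this is illustrative code, not the PR's own changes, and the `Account` struct, the action names and the status precedence (suspended before disabled before unconfirmed before pending) are assumptions.

```ruby
# Added example (not code from the PR): encodes the PR's stated rules about which
# account statuses may reach settings/2FA/apps and which may change credentials or
# delete the account. The Account struct and status precedence are assumptions.
Account = Struct.new(:confirmed, :approved, :disabled, :suspended, keyword_init: true)

class AccountAccessPolicy
  # Actions every logged-in user may perform, whatever the account status.
  BASE_ACTIONS = %i[view_settings manage_2fa view_sessions revoke_apps].freeze
  # Actions that change credentials or remove the account.
  SENSITIVE_ACTIONS = %i[change_email change_password delete_account].freeze

  def initialize(account)
    @account = account
  end

  # Derive one status for the status banner on the settings page.
  def status
    return :suspended   if @account.suspended
    return :disabled    if @account.disabled
    return :unconfirmed unless @account.confirmed
    return :pending     unless @account.approved
    :active
  end

  # Suspended users may still inspect settings, sessions and apps, but must not
  # change e-mail/password or delete the account: deletion would free the
  # credentials so the same account could be re-created.
  def permits?(action)
    return true if BASE_ACTIONS.include?(action)
    return false unless SENSITIVE_ACTIONS.include?(action)
    status != :suspended
  end

  def permitted_actions
    (BASE_ACTIONS + SENSITIVE_ACTIONS).select { |a| permits?(a) }
  end

  # Text shown on the settings page instead of a bare "Forbidden" error.
  def status_message
    {
      suspended:   'Your account is suspended. You can review sessions and apps but not change credentials or delete the account.',
      disabled:    'Login to this account is disabled. You can still manage security settings or delete the account.',
      unconfirmed: 'Please confirm your e-mail address. You can correct it in account settings.',
      pending:     'Your account is pending review by the server administrators.',
      active:      'Your account is active.'
    }.fetch(status)
  end
end
```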