This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Admin API cannot create deactivated users #12057

Open
tadzik opened this issue Feb 22, 2022 · 3 comments
Labels
A-Account-Deactivation "Deleting"/"Removing" a user, GDPR erasure (erased) A-Admin-API A-Docs things relating to the documentation T-Task Refactoring, removal, replacement, enabling or disabling functionality, other engineering tasks.

Comments

@tadzik
Contributor

tadzik commented Feb 22, 2022

Description

When using the Admin API to create new users, the deactivated body attribute is ignored. According to the docs, "If unspecified, deactivation state will be left unchanged on existing accounts and set to false for new accounts". It seems like it's set to false for new accounts regardless of what the attribute is set to.

Steps to reproduce

  • Create a new user with the admin API:
    PUT /_synapse/admin/v2/users/@jsmith:server {
        displayname: 'Jacob Smith',
        password: 'hello.code.reviewer',
        deactivated: true
    }
  • The response indicates that the user is not deactivated, contrary to what was requested:
    {
      name: '@jsmith:server',
      is_guest: 0,
      admin: 0,
      consent_version: null,
      consent_server_notice_sent: null,
      appservice_id: null,
      creation_ts: 1645530918,
      user_type: null,
      deactivated: 0,
      shadow_banned: 0,
      displayname: 'Jacob Smith',
      avatar_url: null,
      threepids: [],
      external_ids: []
    }

  • The user can log in, even though they shouldn't be able to.

It'd be fair if that option was unsupported during user creation, but the docs don't indicate that it is. It should either work as expected, or be documented (and preferably return a 400 when used) not to.

Version information

Synapse 1.51.0 running under docker with homerunner.

@erikjohnston erikjohnston added A-Docs things relating to the documentation T-Task Refactoring, removal, replacement, enabling or disabling functionality, other engineering tasks. labels Feb 23, 2022
@erikjohnston
Member

Updating the docs is probably the easiest here.

Is there a use case for creating users that are deactivated?

@tadzik
Contributor Author

tadzik commented Feb 23, 2022

SCIM allows it, so a SCIM->Synapse gateway needs to support it. It can do it in two steps though, it's not a big deal :)
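
The two-step approach mentioned in the comment above, as an added example (not code from Synapse or from anyone in this thread): a provisioning gateway checks the deactivated field in the response and fails closed if the requested state was not applied. FakeSynapse is a constructed stand-in that reproduces the reported behaviour, and provision and the injected put callable are hypothetical names; no password is set in this example.

```python
from urllib.parse import quote


class FakeSynapse:
    """Constructed stand-in for the Admin API that reproduces the behaviour
    reported in this issue: `deactivated` is ignored when the PUT creates a user."""

    def __init__(self):
        self.users, self.calls = {}, 0

    def put(self, path, body):
        self.calls += 1
        user = self.users.get(path)
        if user is None:
            # New account: the flag is dropped, as in the response shown above.
            user = self.users[path] = {"displayname": body.get("displayname"),
                                       "deactivated": 0}
        elif "deactivated" in body:
            # Existing account: the flag is honoured.
            user["deactivated"] = int(bool(body["deactivated"]))
        return dict(user)


def provision(put, user_id, scim_user):
    """Create a user from a SCIM resource and enforce its `active` state.

    `put(path, body) -> dict` is a hypothetical transport callable returning
    the decoded JSON response. Raises instead of reporting success when the
    server's reported state does not match the requested one.
    """
    want_deactivated = not scim_user.get("active", True)
    path = "/_synapse/admin/v2/users/" + quote(user_id, safe="@:")
    resp = put(path, {"displayname": scim_user.get("displayName"),
                      "deactivated": want_deactivated})
    if bool(resp.get("deactivated")) != want_deactivated:
        # Step two: the account now exists, so resend only the state change.
        resp = put(path, {"deactivated": want_deactivated})
    if bool(resp.get("deactivated")) != want_deactivated:
        raise RuntimeError(f"{user_id}: deactivated state not applied")
    return resp


if __name__ == "__main__":
    server = FakeSynapse()
    result = provision(server.put, "@jsmith:server",
                       {"displayName": "Jacob Smith", "active": False})
    print(result, "requests sent:", server.calls)
```
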

@anoadragon453 anoadragon453 changed the title Admin API does cannot create deactivated users Admin API cannot create deactivated users Mar 6, 2022
@hex-m

hex-m commented Jan 30, 2023

I just read the news that GitLab supports SCIM now and came here because we have exactly those problems with our Synapse instances.

@MadLittleMods MadLittleMods added the A-Account-Deactivation "Deleting"/"Removing" a user, GDPR erasure (erased) label Apr 3, 2023