Set user account inactive

Is it possible to set a user’s account to be inactive? That is, they cannot log in to their account until it is again set to active.

You can add an active attribute to the user profile when you create a new user:

var user = {
    email: email,
    password: password,
    profile : {
        active: false
    }
};

Accounts.createUser(user);

And now you can check if the user profile is active on sign-in.

1 Like

Good suggestion by @krevativ to have an active flag. You may also be interested in other metadata such as when the user was marked inactive and the reason for it, so an active object may be more useful depending on your needs. Another common requirement is a history log but that could be a separate field if needed.

NOTE: Be sure to put the active field on the root user object rather than in the user profile. Profile is writeable by default so only things that the user should be able to modify like name, fav color scheme, etc. should go there.

Switching gears a bit, an alternative way to control access is to use the roles package for authorization. Not sure if it would be useful in your situation but wanted to suggest it just in case.

@alanning Good point! I didn’t know that you can create new fields on a root level. Are you sure about this? Need to test it later, but if it works then it definitely needs to be placed there.

Yep! It works. In fact, I never use the profile field and remove it during account creation.

There is also an official discussion started by MDG about removing the profile field.

@alanning, that’s a good idea because I am already using the roles package. This seemed to work

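Accounts.validateLoginAttempt(function(attempt) {
  // attempt.user is undefined when no matching user was found
  if(attempt.user && Roles.userIsInRole(attempt.user._id, ['inactive'])) {
    // Throwing aborts the login and reports this error to the client
    throw new Meteor.Error(403, "User account is inactive!");
  }
  return true;
});

1 Like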

But when a user’s status is set to inactive, how do you log out the client from the server?

So I just implemented a ‘disabled’ state lately on my user accounts. This should be of use to you.

server/methods/user.js

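Meteor.methods({
  setUserDisableState: function (userId, state) {
    // Reject anything but a string id so a client cannot pass a Mongo
    // selector object (requires the check package)
    check(userId, String);

    var loggedInUserId = Meteor.userId();

    // PermissionMap is this app's own helper; only permitted callers may proceed
    if (!PermissionMap.Users.Invite.checkRole(loggedInUserId)) {
      throw new Meteor.Error(403, "Access denied");
    }

    if (state) {
      Meteor.users.update({ _id: userId }, { $set: { 'disabled': state }});

      // Logout user: clearing the resume tokens ends existing sessions
      Meteor.users.update({ _id: userId }, {$set: { "services.resume.loginTokens" : [] }});
    } else {
      Meteor.users.update({ _id: userId }, { $unset: { 'disabled': '' }});
    }
  }
});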

server/users/on_login.js

Accounts.validateLoginAttempt(function(attemptObj) {
  if (attemptObj.user && attemptObj.allowed && attemptObj.user.disabled) {
    throw new Meteor.Error(403, "Your account is disabled.");
  }

  return true;
});

Hope this helps.

6 Likes

Haven’t tested it yet, but this might help:

Meteor.users.update({
  $or: [
    { 'profile.active': false },
    { 'profile.active': { $exists: false } }
  ]
}, {
  // Login tokens are stored under services.resume on the user document
  $set: { "services.resume.loginTokens": [] }
}, { multi: true });

Hi,
Could someone suggest a way to activate/deactivate a user account based on calendar dates?
Something like you could click on dates on calendar to enable/disable the account on a particular date?
Thanks

@vishi, you could save an entry in their profile as an object

accountDetails: {
  deactivated: true,
  deactivateOn: ISODate(...)
}

Then you could use that on the Accounts.validateLoginAttempt

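Accounts.validateLoginAttempt(function(attempt) {
  // attempt.user is undefined when no matching user was found
  var active = attempt.user && attempt.user.accountDetails;
  if(active && active.deactivated) {
    var now = new Date();
    if(now >= active.deactivateOn) {
      // A falsy return value aborts the login
      return false;
    }
  }
  // The callback must return a truthy value for the login to proceed
  return true;
});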

Thanks for your response. However, how would I be able to map it on a calendar datepicker? How can I keep track of the dates the user was enabled and the dates the account was disabled on a calendar UI?
Ultimately what I want is an ability for a manager (role) to be able to view and activate or deactivate a user under him by clicking dates on a datepicker calendar.
Thanks

Sure, just use autoform with datepicker and push it to the model on submission.

Using roles to disable users is a great idea, thanks @alanning

Interesting way of logging out! Thanks for sharing!
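
The checks discussed in this thread combined into one testable decision function, as an added example that is not from any poster. The names loginDecision, disableModifier and the disabledPeriods field are hypothetical, and treating a missing deactivateOn date as "disabled now" is an assumption.

```javascript
// Field names `disabled` and `accountDetails` come from the thread;
// `disabledPeriods` is a hypothetical root-level field for calendar ranges.
var DENY = { allowed: false, reason: 'Your account is disabled.' };

function loginDecision(user, now) {
  // No user document: the attempt already failed upstream, nothing to add.
  if (!user) return { allowed: true };

  // Only root-level fields are trusted. user.profile is client-writable by
  // default, so any flag stored there is deliberately ignored.
  if (user.disabled) return DENY;

  // Scheduled deactivation. A missing date is treated as "disabled now"
  // (assumption: fail closed rather than open).
  var d = user.accountDetails;
  if (d && d.deactivated &&
      (d.deactivateOn == null || now >= new Date(d.deactivateOn))) {
    return DENY;
  }

  // Each period is { from, to }; a missing `to` means open-ended.
  var periods = Array.isArray(user.disabledPeriods) ? user.disabledPeriods : [];
  var blocked = periods.some(function (p) {
    return now >= new Date(p.from) && (p.to == null || now < new Date(p.to));
  });
  return blocked ? DENY : { allowed: true };
}

// Mongo modifier for disabling an account: record when and why on the root
// document and clear resume tokens so existing sessions end.
function disableModifier(reason, now) {
  return {
    $set: {
      disabled: { since: now, reason: reason },
      'services.resume.loginTokens': []
    }
  };
}

// Wiring on a Meteor server (shown for context, not executed here):
//   Accounts.validateLoginAttempt(function (attempt) {
//     var r = loginDecision(attempt.user, new Date());
//     if (!r.allowed) throw new Meteor.Error(403, r.reason);
//     return true;
//   });
//   Meteor.users.update({ _id: userId }, disableModifier(reason, new Date()));
```

Keeping the decision separate from the hook means the date and flag logic can be unit-tested without a running Meteor server.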