Skip to content

User account audit: announce restoration, then prune never-logged-in accounts #300

Description

@DominicBM

Background

The analytics dashboard was effectively non-functional from July 2023 until the recent GA4 migration. Many hub partner accounts were created during that period or before it and have never been used. Now that the dashboard is working again, we need to re-engage all account holders and then clean up any accounts that remain dormant.

Proposed Sequence

Step 1 — Mass announcement email

Send an email to every account holder announcing:

  • The dashboard has been restored and is showing real data again
  • What was broken and what was fixed (brief summary)
  • What data is now available and how to log in
  • A deadline (TBD — suggest 60–90 days from send date) after which accounts that have never been logged into will be deactivated
  • Contact address for questions or to request reactivation after the deadline

The user list can be pulled from the Rails console or a one-off rake task:

User.order(:hub, :email).pluck(:email, :hub, :last_sign_in_at, :sign_in_count)

Step 2 — Prune never-logged-in accounts after the deadline

After the deadline passes, disable or delete accounts where sign_in_count = 0 (Devise :trackable records this). Accounts where sign_in_count > 0 but last_sign_in_at predates the announcement are still active users — do not prune those.

A safe approach is to disable rather than delete: add an active boolean to the users table (default true), check it in the Devise active_for_authentication? override, and set it to false for pruned accounts. This avoids data loss and allows easy reactivation on request.

Alternatively, if we prefer a simpler path with no schema change, we can use Devise's built-in :lockable module (add locked_at column) to lock inactive accounts, which can be unlocked individually via admin or email.

Step 3 — Ongoing hygiene

Consider a policy going forward: accounts that have never logged in within N days of creation are automatically deactivated. This prevents stale account accumulation if the dashboard ever goes quiet again.

Decision Needed

  • Confirm the deadline to include in the email (60 days? 90 days?)
  • Confirm the pruning strategy (disable vs. delete vs. Devise :lockable)
  • Confirm who drafts and sends the email, and from what address
  • Decide whether to build an admin UI for account management or handle via console/rake task

/cc @megannp4

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions