🐛 fix unknown user id on deactivated event

no issue

- if you delete an active user, Ghost logs an error message (Ghost does not crash!)
- but the event logic is not triggered, that means we don't delete the users tokens
- token deletion happens on: suspend a user and delete a user

core/server/models/base/listeners.js

@@ -20,9 +20,14 @@ events.on('token.added', function (tokenModel) {
 /**
  * WHEN user get's suspended (status=inactive), we delete his tokens to ensure
  * he can't login anymore
+ *
+ * NOTE:
+ *   - this event get's triggered either on user update (suspended) or if an **active** user get's deleted.
+ *   - if an active user get's deleted, we have to access the previous attributes, because this is how bookshelf works
+ *     if you delete a user.
  */
 events.on('user.deactivated', function (userModel) {
-    var options = {id: userModel.id};
+    var options = {id: userModel.id || userModel.previousAttributes().id};
 
     models.Accesstoken.destroyByUser(options)
         .then(function () {

core/test/functional/routes/api/users_spec.js

@@ -12,7 +12,7 @@ describe('User API', function () {
         authorAccessToken = '',
         editor, author, ghostServer, inactiveUser;
 
-    before(function (done) {
+    beforeEach(function (done) {
         // starting ghost automatically populates the db
         // TODO: prevent db init, and manage bringing up the DB with fixtures ourselves
         ghost().then(function (_ghostServer) {
@@ -63,7 +63,7 @@ describe('User API', function () {
         }).catch(done);
     });
 
-    after(function () {
+    afterEach(function () {
         return testUtils.clearData()
             .then(function () {
                 return ghostServer.stop();
@@ -433,6 +433,34 @@ describe('User API', function () {
                     });
             });
         });
+
+        describe('Destroy', function () {
+            it('[success] Destroy active user', function (done) {
+                request.delete(testUtils.API.getApiQuery('users/' + editor.id))
+                    .set('Authorization', 'Bearer ' + ownerAccessToken)
+                    .expect(204)
+                    .end(function (err) {
+                        if (err) {
+                            return done(err);
+                        }
+
+                        done();
+                    });
+            });
+
+            it('[failure] Destroy unknown user id', function (done) {
+                request.delete(testUtils.API.getApiQuery('users/' + ObjectId.generate()))
+                    .set('Authorization', 'Bearer ' + ownerAccessToken)
+                    .expect(403)
+                    .end(function (err) {
+                        if (err) {
+                            return done(err);
+                        }
+
+                        done();
+                    });
+            });
+        });
     });
 
     describe('As Editor', function () {