FIX: Store user's id instead for sending activation email.

* Email and username are both allowed to be used for logging in.
  Therefore, it is easier to just store the user's id rather than
  to store the username and email in the session.

app/controllers/users_controller.rb

@@ -567,21 +567,21 @@ class UsersController < ApplicationController
       RateLimiter.new(nil, "activate-min-#{request.remote_ip}", 6, 1.minute).performed!
     end
 
-    if (current_user && !current_user.staff?) ||
-       (params[:username] != session[SessionController::ACTIVATE_USER_KEY])
-
-      raise Discourse::InvalidAccess
-    end
-
     @user = User.find_by_username_or_email(params[:username].to_s)
 
     raise Discourse::NotFound unless @user
 
+    if (current_user && !current_user.staff?) ||
+        @user.id != session[SessionController::ACTIVATE_USER_KEY]
+
+      raise Discourse::InvalidAccess
+    end
+
     session.delete(SessionController::ACTIVATE_USER_KEY)
 
     if @user.active
       render_json_error(I18n.t('activation.activated'), status: 409)
-    elsif @user
+    else @user
       @email_token = @user.email_tokens.unconfirmed.active.first
       enqueue_activation_email
       render nothing: true