diff --git a/app/assets/javascripts/discourse/templates/account-created/index.hbs b/app/assets/javascripts/discourse/templates/account-created/index.hbs index ca16f10e43f..8c9babb1f98 100644 --- a/app/assets/javascripts/discourse/templates/account-created/index.hbs +++ b/app/assets/javascripts/discourse/templates/account-created/index.hbs @@ -1,7 +1,7 @@
{{{accountCreated.message}}}
-{{#if accountCreated.username}} +{{#if accountCreated.show_controls}} {{activation-controls sendActivationEmail=(action "sendActivationEmail") editActivationEmail=(action "editActivationEmail")}} {{/if}} diff --git a/app/assets/javascripts/discourse/templates/components/activation-controls.hbs b/app/assets/javascripts/discourse/templates/components/activation-controls.hbs index ccf263ad033..0b94c0ef944 100644 --- a/app/assets/javascripts/discourse/templates/components/activation-controls.hbs +++ b/app/assets/javascripts/discourse/templates/components/activation-controls.hbs @@ -1,7 +1,10 @@ -{{d-button action=sendActivationEmail - label="login.resend_title" - icon="envelope" - class="btn-primary resend"}} +{{#unless siteSettings.must_approve_users}} + {{d-button action=sendActivationEmail + label="login.resend_title" + icon="envelope" + class="btn-primary resend"}} +{{/unless}} + {{d-button action=editActivationEmail label="login.change_email" icon="pencil" diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index f6b09ca6a8b..b41acf4597d 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -537,12 +537,16 @@ class UsersController < ApplicationController @custom_body_class = "static-account-created" @message = session['user_created_message'] || I18n.t('activation.missing_session') - @account_created = { message: @message } + @account_created = { + message: @message, + show_controls: false + } if session_user_id = session[SessionController::ACTIVATE_USER_KEY] if user = User.where(id: session_user_id.to_i).first @account_created[:username] = user.username @account_created[:email] = user.email + @account_created[:show_controls] = true end end 
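Review bot: The `{{#unless siteSettings.must_approve_users}}` wrapper hides only the resend button; the `editActivationEmail` button directly below it stays visible under the same setting, and nothing in this diff shows the change-email endpoint being gated the way `send_activation_email` now is. If changing the address is meant to keep working while approval is pending, say so in the template so the next reader does not treat it as an oversight, e.g. `{{!-- resend is rejected server-side under must_approve_users; changing the email is still allowed --}}`. Either way the `unless` is only a UX nicety: the 403 in the controller is the control that matters, so a client that renders the button anyway still cannot send.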
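Review bot: `show_controls` becomes true whenever the session's `ACTIVATE_USER_KEY` resolves to a user, but the rule that flag encodes — the resend/edit controls are offered only to the account created in this session — is not stated anywhere near it, and the client template now keys off it instead of `username`. A short comment above the `if session_user_id = session[...]` branch would make that explicit, e.g. `# Only the account created in this session gets the activation controls; send_activation_email enforces the same session binding.` The `must_approve_users` gate is deliberately not folded into this flag (presumably so the change-email control stays available in that mode); if that is the intent, the comment should say so. The enclosing action starts before and ends after this hunk.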
@@ -618,6 +622,8 @@ class UsersController < ApplicationController RateLimiter.new(nil, "activate-min-#{request.remote_ip}", 6, 1.minute).performed! end + raise Discourse::InvalidAccess.new if SiteSetting.must_approve_users? + if params[:username].present? @user = User.find_by_username_or_email(params[:username].to_s) end @@ -626,7 +632,7 @@ class UsersController < ApplicationController if !current_user&.staff? && @user.id != session[SessionController::ACTIVATE_USER_KEY] - raise Discourse::InvalidAccess + raise Discourse::InvalidAccess.new end session.delete(SessionController::ACTIVATE_USER_KEY) diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb index e5ca94d734c..8c2c33e48da 100644 --- a/spec/controllers/users_controller_spec.rb +++ b/spec/controllers/users_controller_spec.rb @@ -1461,6 +1461,20 @@ describe UsersController do end end + context "approval is enabled" do + before do + SiteSetting.must_approve_users = true + end + + it "should raise an error" do + unconfirmed_email_user = Fabricate(:user, active: true) + unconfirmed_email_user.email_tokens.create(email: unconfirmed_email_user.email) + session[SessionController::ACTIVATE_USER_KEY] = unconfirmed_email_user.id + xhr :post, :send_activation_email, username: unconfirmed_email_user.username + expect(response.status).to eq(403) + end + end + describe 'when user does not have a valid session' do it 'should not be valid' do user = Fabricate(:user)
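Review bot: The new `raise Discourse::InvalidAccess.new if SiteSetting.must_approve_users?` sits before the staff exemption further down (`!current_user&.staff?`), so staff can no longer trigger a resend on an approval-required site either; if that is intended it deserves a comment, because the later check reads as though staff are always allowed through. `.new` is also redundant — `raise Discourse::InvalidAccess if SiteSetting.must_approve_users?` is the idiomatic form and matches the line the next hunk in this file replaces. Placing the guard after `RateLimiter…performed!` is fine (a forbidden request still consumes a rate-limit slot), but note it also fires before `session.delete(SessionController::ACTIVATE_USER_KEY)`, so the activation key survives the 403; harmless while the whole endpoint is gated, worth knowing if the gate is ever narrowed. The enclosing action begins before this hunk.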
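Review bot: Replacing `raise Discourse::InvalidAccess` with `raise Discourse::InvalidAccess.new` adds nothing: `raise` instantiates an exception class itself, and the community style guide (RuboCop `Style/RaiseArgs`) prefers the bare class. I would keep the original line and, if the goal was consistency with the new guard above it, drop `.new` there instead. The enclosing action starts before and continues after this hunk.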
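Review bot: The example name `should raise an error` does not describe what is asserted — the controller raises `InvalidAccess`, but the spec checks the rendered result, `expect(response.status).to eq(403)`; rename it to `it "returns 403 when approval is required"`. The example also proves only the status code; it would be stronger to assert, in whatever form the neighbouring examples in this file use, that no activation email job is enqueued for the user, since that is the behaviour the guard exists to prevent. The user is fabricated `active: true` with a fresh email token, so an inactive user under `must_approve_users` is not covered; presumably the same 403 applies because the guard runs before the user lookup, but a second example would pin it.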