From 970865df06988ee35f00bc97f2c8b3853551f053 Mon Sep 17 00:00:00 2001
From: Lyle Keeton
Date: Fri, 17 Oct 2025 00:54:21 -0500
Subject: [PATCH] prevent linking if account disabled
---
 routers/web/auth/oauth.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/routers/web/auth/oauth.go b/routers/web/auth/oauth.go
index 3c712640e8..dc00bee45d 100644
--- a/routers/web/auth/oauth.go
+++ b/routers/web/auth/oauth.go
@@ -217,6 +217,12 @@ func SignInOAuthCallback(ctx *context.Context) {
 }
 if hasUser {
+ if user.ProhibitLogin || !user.IsActive {
+ log.Info("Failed authentication attempt for %s from %s: user has disabled sign-in", user.Name, ctx.RemoteAddr())
+ ctx.Flash.Error(ctx.Tr("auth.prohibit_login"))
+ ctx.Redirect(setting.AppSubURL + "/user/login")
+ return
+ }
 if err := externalaccount.LinkAccountToUser(ctx, authSource.ID, user, gothUser); err != nil {
 ctx.ServerError("LinkAccountToUser", err)
 return
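Review bot: The added guard in the `hasUser` branch logs both refusal reasons as "user has disabled sign-in", so a not-yet-activated account (`!user.IsActive`) cannot be told apart from an administratively blocked one (`user.ProhibitLogin`) when triaging the log. Recording the flags makes the event usable for detection: `log.Info("Refused OAuth account link for %s from %s: prohibit_login=%t is_active=%t", user.Name, ctx.RemoteAddr(), user.ProhibitLogin, user.IsActive)`. A short comment above the check, such as `// Refuse before LinkAccountToUser so no external login is persisted for a disabled account`, would keep the ordering from being undone later. SignInOAuthCallback starts and ends outside the hunk, so where `user` is looked up and whether other callers of LinkAccountToUser need the same guard cannot be confirmed from here.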