mirror of
https://github.com/go-gitea/gitea.git
synced 2026-06-08 06:25:40 +02:00
c43eb7c33a
The OAuth2 sign-in callback unconditionally set IsActive=true on the local user row whenever the IdP authenticated them, silently undoing an administrator's "Disable Account" action and granting the user a fresh session in the same response. Treat the local IsActive flag as an authoritative admin override: inactive users get a session and are routed through the existing activate / prohibit-login pages by verifyAuthWithOptions, matching the local-credentials sign-in path. Adds an integration regression test that disables a linked local user and asserts the row stays IsActive=false after a full OIDC callback. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>