From 22a4b6fbb87575dddc2d66df946adc23c8e65a81 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Mon, 23 Mar 2026 12:24:31 +0100
Subject: [PATCH] fix(auth): reject disabled/locked users in OIDC callback
---
 pkg/modules/auth/openid/openid.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/pkg/modules/auth/openid/openid.go b/pkg/modules/auth/openid/openid.go
index aed18dd46..61e7efd87 100644
--- a/pkg/modules/auth/openid/openid.go
+++ b/pkg/modules/auth/openid/openid.go
@@ -158,6 +158,11 @@ func HandleCallback(c *echo.Context) error {
 return err
 }
+ if u.Status == user.StatusDisabled || u.Status == user.StatusAccountLocked {
+ _ = s.Rollback()
+ return &user.ErrAccountDisabled{UserID: u.ID}
+ }
+
 teamData := getTeamDataFromToken(cl.VikunjaGroups, provider)
 err = models.SyncExternalTeamsForUser(s, u, teamData, idToken.Issuer, "OIDC")