Don't allow blocked users to authenticate through other means

Gitlab::Auth.find_with_user_password is currently used in these places:

- resource_owner_from_credentials in config/initializers/doorkeeper.rb,
  which is used for the OAuth Resource Owner Password Credentials flow

- the /session API call in lib/api/session.rb, which is used to reveal
  the user's current authentication_token

In both cases users should only be authenticated if they're in the
active state.

0 files changed, 0 insertions, 0 deletions