cat aescling's git repositories - mastodon.git/commitdiff
Disable API access when login is disabled (#7289)
author Eugen Rochko <eugen@zeonfederated.com>
Mon, 30 Apr 2018 07:13:14 +0000 (09:13 +0200)
committer GitHub <noreply@github.com>
Mon, 30 Apr 2018 07:13:14 +0000 (09:13 +0200)
app/controllers/api/base_controller.rb

index 7b5168b314a5df144f8c61925aaf589d0cb75d7b..b5c084e14516907ba79d99a38089a6e474641119 100644 (file)
@@ -66,8 +66,10 @@ class Api::BaseController < ApplicationController
   end
 
   def require_user!
-    if current_user
+    if current_user && !current_user.disabled?
       set_user_activity
+    elsif current_user
+      render json: { error: 'Your login is currently disabled' }, status: 403
     else
       render json: { error: 'This method requires an authenticated user' }, status: 422
     end
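
Review bot: the `disabled?` check in `require_user!` only protects actions that run this filter, so any API action that resolves `current_user` without calling `require_user!` would still serve a request made with a disabled account's token. Consider placing the check where `current_user` is resolved for this controller, or confirming that every authenticated action goes through `require_user!`. The three-way branch would also read more directly in guard order (`if !current_user` for the 422, `elsif current_user.disabled?` for the 403, `else set_user_activity`), and the new 403 path deserves a controller spec, which is not among the files shown for this change.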