Merge pull request #37668 from UmakanthKaspa/fix-oauth-disabled-user

fix: reject OAuth tokens for disabled users
2026-03-02 10:52:20 +05:30 · 2026-03-02 10:52:20 +05:30 · 34db776bc5
commit 34db776bc5
parent 5d6ed3f230 d675d05010
1 changed files with 4 additions and 1 deletions
--- a/frappe/auth.py
+++ b/frappe/auth.py
@ -683,7 +683,10 @@ def validate_oauth(authorization_header):
 			uri, http_method, body, headers, required_scopes
 		)
 		if valid:
-			frappe.set_user(frappe.db.get_value("OAuth Bearer Token", token, "user"))
+			user = frappe.db.get_value("OAuth Bearer Token", token, "user")
+			if not frappe.db.get_value("User", user, "enabled"):
+				frappe.throw(_("User {0} is disabled").format(user), frappe.AuthenticationError)
+			frappe.set_user(user)
 			frappe.local.form_dict = form_dict
 	except AttributeError:
 		pass