From d675d05010cc7d28aaac7134f592add981b2727e Mon Sep 17 00:00:00 2001
From: UmakanthKaspa
Date: Fri, 27 Feb 2026 16:00:29 +0000
Subject: [PATCH] fix: reject OAuth tokens for disabled users
---
 frappe/auth.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/frappe/auth.py b/frappe/auth.py
index 1658930317..4267c60f73 100644
--- a/frappe/auth.py
+++ b/frappe/auth.py
@@ -683,7 +683,10 @@ def validate_oauth(authorization_header):
 uri, http_method, body, headers, required_scopes
 )
 if valid:
- frappe.set_user(frappe.db.get_value("OAuth Bearer Token", token, "user"))
+ user = frappe.db.get_value("OAuth Bearer Token", token, "user")
+ if not frappe.db.get_value("User", user, "enabled"):
+ frappe.throw(_("User {0} is disabled").format(user), frappe.AuthenticationError)
+ frappe.set_user(user)
 frappe.local.form_dict = form_dict
 except AttributeError:
 pass
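Review bot: The new `frappe.throw` in `validate_oauth` echoes the token's user ID back to whoever presented the bearer token, and when the token row has no user or the User record is missing it renders as "User None is disabled". The check itself fails closed in both cases, which is the right behaviour, but a generic message such as `frappe.throw(_("User is disabled"), frappe.AuthenticationError)` avoids handing the account identifier and its state to an OAuth client that may not have been granted that scope. The diffstat shows only `frappe/auth.py` changed, so a regression test that disables a user and then presents a previously valid token would keep this check from being dropped later. `validate_oauth` starts and ends outside this hunk, so whether other token paths apply the same `enabled` check cannot be confirmed from here.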