Inactive user can login to the application

Description

Reproduction steps

  • Create a new user

  • Make the new user inactive: active=false; loginRestricted=true (most likely using the REST API)

  • Try to log in

Actual Result

  • The user can log in even though the account is inactive

Expected Results

  • A user with the MANAGE_USERS role should be able to change a user’s enabled flag

    • yes means that a user can log into the system

    • no means that a user cannot log into the system

  • A user should be able to log into the system if the flag is set to true

  • A user should not be able to log into the system if the flag is set to false

  • A user should be able to update his/her profile, but the user should not be able to change the value of the flag
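
A minimal sketch of the expected behaviour listed above, added here as an illustration and not taken from the application's code. The `User` model, the `email` profile field, and the function names are assumptions; only the MANAGE_USERS role name and the enabled flag come from the ticket.

```python
from dataclasses import dataclass, field

MANAGE_USERS = "MANAGE_USERS"   # role name from the ticket
SELF_EDITABLE = {"email"}       # assumed profile fields; `enabled` is deliberately absent


class AccessDenied(Exception):
    pass


@dataclass
class User:                     # hypothetical model, not the application's own
    username: str
    enabled: bool = True
    email: str = ""
    roles: set = field(default_factory=set)


def can_login(user, credentials_ok):
    # Valid credentials are necessary but not sufficient: the flag is
    # consulted on every login attempt.
    return bool(credentials_ok) and user.enabled is True


def update_user(actor, target, changes):
    is_manager = MANAGE_USERS in actor.roles
    if not is_manager and actor.username != target.username:
        raise AccessDenied("cannot edit another user's account")
    # Validate the whole request before applying anything, so a rejected
    # request leaves the account untouched.
    for name, value in changes.items():
        if name == "enabled":
            if not is_manager:
                raise AccessDenied("changing 'enabled' requires MANAGE_USERS")
            if not isinstance(value, bool):
                raise ValueError("'enabled' must be true or false")
        elif name not in SELF_EDITABLE:
            raise AccessDenied(f"field {name!r} is not editable")
    for name, value in changes.items():
        setattr(target, name, value)
    return target
```

The allowlist is what keeps a profile update from carrying the flag along with other fields: anything not named in `SELF_EDITABLE` is rejected rather than silently copied onto the account.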

Environment

None

Status

Assignee

Łukasz Lewczyński

Reporter

Nikodem Graczewski

Labels

Story Points

2

Time tracking

24h

Components

Sprint

None

Fix versions

Priority

Critical