Allow superusers to disable user accounts

auth/auth.py

@@ -35,6 +35,10 @@ def _load_user_from_cookie():
     logger.debug('Loading user from cookie: %s', current_user.get_id())
     db_user = current_user.db_user()
     if db_user is not None:
+      # Don't allow disabled users to login.
+      if not db_user.enabled:
+        return None
+
       set_authenticated_user(db_user)
       loaded = QuayDeferredPermissionUser.for_user(db_user)
       identity_changed.send(app, identity=loaded)
@@ -62,6 +66,10 @@ def _validate_and_apply_oauth_token(token):
     abort(401, message='OAuth access token has expired: %(token)s',
           issue='invalid-oauth-token', token=token, headers=authenticate_header)
 
+  # Don't allow disabled users to login.
+  if not validated.authorized_user.enabled:
+    return None
+
   # We have a valid token
   scope_set = scopes.scopes_from_scope_string(validated.scope)
   logger.debug('Successfully validated oauth access token: %s with scope: %s', token,