Currently, a disabled user is still authenticated and set in the standard context, and is only really taken into account in XWiki#prepareDocuments, which generates an exception for all actions but only
But it's not taken into account in the REST API (or any resource reference handler that requires an authenticated user), which means the user can pretty much do anything it wants (including enabling itself, I think, unless there is a listener to protect against that).
IMO, the user should be authenticated but should not be set as the context user; instead, it should be set in a special property storing the disabled user so that code dealing with disabled users can check it. That way, access is safe by default (most of the code will see the context as not authenticated), and only if you want to do something special with a disabled user (like a process to be granted access again) do you still have the info.
- Create a user Foo and disable it
- Send the following request with Foo authentication headers:
- Login with Foo on the wiki
- Foo should still be disabled and the CURL request should not work
- Foo is now enabled
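A small model of the current versus proposed handling, covering both the design described above (authenticate, but do not promote a disabled account to context user) and the reproduction steps. This is an added example, not XWiki code: `Context`, `rest_set_active`, the user store and the sample user Foo are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    name: str
    password: str
    active: bool = True

@dataclass
class Context:
    user: Optional[User] = None           # what most code checks: "is someone authenticated?"
    disabled_user: Optional[User] = None  # proposed extra property: valid credentials, disabled account

def credentials_valid(directory, name, password):
    u = directory.get(name)
    return u if u is not None and u.password == password else None

def authenticate_current(ctx, directory, name, password):
    """Current behaviour modelled: a disabled account still becomes the context user."""
    user = credentials_valid(directory, name, password)
    ctx.user = user  # disabled flag ignored here; only the page-rendering path checks it later
    return ctx

def authenticate_proposed(ctx, directory, name, password):
    """Proposed behaviour: authenticate, but never promote a disabled account to context user."""
    user = credentials_valid(directory, name, password)
    if user is not None and not user.active:
        ctx.disabled_user = user  # kept for flows that need to know who the disabled user is
        ctx.user = None           # safe by default: the rest of the code sees no authenticated user
    else:
        ctx.user = user
    return ctx

def rest_set_active(ctx, directory, target, active):
    """A REST-style handler that only checks for *an* authenticated user, as many handlers do."""
    if ctx.user is None:
        return 401
    directory[target].active = active
    return 200

def reproduce(authenticate):
    """Runs the steps from the report: create Foo, disable it, call the REST endpoint as Foo."""
    directory = {"Foo": User("Foo", "s3cret", active=False)}  # constructed sample user
    ctx = authenticate(Context(), directory, "Foo", "s3cret")
    status = rest_set_active(ctx, directory, "Foo", True)
    return status, directory["Foo"].active
# reproduce(authenticate_current)  -> (200, True): Foo re-enabled itself
# reproduce(authenticate_proposed) -> (401, False): request rejected, Foo stays disabled
```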