
Fix for disabled logged-in users (#6612)

fix https://github.com/FreshRSS/FreshRSS/issues/6611
Logged-in users were still able to use their account for some time despite having been disabled by an admin
Alexandre Alapetite 1 год назад
Родитель
Сommit
4738ca8512
2 измененных файлов с 10 добавлено и 9 удалено
  1. 9 8
      app/Models/Auth.php
  2. 1 1
      p/api/query.php

+ 9 - 8
app/Models/Auth.php

@@ -31,15 +31,16 @@ class FreshRSS_Auth {
 			]);
 		}
 
-		if (self::$login_ok) {
-			self::giveAccess();
-		} elseif (self::accessControl() && self::giveAccess()) {
+		if (self::$login_ok && self::giveAccess()) {
+			return self::$login_ok;
+		}
+		if (self::accessControl() && self::giveAccess()) {
 			FreshRSS_UserDAO::touch();
-		} else {
-			// Be sure all accesses are removed!
-			self::removeAccess();
+			return self::$login_ok;
 		}
-		return self::$login_ok;
+		// Be sure all accesses are removed!
+		self::removeAccess();
+		return false;
 	}
 
 	/**
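Review bot: The fall-through after a failed `self::giveAccess()` in the first `if` is undocumented, although it is the security-relevant path of this change. A session that was logged in but is now refused continues into `self::accessControl()` and a second `giveAccess()` call before `removeAccess()` runs. A comment before the second `if` would make the intent explicit, e.g. `// Session was valid but access was refused (missing config or disabled account): retry authentication, otherwise fall through to removeAccess()`. Whether `accessControl()` has side effects for such a user is not visible here, so it is worth confirming that a refused session leaves no partial state behind. The method starts above this hunk.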
@@ -103,7 +104,7 @@ class FreshRSS_Auth {
 	 */
 	public static function giveAccess(): bool {
 		FreshRSS_Context::initUser();
-		if (!FreshRSS_Context::hasUserConf()) {
+		if (!FreshRSS_Context::hasUserConf() || !FreshRSS_Context::userConf()->enabled) {
 			self::$login_ok = false;
 			return false;
 		}
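Review bot: `!FreshRSS_Context::userConf()->enabled` treats any falsy value as disabled, so an account whose stored configuration lacks the `enabled` attribute, or holds null for it, would be locked out by this guard. The attribute's default is not visible in this diff and should be confirmed to be `true`; the same expression is added in p/api/query.php. The docblock that ends just above the hunk should also state the new contract, e.g. `@return bool false if the user has no configuration or the account is disabled`. The function body continues below the hunk.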

+ 1 - 1
p/api/query.php

@@ -36,7 +36,7 @@ if (!FreshRSS_Context::hasSystemConf() || !FreshRSS_Context::systemConf()->api_e
 }
 
 FreshRSS_Context::initUser($user);
-if (!FreshRSS_Context::hasUserConf()) {
+if (!FreshRSS_Context::hasUserConf() || !FreshRSS_Context::userConf()->enabled) {
 	usleep(rand(100, 10000));	//Primitive mitigation of scanning for users
 	header('HTTP/1.1 404 Not Found');
 	header('Content-Type: text/plain; charset=UTF-8');
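Review bot: The disabled-account guard is repeated here by hand rather than shared with `FreshRSS_Auth::giveAccess()`, which suggests that every entry point calling `FreshRSS_Context::initUser($user)` directly needs its own copy. Any such script not touched by this commit would still serve a disabled user, so those call sites are worth auditing. A single helper that reports whether the loaded user is usable (`hasUserConf()` and `enabled`) would keep the checks from drifting apart. Sending disabled accounts down the existing 404 path keeps them indistinguishable from unknown users, and a comment such as `// Disabled accounts get the same 404 as unknown users` would stop a later change from adding a distinct error. The script continues past the end of this hunk.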