From 723cf9443e553adcd92fda13acc4d64d6c6cbe24 Mon Sep 17 00:00:00 2001
From: Stephen Hu
Date: Sun, 28 Sep 2025 12:18:01 +0800
Subject: [PATCH] Fix:After setting user's is_active to 0, the user can still log in to RAGFlow. (#10325)
### What problem does this PR solve?
https://github.com/infiniflow/ragflow/issues/10293
### Type of change
- [x] Bug Fix (non-breaking change which fixes an issue)
---
 api/apps/user_app.py | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/api/apps/user_app.py b/api/apps/user_app.py
index 95a6e2dc4..3415b33fb 100644
--- a/api/apps/user_app.py
+++ b/api/apps/user_app.py
@@ -98,6 +98,15 @@ def login(): return get_json_result(data=False, code=settings.RetCode.SERVER_ERROR, message="Fail to crypt password") user = UserService.query_user(email, password) + + if user and hasattr(user, 'is_active') and user.is_active == "0": + return get_json_result( + data=False, + code=settings.RetCode.FORBIDDEN, + message="This account has been disabled, please contact the administrator!", + ) + + + if user: response_data = user.to_json() user.access_token = get_uuid()
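Review bot: The disabled-account guard added after `UserService.query_user(email, password)` fails open: it rejects only when `is_active` exists and equals the string `"0"`, so an integer `0`, `None`, or any other non-active value still reaches the branch that assigns `user.access_token = get_uuid()`. Testing for the active value instead would fail closed, e.g. `if user and str(getattr(user, "is_active", "")) != "1":`, assuming `"1"` is the stored active marker, which this hunk does not show. The guard also covers only this password login; whether an `access_token` issued before the account was disabled, or any other sign-in route, is rejected is not visible here and is worth confirming. `login()` starts and ends outside the hunk.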