Affected Version: 2.5.1
What steps will reproduce the problem?
1. Disable a user in LDAP or OpenID
2. SSH as that user
What is the expected output? What do you see instead?
You can still access things at the permissions you had before the LDAP or OpenID account was disabled.
I expected the SSH access to fail.
This is a huge problem if an admin leaves a business, etc., since they would still have full access via SSH.
Please provide any additional information below.
There is issue #1061 for disabling accounts. Adding a "disabled_at" column to the database would go a long way towards closing this hole. It would still require either a script or a person going into Gerrit and disabling the account, but at least it would prevent people from SSH'ing into Gerrit after they have left.
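
An audit of the kind the report says a script would have to perform, as an added example that is not part of the original report or of Gerrit's code: it lists accounts that are disabled in (or missing from) the directory yet are still active locally with SSH keys. Assumptions: the directory is Active Directory style, where bit 0x2 of `userAccountControl` marks a disabled account; the account export format (`username`, `ssh_keys`, `inactive`) is hypothetical; all sample records are constructed.

```python
"""Flag accounts disabled upstream that can still authenticate with an SSH key."""

# Active Directory sets bit 0x2 (ACCOUNTDISABLE) in userAccountControl.
ACCOUNTDISABLE = 0x2

# Constructed sample data; the field names of the account export are hypothetical.
SAMPLE_DIRECTORY = [
    {"uid": "alice", "userAccountControl": "514"},  # 512 | 2: disabled
    {"uid": "bob", "userAccountControl": "512"},    # enabled
    {"uid": "dave", "userAccountControl": "514"},   # disabled
]
SAMPLE_ACCOUNTS = [
    {"username": "Alice", "ssh_keys": 2, "inactive": False},
    {"username": "bob", "ssh_keys": 1, "inactive": False},
    {"username": "carol", "ssh_keys": 1, "inactive": False},  # deleted upstream
    {"username": "dave", "ssh_keys": 0, "inactive": False},   # no key, no SSH
]


def directory_disabled(entries):
    """Return the lower-cased uids the directory reports as disabled."""
    return {
        e["uid"].lower()
        for e in entries
        if int(e.get("userAccountControl", 0)) & ACCOUNTDISABLE
    }


def stale_ssh_access(directory_entries, local_accounts):
    """Return (username, reason) for accounts that should no longer have SSH access."""
    disabled = directory_disabled(directory_entries)
    known = {e["uid"].lower() for e in directory_entries}
    findings = []
    for acct in local_accounts:
        # Only accounts that are still active locally and hold a key are a risk.
        if acct.get("inactive") or not acct["ssh_keys"]:
            continue
        user = acct["username"].lower()  # compare case-insensitively
        if user in disabled:
            findings.append((acct["username"], "disabled in directory"))
        elif user not in known:
            findings.append((acct["username"], "missing from directory"))
    return sorted(findings)


if __name__ == "__main__":
    for name, reason in stale_ssh_access(SAMPLE_DIRECTORY, SAMPLE_ACCOUNTS):
        print(f"{name}: {reason}, SSH keys still usable")
```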