Personal access tokens work even when the account that created them is blocked
I have been using a personal access token for API calls in one of my applications. Usually, when my account was blocked, the token stopped working. Recently the GitLab instance I am using was updated to 10.4.4-ee, and I have accidentally discovered that the token worked even when my account was blocked.
I think that tokens should stop working when a user is blocked, otherwise it defeats the purpose and is quite insecure.
Steps to reproduce
- Create a personal access token
- Block yourself
- Use token in an API request (I was able to unblock my user with my token)
What is the current bug behavior?
The token works as usual
What is the expected correct behavior?
The token shouldn't work if the user who generated it is blocked
GitLab version: 10.4.4-ee
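
The difference between the reported and the expected behavior, as an added example that is not part of the original report and is not GitLab source code: a simplified model in which one authenticator validates only the token and the other also checks the owner's account state on every request. All names (`TokenStore`, `authenticate_token_only`, `authenticate_checking_owner`) and the sample user and token are hypothetical and constructed for illustration.

```ruby
# Simplified model for illustration; not GitLab's implementation.
require "digest"

User  = Struct.new(:name, :state)                       # state: :active or :blocked
Token = Struct.new(:digest, :user, :revoked, :expires_at)

class TokenStore
  def initialize
    @tokens = {}
  end

  # Keep only a digest of the secret so the store never holds the raw token.
  def issue(user, secret, expires_at: nil)
    digest = Digest::SHA256.hexdigest(secret)
    @tokens[digest] = Token.new(digest, user, false, expires_at)
  end

  def find(secret)
    @tokens[Digest::SHA256.hexdigest(secret.to_s)]
  end
end

# Reported behavior: only the token itself (existence, revocation, expiry)
# is validated, so a blocked owner's token keeps authenticating.
def authenticate_token_only(store, secret, now: Time.now)
  token = store.find(secret)
  return nil if token.nil? || token.revoked
  return nil if token.expires_at && token.expires_at <= now
  token.user
end

# Expected behavior: the owner's current account state is re-checked on every
# request, so blocking the account takes effect without revoking each token.
def authenticate_checking_owner(store, secret, now: Time.now)
  user = authenticate_token_only(store, secret, now: now)
  return nil if user.nil? || user.state != :active
  user
end

# Constructed sample data.
STORE = TokenStore.new
ALICE = User.new("alice", :active)
STORE.issue(ALICE, "constructed-sample-token")
```

Setting `ALICE.state = :blocked` makes `authenticate_checking_owner` return `nil` while `authenticate_token_only` still returns the user, which is the mismatch the report describes.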