From 14b8fd7fa52171d1942fe5ecb167af971f37d8b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gina=20H=C3=A4u=C3=9Fge?=
Date: Wed, 25 Oct 2017 17:30:56 +0200
Subject: [PATCH] Only send "deactivated" status if password matches
---
 src/octoprint/server/api/__init__.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/octoprint/server/api/__init__.py b/src/octoprint/server/api/__init__.py
index deb7225f..64082227 100644
--- a/src/octoprint/server/api/__init__.py
+++ b/src/octoprint/server/api/__init__.py
@@ -204,10 +204,10 @@ def login():
 user = octoprint.server.userManager.findUser(username)
 if user is not None:
- if not user.is_active():
- return make_response(("Your account is deactivated", 403, []))
-
 if octoprint.server.userManager.checkPassword(username, password):
+ if not user.is_active():
+ return make_response(("Your account is deactivated", 403, []))
+
 if octoprint.server.userManager.enabled:
 user = octoprint.server.userManager.login_user(user)
 session["usersession.id"] = user.session
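Review bot: The new position of the `is_active()` check inside the `checkPassword()` branch of `login()` is security-relevant but carries no comment, so a later cleanup could hoist it back above the password check and again disclose account status to callers who do not know the password; a comment on the added line such as `# only reveal "deactivated" once the password matched, otherwise account status leaks to unauthenticated callers` would pin the intent. The deactivated branch also returns without any log entry in the visible lines, and a correct password presented for a disabled account is worth recording for detection (username and remote address, never the password). Separately, the `user is not None` guard still skips `checkPassword()` for unknown usernames, which may leave a response-time difference between existing and non-existing accounts, depending on how the password check is implemented. The body of `login()` starts and ends outside this hunk, so the failure response for the other branches is not visible here.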