In our portal, a newly created user has to confirm its password via email.
So we set the password to NOT enabled after user creation:
User user = userManager.getUser(userName);
PasswordCredential pwc = userManager.getPasswordCredential(user);
But the user can immediately log in, although the password is disabled.
I verified this in the database (security_credential.IS_ENABLED = 0).
The bug seems to be in the
where isEnabled() is never checked!
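
The gap described in this post, shown as an added example that is not part of the original message or of the portal's code: an authentication check that only compares the password, next to one that also honours the enabled flag. The class, method names and sample accounts are hypothetical stand-ins (Java 16+ for the record syntax).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for the portal's credential handling; not the portal's classes.
public class EnabledCheckDemo {
    // Mirrors one credential row: the stored hash plus the IS_ENABLED flag.
    record Credential(byte[] sha256, boolean enabled) {}

    static final Map<String, Credential> STORE = new HashMap<>();

    static byte[] hash(String password) throws Exception {
        // Plain SHA-256 keeps the demo short; a real store would use a salted, slow KDF.
        return MessageDigest.getInstance("SHA-256")
                .digest(password.getBytes(StandardCharsets.UTF_8));
    }

    // Behaviour reported in the post: only the password is compared.
    static boolean authenticateFlawed(String user, String password) throws Exception {
        Credential c = STORE.get(user);
        return c != null && MessageDigest.isEqual(c.sha256(), hash(password));
    }

    // Corrected: a disabled credential is rejected even when the password matches.
    static boolean authenticateChecked(String user, String password) throws Exception {
        Credential c = STORE.get(user);
        if (c == null) return false;
        boolean matches = MessageDigest.isEqual(c.sha256(), hash(password));
        return matches && c.enabled(); // both conditions must hold
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: one account awaiting email confirmation, one confirmed.
        STORE.put("pending", new Credential(hash("s3cret"), false));
        STORE.put("confirmed", new Credential(hash("s3cret"), true));

        System.out.println("flawed,  pending:   " + authenticateFlawed("pending", "s3cret"));
        System.out.println("checked, pending:   " + authenticateChecked("pending", "s3cret"));
        System.out.println("checked, confirmed: " + authenticateChecked("confirmed", "s3cret"));
        System.out.println("checked, wrong pw:  " + authenticateChecked("confirmed", "nope"));
    }
}
```

A regression test for this class of bug should log in with the correct password against a disabled credential and require a rejection.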