SECURITY: Do not sign in unapproved users (PR #15555)

GitHub

The title of this pull request changed from “SECURITY: Do not sign in unapproved users (#15552)” to “SECURITY: Do not sign in unapproved users”

Confused about this PR, I thought the CVE will handle this?

Note this PR is against stable - it’s the backport for 584c6a2e. @udan11 ready to merge?

Not sure if we need to pick up this change … but it seems low risk enough.