This tutorial describes how to create a custom user checker that will block login access if the User::$inactive property is set.
These instructions are based on "How to Create and Enable Custom User Checkers" in the Symfony documentation, and are specifically tailored to work with a boolean property in the User entity named $inactive. If you have configured your user entities differently, you can easily adapt these instructions to match your setup.
Create a custom user checker
Create a new src/Security/UserChecker.php file by copying the example in the Symfony documentation.
Replace the example tests in UserChecker::checkPreAuth() with the following code:
if ($user->isInactive()) {
    // the message passed to this exception is meant to be displayed to the user.
    throw new CustomUserMessageAccountStatusException('Your user account has been disabled.');
}
You will need to keep the checkPostAuth() method in your service, because it must be defined, but you can remove all code inside that method unless your project has a special requirement for this check.
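The finished src/Security/UserChecker.php as a single file, added here as an example (it is not code from the original page or from the Symfony documentation). It assumes the entity class is App\Entity\User and that it exposes isInactive(), and it keeps an instanceof guard so that user objects from other providers pass through unchecked.

```php
<?php
// src/Security/UserChecker.php

namespace App\Security;

use App\Entity\User; // assumed location of the entity that has isInactive()
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class UserChecker implements UserCheckerInterface
{
    /**
     * Runs before the submitted credentials are verified, so an inactive
     * account is rejected without its password ever being checked.
     * Consequence: the "disabled" message is shown to anyone who submits
     * that username, whether or not the password was correct. If account
     * status should only be revealed after a valid password, place the
     * same test in checkPostAuth() instead.
     */
    public function checkPreAuth(UserInterface $user): void
    {
        // Only the application's own entity carries the inactive flag.
        if (!$user instanceof User) {
            return;
        }

        if ($user->isInactive()) {
            // The message passed to this exception is displayed to the user.
            throw new CustomUserMessageAccountStatusException('Your user account has been disabled.');
        }
    }

    /**
     * Must be defined because the interface declares it; left empty
     * because this project has no post-authentication check.
     */
    public function checkPostAuth(UserInterface $user): void
    {
    }
}
```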
Enable the checker in security settings
Next, add the code needed to enable the checker to config/packages/security.yaml (also found in the documentation). You'll probably want to add these lines as the first thing above whatever is already under the security/firewalls/main section.
Test the checker
Set the inactive flag for one of your users (preferably not admin!), then try to log in as that user. If everything is set up correctly, the user will be returned to the login form and see the message provided in the check above.