Sometimes you need to disable a users account, without deleting the account and the information related to that account. That's why previously in Controller and Views there was a user role named "Disabled." You can set the role to Disabled currently, but it doesn't do anything. Now we're going to change that.
The simplest solution to prevent a Disabled user account from accessing anything that they shouldn't is to simply redirect them to the logout() function after login. That way they have no access, but their information is still stored in the database should that user communicate with you to correct whatever issue caused you to disable their account.
public function login()
{
...
$user = $this->Authentication->getIdentity();
if ($user->getOriginalData()->is_disabled) {
$this->redirect([
'controller' => 'Users',
'action' => 'logout',
]);
}
...
}