Description
I'm using the old 5.2 Security component, since we don't have docs for the new system yet.
I noticed that when User::isEnabled() returns false (for example if the user is banned or not yet approved), at login the user is shown a "Bad credentials" error, because of this:

A DisabledException is thrown...

symfony/src/Symfony/Component/Security/Core/User/UserChecker.php, lines 41 to 45 in a47cf7e

Which extends AccountStatusException

...

Which throws a BadCredentialsException
This was changed in May, here: https://symfony.com/blog/cve-2021-21424-prevent-user-enumeration-in-authentication-mechanisms
But I do not think this is a proper solution: if a user is banned or pending approval and they enter valid credentials, they shouldn't see an "Invalid credentials" error; this will make them think they forgot the password or their account has been stolen, and try to reset the password... (without success, since after the reset the same error will be shown, so they will end up contacting the admin in despair)
In my case I did this in the login controller:

use App\Entity\User;
use Symfony\Component\Security\Core\Exception\DisabledException;

// $error comes from AuthenticationUtils::getLastAuthenticationError()
if (is_a($error, DisabledException::class) && $error->getUser()->isStatus(User::STATUS_PENDING_APPROVAL)) {
    // Show "please wait to be approved" message
}

Which is not working anymore.
A workaround is to set hide_user_not_found: false, but this will cause other unwanted effects (and as per the option name, it should apply to "not found" users, not "disabled" ones)