i forgot to put this in the what's new of this build
* disabled accounts' credentials were accepted for unprotected resources, now are not (just a formal thing, not a security problem)
to reproduce
1 create an account
2 disable it
3 access an unprotected folder
4 log in
5 enter user/pass of the disabled account
6 the login is accepted
you won't access anything you should not, so this is not a security problem, but it's formally wrong i think, so i changed it.