Change method to protect password-base login

app/controllers/sessions_controller.rb

@@ -76,7 +76,7 @@ class SessionsController < Devise::SessionsController
         flash[:notice] = nil
       end
 
-      if password_based_login? && resource.user_authorized_by_provisioning_group?
+      if password_based_login? && resource.password_based_login_forbidden?
         sign_out
         flash[:alert] = _('You are not allowed to log in using password')
         redirect_to new_user_session_path

app/models/user.rb

@@ -1122,7 +1122,7 @@ class User < ApplicationRecord
   end
 
   # method overriden in EE
-  def user_authorized_by_provisioning_group?
+  def password_based_login_forbidden?
     false
   end
 

ee/app/models/ee/user.rb

@@ -328,7 +328,13 @@ module EE
       super
     end
 
-    override :user_authorized_by_provisioning_group?
+    override :password_based_login_forbidden?
+    def password_based_login_forbidden?
+      return true if user_authorized_by_provisioning_group?
+
+      super
+    end
+
     def user_authorized_by_provisioning_group?
       user_detail.provisioned_by_group? && ::Feature.enabled?(:block_password_auth_for_saml_users, user_detail.provisioned_by_group, type: :ops)
     end

lib/gitlab/auth/database/authentication.rb

@@ -9,7 +9,7 @@ module Gitlab
       class Authentication < Gitlab::Auth::OAuth::Authentication
         def login(login, password)
           return false unless Gitlab::CurrentSettings.password_authentication_enabled_for_git?
-          return false unless user.allow_password_authentication_for_git?
+          return false if user.password_based_login_forbidden?
 
           return user if user&.valid_password?(password)
         end