Comment 1 for bug 919240

Brian Waldon (bcwaldon) wrote :

I would agree that if it were an enabled user, we should return a 403. But in the case of a disabled user, we aren't actually checking any authorization rules. We can't get that far since they haven't authenticated as a valid user. So our response here is "Hey, go re-authenticate and try again". 403 means "yeah we know who you are, but we aren't going to let you do that".