I’ve disabled users on my install and noticed that the public keys for those users still appear in the authorized_keys (even after rewriting the file in the admin console). These users still, as such, have read access to repositories.
I am openssh, not the built in ssh server for gogs.
I’ve also tried setting them to prohibited logon in addition to deactivating the accounts.
Gogs 0.11.34.1122, CentOS Linux release 7.5.1804 (Core), 10.1.33-MariaDB MariaDB Server.