diff --git a/src/applications/auth/controller/PhabricatorAuthNeedsApprovalController.php b/src/applications/auth/controller/PhabricatorAuthNeedsApprovalController.php
index 88565243c3..d0ff45b38c 100644
--- a/src/applications/auth/controller/PhabricatorAuthNeedsApprovalController.php
+++ b/src/applications/auth/controller/PhabricatorAuthNeedsApprovalController.php
@@ -11,6 +11,10 @@ final class PhabricatorAuthNeedsApprovalController
 return false;
 }
 
+ public function shouldRequireEnabledUser() {
+ return false;
+ }
+
 public function processRequest() {
 $request = $this->getRequest();
 $user = $request->getUser();
diff --git a/src/applications/auth/controller/PhabricatorEmailVerificationController.php b/src/applications/auth/controller/PhabricatorEmailVerificationController.php
index 091575309e..87c9c746f1 100644
--- a/src/applications/auth/controller/PhabricatorEmailVerificationController.php
+++ b/src/applications/auth/controller/PhabricatorEmailVerificationController.php
@@ -15,10 +15,22 @@ final class PhabricatorEmailVerificationController
 return false;
 }
 
+ public function shouldRequireEnabledUser() {
+ // Unapproved users are allowed to verify their email addresses. We'll kick
+ // disabled users out later.
+ return false;
+ }
+
 public function processRequest() {
 $request = $this->getRequest();
 $user = $request->getUser();
 
+ if ($user->getIsDisabled()) {
+ // We allowed unapproved and disabled users to hit this controller, but
+ // want to kick out disabled users now.
+ return new Aphront400Response();
+ }
+
 $email = id(new PhabricatorUserEmail())->loadOneWhere(
 'userPHID = %s AND verificationCode = %s',
 $user->getPHID(),
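Review bot: The new `shouldRequireEnabledUser()` override in PhabricatorAuthNeedsApprovalController returns false with no comment and, in the visible lines, no compensating check in `processRequest()`. The comments in the PhabricatorEmailVerificationController hunk of this same commit indicate that relaxing this gate admits disabled users as well as unapproved ones, and that controller adds an explicit `getIsDisabled()` guard. Here `processRequest()` continues outside the hunk, so I cannot confirm that disabled accounts are handled. I would add a comment such as `// Unapproved users must be able to see this page; disabled users are rejected in processRequest().` and, if no such check exists further down, the same early guard: `if ($user->getIsDisabled()) { return new Aphront400Response(); }`.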
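Review bot: The disabled-user guard added at the top of `processRequest()` in PhabricatorEmailVerificationController answers with `Aphront400Response`, which reports an authorization decision as a malformed request. The request itself is well-formed and the account is simply not permitted, so a 400 makes these rejections hard to tell apart from bad links in access logs and monitoring. If the framework's forbidden response fits here, I would use `return new Aphront403Response();` instead. I would also extend the comment in `shouldRequireEnabledUser()` to name the guard it relies on, e.g. `// Disabled users are rejected by the getIsDisabled() check at the top of processRequest().`, so nobody moves or removes that check without seeing the dependency. `processRequest()` continues past the end of the hunk.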