When a user is disabled, their repository permissions stay around. The user should be removed from the permissions or Read access should be taken away. The fact that the user stays around in this setting is a possible security concern if that user is ever enabled again. They may get access back to a repository they should not have access to at the time the account is enabled again.