diff --git a/internal/entity/auth_user.go b/internal/entity/auth_user.go
index 05635d3ba..4c9ce8395 100644
--- a/internal/entity/auth_user.go
+++ b/internal/entity/auth_user.go
@@ -390,7 +390,7 @@ func (m *User) UpdateLoginTime() *time.Time {
 func (m *User) CanLogIn() bool {
 if m == nil {
 return false
- } else if m.Deleted() {
+ } else if m.Deleted() || m.HasProvider(authn.ProviderNone) {
 return false
 } else if !m.CanLogin && !m.SuperAdmin || m.ID <= 0 || m.UserName == "" {
 return false
@@ -403,7 +403,11 @@ func (m *User) CanLogIn() bool {

 // CanUseWebDAV checks whether the user is allowed to use WebDAV to synchronize files.
 func (m *User) CanUseWebDAV() bool {
- if role := m.AclRole(); m.Disabled() || !m.WebDAV || m.ID <= 0 || m.UserName == "" || role == acl.RoleUnknown {
+ if m == nil {
+ return false
+ } else if m.Deleted() || m.HasProvider(authn.ProviderNone) {
+ return false
+ } else if role := m.AclRole(); m.Disabled() || !m.WebDAV || m.ID <= 0 || m.UserName == "" || role == acl.RoleUnknown {
 return false
 } else {
 return acl.Resources.Allow(acl.ResourcePhotos, role, acl.ActionUpload)
@@ -412,7 +416,11 @@ func (m *User) CanUseWebDAV() bool {

 // CanUpload checks if the user is allowed to upload files.
 func (m *User) CanUpload() bool {
- if role := m.AclRole(); m.Disabled() || role == acl.RoleUnknown {
+ if m == nil {
+ return false
+ } else if m.Deleted() || m.HasProvider(authn.ProviderNone) {
+ return false
+ } else if role := m.AclRole(); m.Disabled() || role == acl.RoleUnknown {
 return false
 } else {
 return acl.Resources.Allow(acl.ResourcePhotos, role, acl.ActionUpload)
@@ -493,6 +501,11 @@ func (m *User) Provider() authn.ProviderType {
 return authn.ProviderNone
 }

+// HasProvider checks if the user has the given auth provider.
+func (m *User) HasProvider(t authn.ProviderType) bool {
+ return t.String() == m.Provider().String()
+}
+
 // SetProvider set the authentication provider.
 func (m *User) SetProvider(t authn.ProviderType) *User {
 if m == nil {
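Review bot: The new `m.HasProvider(authn.ProviderNone)` test in CanLogIn runs before the `!m.CanLogin && !m.SuperAdmin` branch, so a super admin whose provider resolves to none is now refused as well, and neither the code nor a comment says that this is intended. The tail of Provider() visible in the last hunk of this file returns authn.ProviderNone as its fallback, so accounts without a usable provider value may be refused too; that depends on the part of Provider() outside the diff. I would state the rule where the decision is made, for example `// Accounts whose provider resolves to authn.ProviderNone can never log in, regardless of CanLogin or SuperAdmin.` CanLogIn's body continues past the end of this hunk.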
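Review bot: The nil check and the `m.Deleted() || m.HasProvider(authn.ProviderNone)` check are now copied into CanLogIn, CanUseWebDAV and CanUpload (the next hunk), which makes it easy for a later permission method to leave one of them out. In this hunk the first two branches return the same value and can be a single condition, `if m == nil || m.Deleted() || m.HasProvider(authn.ProviderNone) {`, and one unexported helper holding that condition would keep the three methods in step. The doc comment should also name the new precondition, for example `// Deleted users and users with provider none are always denied.` The closing lines of CanUseWebDAV are outside the hunk.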
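Review bot: HasProvider calls `m.Provider()` without a nil-receiver guard, while SetProvider directly below it starts with `if m == nil {` and the three Can* methods in this commit check for nil before calling it. Whether a nil *User is safe here depends on Provider(), whose body begins outside the hunk. Since the method is exported, I would either add `if m == nil { return false }` or say in the doc comment that callers must check for nil first. The comment could also say what is compared: `// HasProvider reports whether the provider returned by Provider() has the same string form as t.`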
diff --git a/internal/entity/auth_user_test.go b/internal/entity/auth_user_test.go
index 1680dcade..f3a16bea5 100644
--- a/internal/entity/auth_user_test.go
+++ b/internal/entity/auth_user_test.go
@@ -827,18 +827,36 @@ func TestUser_UpdateLoginTime(t *testing.T) {
 }

 func TestUser_CanLogIn(t *testing.T) {
- assert.True(t, UserFixtures.Pointer("alice").CanLogIn())
+ alice := UserFixtures.Get("alice")
+ assert.True(t, alice.CanLogIn())
+ alice.SetProvider(authn.ProviderNone)
+ assert.False(t, alice.CanLogIn())
+ alice.SetProvider(authn.ProviderLocal)
+ assert.True(t, alice.CanLogIn())
+
 assert.False(t, UserFixtures.Pointer("deleted").CanLogIn())
 }

 func TestUser_CanUseWebDAV(t *testing.T) {
- assert.True(t, UserFixtures.Pointer("alice").CanUseWebDAV())
+ alice := UserFixtures.Get("alice")
+ assert.True(t, alice.CanUseWebDAV())
+ alice.SetProvider(authn.ProviderNone)
+ assert.False(t, alice.CanUseWebDAV())
+ alice.SetProvider(authn.ProviderLocal)
+ assert.True(t, alice.CanUseWebDAV())
+
 assert.False(t, UserFixtures.Pointer("deleted").CanUseWebDAV())
 assert.False(t, UserFixtures.Pointer("friend").CanUseWebDAV())
 }

-func TestUser_CanUpdate(t *testing.T) {
- assert.True(t, UserFixtures.Pointer("alice").CanUpload())
+func TestUser_CanUpload(t *testing.T) {
+ alice := UserFixtures.Get("alice")
+ assert.True(t, alice.CanUpload())
+ alice.SetProvider(authn.ProviderNone)
+ assert.False(t, alice.CanUpload())
+ alice.SetProvider(authn.ProviderLocal)
+ assert.True(t, alice.CanUpload())
+
 assert.False(t, UserFixtures.Pointer("deleted").CanUpload())
 assert.True(t, UserFixtures.Pointer("friend").CanUpload())
 }
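Review bot: The nil-receiver guards that this commit adds to CanUseWebDAV and CanUpload are not exercised by any assertion here, and HasProvider has no test of its own; every new check goes through the alice fixture. One line per method would pin the guard, for example `assert.False(t, (*User)(nil).CanUseWebDAV())` and `assert.False(t, (*User)(nil).CanUpload())`. Each test also sets alice back to authn.ProviderLocal before asserting true again, which assumes local is the fixture's original provider. Reading the original value with `alice.Provider()` first and restoring that would not depend on the fixture data.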