diff --git a/app/data/groups.yaml b/app/data/groups.yaml index 8e99afd..d7fe71c 100644 --- a/app/data/groups.yaml +++ b/app/data/groups.yaml @@ -1,6 +1,6 @@ - name: Administrateur - css: "color: #ee0000" + css: "color: #ee0000;" descr: "Vous voyez Chuck Norris ? Pareil." privs: access-admin-board access-assoc-board write-news upload-shared-files delete-shared-files @@ -14,7 +14,7 @@ delete_notification - name: Modérateur - css: "color: green" + css: "color: green;" descr: "Maîtres du kick, ils sont là pour faire respecter un semblant d'ordre." privs: access-admin-board edit-posts delete-posts @@ -24,7 +24,7 @@ unlimited-pms - name: Développeur - css: "color: #4169e1" + css: "color: #4169e1;" descr: "Les développeurs maintiennent et améliorent le code du site." privs: access-admin-board upload-shared-files delete-shared-files @@ -34,7 +34,7 @@ access-admin-panel - name: Rédacteur - css: "color: blue" + css: "color: blue;" descr: "Rédigent les meilleurs articles de la page d'accueil, rien que pour vous <3" privs: access-admin-board write-news @@ -43,7 +43,7 @@ showcase-content edit-static-content - name: Responsable communauté - css: "color: DarkOrange" + css: "color: DarkOrange;" descr: "Anime les pages Twitter et Facebook de Planète Casio et surveille l'évolution du monde autour de nous !" privs: access-admin-board write-news 
@@ -52,22 +52,26 @@ showcase-content - name: Partenaire - css: "color: purple" + css: "color: purple;" descr: "Membres de l'équipe d'administration des sites partenaires." privs: write-news upload-shared-files delete-shared-files scheduled-posting - name: Compte communautaire - css: "background:#d8d8d8; border-radius:4px; color:#303030; padding:1px 2px" + css: "background:#d8d8d8; border-radius:4px; color:#303030; padding:1px 2px;" descr: "Compte à usage général de l'équipe de Planète Casio." - name: Robot - css: "color: #cf25d0" + css: "color: #cf25d0;" descr: "♫ Je suis Nono, le petit robot, l'ami d'Ulysse ♫" privs: shoutbox-post shoutbox-kick shoutbox-ban - name: Membre de CreativeCalc - css: "color: #222222" + css: "color: #222222;" descr: "CreativeCalc est l'association qui gère Planète Casio." privs: access-assoc-board +- + name: No login + css: "color: #888888;" + descr: "Compte dont l'accès au site est désactivé."
diff --git a/app/routes/account/login.py b/app/routes/account/login.py
index a12bda2..37fbda5 100644
--- a/app/routes/account/login.py
+++ b/app/routes/account/login.py
@@ -3,6 +3,7 @@ from flask_login import login_user, logout_user, login_required, current_user
 from app import app
 from app.forms.login import LoginForm
 from app.models.users import Member
+from app.models.privs import Group
 from app.utils.render import render
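Review bot: The new `is_safe_url` helper in login() calls `urlparse` and `urljoin`, but this import hunk does not bring them into scope; unless `urllib.parse` is already imported above line 3 (not visible here), the first successful login will fail with a NameError at the redirect step. Add `from urllib.parse import urljoin, urlparse` alongside these imports. Conversely, `Group` added here is not referenced by the new login() code, which iterates `member.groups` and compares `g.name`, so the import looks unused and can be dropped.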
@@ -14,16 +15,39 @@ def login():
 form = LoginForm()
 if form.validate_on_submit():
 member = Member.query.filter_by(name=form.username.data).first()
+
+ # Check if member can login
+ if "No login" in [g.name for g in member.groups]:
+ flash('Cet utilisateur ne peut pas se connecter', 'error')
+ if request.referrer:
+ return redirect(request.referrer)
+ return redirect(url_for('index'))
+
+ # Check if password is ok
 if member is None or not member.check_password(form.password.data):
 flash('Pseudo ou mot de passe invalide', 'error')
- return redirect(request.referrer)
+ if request.referrer:
+ return redirect(request.referrer)
+ return redirect(url_for('index'))
+
+ # Login & update time-based trophies
 login_user(member, remember=form.remember_me.data)
 member.update_trophies("on-login")
- if request.args.get('next'):
- return redirect(request.args.get('next'))
+
+ # Redirect safely (https://huit.re/open-redirect)
+ def is_safe_url(target):
+ ref_url = urlparse(request.host_url)
+ test_url = urlparse(urljoin(request.host_url, target))
+ return test_url.scheme in ('http', 'https') and \
+ ref_url.netloc == test_url.netloc
+
+ next = request.args.get('next')
+ if next and is_safe_url(next):
+ return redirect(next)
 if request.referrer:
 return redirect(request.referrer)
 return redirect(url_for('index'))
+
 return render('login.html', form=form)
diff --git a/master.py b/master.py
index 20a5490..10aa9ce 100755
--- a/master.py
+++ b/master.py
@@ -124,13 +124,15 @@ def create_groups_and_privs():
 if g is not None:
 member.groups.append(g)
- m = Member("PlanèteCasio", "contact@planet-casio.com", "v5-forever")
+ m = Member("PlanèteCasio", "contact@planet-casio.com", "nologin")
 addgroup(m, "Compte communautaire")
+ addgroup(m, "No login")
 db.session.add(m)
- m = Member("GLaDOS", "glados@aperture.science", "v5-forever")
+ m = Member("GLaDOS", "glados@aperture.science", "nologin")
 m.xp = 1338
 addgroup(m, "Robot")
+ addgroup(m, "No login")
 db.session.add(m)
 db.session.commit()
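Review bot: `member.groups` is dereferenced in the new "No login" check before the existing `member is None` guard, so submitting an unknown username now raises AttributeError (a 500) instead of the flashed error; the group check has to run after the credential check. The order also matters for disclosure: as written, anyone who submits a username with any password learns whether that account exists and is disabled, because 'Cet utilisateur ne peut pas se connecter' is reached without a valid password while every other account gets the generic 'Pseudo ou mot de passe invalide'. The reordering below reaches the disabled-account message only after the password has been verified; if account state must not be disclosed even then, flash the generic message in both branches. Minor: `next` shadows the builtin (`next_url` reads better) and `is_safe_url` is redefined on every request, so a module-level helper would be clearer. The enclosing login() starts above the hunk.
```python
        member = Member.query.filter_by(name=form.username.data).first()

        # Credentials first: a missing user must not be dereferenced, and the
        # disabled-account branch must not be reachable without the password.
        if member is None or not member.check_password(form.password.data):
            flash('Pseudo ou mot de passe invalide', 'error')
            if request.referrer:
                return redirect(request.referrer)
            return redirect(url_for('index'))

        # Check if member can login
        if any(g.name == "No login" for g in member.groups):
            flash('Cet utilisateur ne peut pas se connecter', 'error')
            if request.referrer:
                return redirect(request.referrer)
            return redirect(url_for('index'))

        # … unchanged: login_user, trophies, safe redirect …
```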
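Review bot: Both disabled accounts are seeded with the literal password "nologin", a constant known to anyone who reads this repository, so the only thing preventing a login is the "No login" group check in login(); if that membership is ever edited away or another authentication path is added, the accounts become trivially guessable. Seed them with an unguessable throwaway instead, e.g. `m = Member("PlanèteCasio", "contact@planet-casio.com", secrets.token_urlsafe(32))` (and likewise for GLaDOS), with `import secrets` at the top of the file, so no usable credential exists for these accounts at all. create_groups_and_privs() begins above the hunk.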