October: Disabled plugin's controllers are still accessible

@LukeTowers - confirmed.
Sidebar is removed, but with absolute URL it's accessible.

Settings:

Plugins Page:

@w20k could you look into why that's happening?

@LukeTowers, I will, already started debugging ;)

@LukeTowers, found the spot, but not yet sure about how plugins $id is generated (is it as simple as ucfirst($author) . '.' . ucfirst($plugin)? ).

It looks up for a plugin controller, but doesn't check if plugin is disabled or not.
https://github.com/octobercms/october/blob/master/modules/backend/classes/BackendController.php#L107

@w20k you should be able to use this: https://github.com/octobercms/october/blob/master/modules/system/classes/PluginManager.php#L505

PluginManager::instance()->isDisabled($author . '\\' . $plugin);

That could probably go right after the list(author, plugin) call to prevent the further code from running

@LukeTowers tried this way while testing. Didn't work. Namespace and pluginsId should start with capitalized letters (namespace: October\Test or id: October.Test).
Could the URL be different from the pluginId? I guess not 😅

This worked like charm, will make a PR either today, or tomorrow.

if (!PluginManager::instance()->isDisabled(ucfirst($author) . '.' . ucfirst($plugin))){
....
}

Found one strange behaviour, looking at it right now.

@LukeTowers if it would open default blank backend page is it correct behaviour or should show 404?

@w20k it should pass the request off to be handled by the CMS 404 page, or however a 404 in the backend typically works

Sorry for taking so looong ;)

PR Fix