Symfony version(s) affected: 4.0

Description
I'm implementing a brute force protection for my login/register etc. forms. I have a "soft threshold" (CAPTCHA needed) and a "hard threshold" (no further interaction is allowed).

To achieve the latter, I've set disabled: true on the form itself. This works as I'd have expect, fully disabling the form for user interaction while rendered in the browser.

What I did not expect was that now, since there are no types being considered, the form suddenly becomes valid and passes any validations, it even claims it's been submitted (but this shouldn't even be possible with a fully disabled form).

It seems to me disabling the root form object should mean it's not considered submitted / valid.

How to reproduce

Create a form with a validator, submit to confirm it fails. Now change to disabled: true and submit again. Now it suddenly passes validation even though the form is disabled and shouldn't work at all.

Possible Solution
Perhaps isSubmitted(): false if disabled: true?