diff --git a/api/controllers/AccountsController.php b/api/controllers/AccountsController.php
index e349d18..1f12be4 100644
--- a/api/controllers/AccountsController.php
+++ b/api/controllers/AccountsController.php
@@ -1,6 +1,7 @@
 <?php
 namespace api\controllers;
 
+use api\filters\ActiveUserRule;
 use api\models\profile\AcceptRulesForm;
 use api\models\profile\ChangeEmail\ConfirmNewEmailForm;
 use api\models\profile\ChangeEmail\InitStateForm;
@@ -27,6 +28,7 @@ class AccountsController extends Controller {
                         'roles' => ['@'],
                     ],
                     [
+                        'class' => ActiveUserRule::class,
                         'actions' => [
                             'change-password',
                             'change-username',
@@ -35,14 +37,6 @@ class AccountsController extends Controller {
                             'change-email-confirm-new-email',
                             'change-lang',
                         ],
-                        'allow' => true,
-                        'roles' => ['@'],
-                        'matchCallback' => function() {
-                            $account = Yii::$app->user->identity;
-
-                            return $account->status > Account::STATUS_REGISTERED
-                                && $account->isAgreedWithActualRules();
-                        },
                     ],
                 ],
             ],
diff --git a/api/controllers/OauthController.php b/api/controllers/OauthController.php
index 0a0328f..bcf224b 100644
--- a/api/controllers/OauthController.php
+++ b/api/controllers/OauthController.php
@@ -1,6 +1,7 @@
 <?php
 namespace api\controllers;
 
+use api\filters\ActiveUserRule;
 use common\components\oauth\Exception\AcceptRequiredException;
 use common\components\oauth\Exception\AccessDeniedException;
 use common\models\OauthClient;
@@ -27,9 +28,8 @@ class OauthController extends Controller {
                         'roles' => ['?'],
                     ],
                     [
+                        'class' => ActiveUserRule::class,
                         'actions' => ['complete'],
-                        'allow' => true,
-                        'roles' => ['@'],
                     ],
                 ],
             ],
diff --git a/api/filters/ActiveUserRule.php b/api/filters/ActiveUserRule.php
new file mode 100644
index 0000000..4b803bd
--- /dev/null
+++ b/api/filters/ActiveUserRule.php
@@ -0,0 +1,31 @@
+<?php
+namespace api\filters;
+
+use common\models\Account;
+use Yii;
+use yii\filters\AccessRule;
+
+class ActiveUserRule extends AccessRule {
+
+    public $roles = ['@'];
+
+    public $allow = true;
+
+    /**
+     * @inheritdoc
+     */
+    protected function matchCustom($action) {
+        $account = $this->getIdentity();
+
+        return $account->status > Account::STATUS_REGISTERED
+            && $account->isAgreedWithActualRules();
+    }
+
+    /**
+     * @return \api\models\AccountIdentity|null
+     */
+    protected function getIdentity() {
+        return Yii::$app->getUser()->getIdentity();
+    }
+
+}
diff --git a/tests/codeception/api/unit/filters/ActiveUserRuleTest.php b/tests/codeception/api/unit/filters/ActiveUserRuleTest.php
new file mode 100644
index 0000000..d48f29a
--- /dev/null
+++ b/tests/codeception/api/unit/filters/ActiveUserRuleTest.php
@@ -0,0 +1,60 @@
+<?php
+namespace tests\codeception\api\unit\filters;
+
+use api\filters\ActiveUserRule;
+use api\models\AccountIdentity;
+use Codeception\Specify;
+use common\models\Account;
+use tests\codeception\api\unit\TestCase;
+use tests\codeception\common\_support\ProtectedCaller;
+use const common\LATEST_RULES_VERSION;
+use yii\base\Action;
+
+class ActiveUserRuleTest extends TestCase {
+    use Specify;
+    use ProtectedCaller;
+
+    public function testMatchCustom() {
+        $account = new AccountIdentity();
+
+        $this->specify('get false if user not finished registration', function() use (&$account) {
+            $account->status = 0;
+            $filter = $this->getFilterMock($account);
+            expect($this->callProtected($filter, 'matchCustom', new Action(null, null)))->false();
+        });
+
+        $this->specify('get false if user have old EULA agreement', function() use (&$account) {
+            $account->status = Account::STATUS_ACTIVE;
+            $account->rules_agreement_version = null;
+            $filter = $this->getFilterMock($account);
+            expect($this->callProtected($filter, 'matchCustom', new Action(null, null)))->false();
+        });
+
+        $this->specify('get true if user fully active', function() use (&$account) {
+            $account->status = Account::STATUS_ACTIVE;
+            $account->rules_agreement_version = LATEST_RULES_VERSION;
+            $filter = $this->getFilterMock($account);
+            expect($this->callProtected($filter, 'matchCustom', new Action(null, null)))->true();
+        });
+    }
+
+    /**
+     * @param AccountIdentity $returnIdentity
+     * @return ActiveUserRule|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private function getFilterMock(AccountIdentity $returnIdentity) {
+        /** @var ActiveUserRule|\PHPUnit_Framework_MockObject_MockObject $filter */
+        $filter = $this
+            ->getMockBuilder(ActiveUserRule::class)
+            ->setMethods(['getIdentity'])
+            ->getMock();
+
+        $filter
+            ->expects($this->any())
+            ->method('getIdentity')
+            ->will($this->returnValue($returnIdentity));
+
+        return $filter;
+    }
+
+}