On Mar 24, 2014, at 5:10 AM, Froilan Olavidez wrote:
> Hi All,
>
> I would like to know how I can determine if the user is already locked during sign in. When the user enters a valid username/email address with the correct password but his/her account is tagged as locked, the system throws an error message that the account is already locked; this is the current correct behaviour of the Devise lockable module.
>
> However, when the user enters a valid username/email address with an INCORRECT password, Devise didn't recognize that the user is already locked and throws an error message that the login details are invalid.
>
> What I want to achieve is: when the user account is already locked and the user enters a valid username/email address with either a CORRECT or INCORRECT password, Devise will throw an error message stating that the account is already locked.
>
> What implementation do I need to do? Maybe override some model functions to achieve this?

I think that this would violate one of Devise's rules of engagement -- never give away details to an unauthenticated person. If you know the username and password, then you get more detail about why you can't log in. But if you don't know both, you get the "no-answer" that you give to anyone who can't log in for any reason. You don't tell them that the email is right but the password is wrong, or vice-versa, because that gives one of the keys to an attacker. I think this falls into that same valley.

Walter

>
> I am using Rails 4 and the latest devise gem in my application.
>
> Please advise and thanks in advance.
>
>
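The disclosure rule discussed in this thread, as an added example in plain Ruby (written for this page; it is not Devise's code and not from either poster): a toy sign-in that reports lock state only after the password verifies, plus a check listing the accounts whose state a caller with a wrong password could learn. The account data and the names `sign_in`, `leak_lock_state` and `disclosed_without_password` are hypothetical.

```ruby
# Toy model of the sign-in responses discussed above. NOT Devise code.
# Passwords are stored and compared in plaintext only to keep the model short.
Account = Struct.new(:email, :password, :locked)

# Constructed sample accounts.
ACCOUNTS = [
  Account.new("alice@example.test", "correct-horse", false),
  Account.new("bob@example.test", "battery-staple", true) # locked account
].freeze

# The "no-answer" returned to anyone who fails to authenticate.
GENERIC = :invalid

# Returns :ok, :locked or :invalid.
# leak_lock_state: true models the behaviour requested in the question
# (lock state reported before the password is checked).
def sign_in(email, password, leak_lock_state: false)
  account = ACCOUNTS.find { |a| a.email == email }
  return GENERIC if account.nil?
  return :locked if account.locked && leak_lock_state
  return GENERIC unless account.password == password
  # Only a caller who proved knowledge of the password learns the lock state.
  account.locked ? :locked : :ok
end

# Audit helper: e-mails for which a wrong-password caller receives anything
# other than the generic answer, i.e. accounts whose existence is disclosed.
def disclosed_without_password(emails, leak_lock_state: false)
  emails.reject do |e|
    sign_in(e, "wrong-guess", leak_lock_state: leak_lock_state) == GENERIC
  end
end

if __FILE__ == $PROGRAM_NAME
  probe = ["alice@example.test", "bob@example.test", "nobody@example.test"]
  puts "default policy discloses:   #{disclosed_without_password(probe).inspect}"
  puts "requested policy discloses: " \
       "#{disclosed_without_password(probe, leak_lock_state: true).inspect}"
end
```

With the default policy the audit list is empty; with the requested behaviour the locked address is confirmed as a registered account to a caller who never supplied its password.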