Devise::Models::Lockable

def self.required_fields(klass)

def self.required_fields(klass)
  attributes = []
  attributes << :failed_attempts if klass.lock_strategy_enabled?(:failed_attempts)
  attributes << :locked_at if klass.unlock_strategy_enabled?(:time)
  attributes << :unlock_token if klass.unlock_strategy_enabled?(:email)
  attributes
end

def access_locked?

Verifies whether a user is locked or not.

def access_locked?
  locked_at && !lock_expired?
end

def active_for_authentication?

by verifying whether a user is active to sign in or not based on locked?
Overwrites active_for_authentication? from Devise::Models::Activatable for locking purposes

def active_for_authentication?
  super && !access_locked?
end

def attempts_exceeded?

def attempts_exceeded?
  self.failed_attempts > self.class.maximum_attempts
end

def generate_unlock_token

Generates unlock token

def generate_unlock_token
  self.unlock_token = self.class.unlock_token
end

def generate_unlock_token!

def generate_unlock_token!
  generate_unlock_token && save(:validate => false)
end

def if_access_locked

if it's locked, otherwise adds an error to email.
Checks whether the record is locked or not, yielding to the block

def if_access_locked
  if access_locked?
    yield
  else
    self.errors.add(:email, :not_locked)
    false
  end
end

def inactive_message

the correct reason for blocking the sign in.
Overwrites invalid_message from Devise::Models::Authenticatable to define

def inactive_message
  access_locked? ? :locked : super
end

def lock_access!

Lock a user setting its locked_at to actual time.

def lock_access!
  self.locked_at = Time.now.utc
  if unlock_strategy_enabled?(:email)
    generate_unlock_token!
    send_unlock_instructions
  else
    save(:validate => false)
  end
end

def lock_expired?

Tells if the lock is expired if :time unlock strategy is active

def lock_expired?
  if unlock_strategy_enabled?(:time)
    locked_at && locked_at < self.class.unlock_in.ago
  else
    false
  end
end

def resend_unlock_token

Resend the unlock instructions if the user is locked.

def resend_unlock_token
  if_access_locked { send_unlock_instructions }
end

def send_unlock_instructions

Send unlock instructions by email

def send_unlock_instructions
  send_devise_notification(:unlock_instructions)
end

def unauthenticated_message

def unauthenticated_message
  # If set to paranoid mode, do not show the locked message because it
  # leaks the existence of an account.
  if Devise.paranoid
    super
  elsif lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?
    :locked
  else
    super
  end
end

def unlock_access!

Unlock a user by cleaning locked_at and failed_attempts.

def unlock_access!
  self.locked_at = nil
  self.failed_attempts = 0 if respond_to?(:failed_attempts=)
  self.unlock_token = nil  if respond_to?(:unlock_token=)
  save(:validate => false)
end

def valid_for_authentication?

is locked, it should never be allowed.
for verifying whether a user is allowed to sign in or not. If the user
Overwrites valid_for_authentication? from Devise::Models::Authenticatable

def valid_for_authentication?
  return super unless persisted? && lock_strategy_enabled?(:failed_attempts)
  # Unlock the user if the lock is expired, no matter
  # if the user can login or not (wrong password, etc)
  unlock_access! if lock_expired?
  if super && !access_locked?
    true
  else
    self.failed_attempts ||= 0
    self.failed_attempts += 1
    if attempts_exceeded?
      lock_access! unless access_locked?
    else
      save(:validate => false)
    end
    false
  end
end

Modules

Classes

module Devise::Models::Lockable