lib/devise/models/lockable.rb in devise-2.1.4 vs lib/devise/models/lockable.rb in devise-2.2.0.rc
- old
+ new
@@ -25,11 +25,11 @@
delegate :lock_strategy_enabled?, :unlock_strategy_enabled?, :to => "self.class"
def self.required_fields(klass)
attributes = []
attributes << :failed_attempts if klass.lock_strategy_enabled?(:failed_attempts)
- attributes << :unlock_at if klass.unlock_strategy_enabled?(:time)
+ attributes << :locked_at if klass.unlock_strategy_enabled?(:time)
attributes << :unlock_token if klass.unlock_strategy_enabled?(:email)
attributes
end
@@ -103,10 +103,14 @@
false
end
end
def unauthenticated_message
- if lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?
+ # If set to paranoid mode, do not show the locked message because it
+ # leaks the existence of an account.
+ if Devise.paranoid
+ super
+ elsif lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?
:locked
else
super
end
end
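Review bot: In `unauthenticated_message` the new `if Devise.paranoid` branch and the final `else` both call `super`, so the three-way conditional can be folded into a single guard: `if !Devise.paranoid && lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?`, with the existing comment kept above it. A single fall-through path to the generic message makes it harder for a later edit to reintroduce a response that distinguishes locked accounts. The hunk only covers the message symbol. Whether the rest of the failed-login response (redirect target, unlock e-mail, the lock check whose tail is visible just above this method) is also identical for locked and nonexistent accounts cannot be confirmed from here. A test comparing the two cases with `Devise.paranoid` enabled would pin that down.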