From 00a01c2bc494ce17269036fadd62ff14a76833ca Mon Sep 17 00:00:00 2001
From: Drew Ulmer
Date: Thu, 25 Oct 2012 16:51:56 -0500
Subject: [PATCH] Fix #1994 Lockable no longer leaks account existence
---
 lib/devise/models/lockable.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/devise/models/lockable.rb b/lib/devise/models/lockable.rb
index 98b810f8..56ccd6c6 100644
--- a/lib/devise/models/lockable.rb
+++ b/lib/devise/models/lockable.rb
@@ -105,7 +105,11 @@ module Devise
 end
 def unauthenticated_message
- if lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?
+ # If set to paranoid mode, do not show the locked message because it
+ # leaks the existence of an account.
+ if Devise.paranoid
+ super
+ elsif lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?
 :locked
 else
 super
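Review bot: The new `Devise.paranoid` branch in `unauthenticated_message` ships without a regression test. The diffstat lists only lib/devise/models/lockable.rb, so nothing pins that an account past the attempt limit returns the generic failure message rather than `:locked` in paranoid mode. A test that enables paranoid mode, exceeds the attempt limit and asserts the message is not `:locked` would keep this enumeration fix from regressing. The two `super` branches could also be folded into one condition, `if !Devise.paranoid && lock_strategy_enabled?(:failed_attempts) && attempts_exceeded?`, so the paranoid check reads as a precondition of the locked message. The method's closing `end` lines and any other place in this module that returns `:locked` are outside the hunk, so those paths presumably need the same review under paranoid mode.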