I have changed the flash string from 'Account locked' to 'Your account is locked. Please contact the Administrator.'
I have a scenario.
I have only one user in pgAdmin.
What would happen then?
+ Does it lock that user too?
Yes.
+ If yes - do we have information in the document to unlock that user?
I hope so :-p
I am also curious about another case. A hacker can use multiple users for the same.
Should we also lock/avoid requests from a particular ip-address/machine for X minutes/hours?
That's more difficult to deal with - there are common deployment scenarios where all connections might appear to come from a single IP, for example, when behind a load balancer (there are good reasons to do that, even with a single pgAdmin instance) or proxy. In such cases we may or may not get an X-Forwarded-For header, and even if we do it may not be reliable.