This repository was archived by the owner on Feb 6, 2024. It is now read-only.

Commit 4177592

Fixes the check whether a user is actually locked.
Before, the user was claimed to be locked when any CASino::User sharing the same username was locked. But a user is actually only locked if he does not have any CASino::User left which is unlocked. The reason for this is that he could have secondary/legacy authentication providers on which he can never log in. Therefore, one of his 'alter egos' may get locked on any regular (and otherwise successful) login attempt, and he would be locked out regardless. That is now changed, so that all CASino::Users sharing the same username must first be in locked state before one is considered locked.
1 parent e57aa73 commit 4177592

1 file changed

Lines changed: 10 additions & 1 deletion

app/helpers/casino/sessions_helper.rb

@@ -52,7 +52,16 @@ def sign_out
5252
end
5353

5454
def user_locked?(username)
55-
CASino::User.locked.where(username: username).any?
55+
result = CASino::User.where(username: username)
56+
57+
58+
# If we've never seen this user before, it can't be locked already.
59+
return false if result.empty?
60+
61+
# A user is only locked, if all its CASino::Users, from all providers, are locked.
62+
# Because it might be, that it is locked for one (e.g. legacy) provider, but not for another.
63+
# So it should still have the chance to login to said other provider.
64+
return result.where('locked_until IS NULL or locked_until <= :now', username: username, now: Time.now).empty?
5665
end
5766

5867
def handle_failed_login(username)
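Review bot: the new `result.where('locked_until IS NULL or locked_until <= :now', ...)` re-implements the inverse of the `CASino::User.locked` scope that the removed line relied on, so the two notions of "locked" can silently drift apart if that scope's definition changes (different column, time zone handling, or an extra condition); prefer defining an `unlocked` scope next to `locked` in the model and calling `result.unlocked.empty?` here, so there is a single source of truth for what locked means. Two smaller points in the same hunk: the `username: username` named bind passed to that `where` is never referenced in the SQL string (only `:now` is) and can be dropped, and the leading `return` on the last line is redundant. Finally, because a username now counts as locked only once every one of its CASino::User records is locked, it is worth confirming that `handle_failed_login` below locks all records sharing the username rather than only the one belonging to the provider that failed; otherwise a single record that is never locked keeps `user_locked?` returning false for that username and the lockout never takes effect.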
