    Apply account locking to password reset page · 38a3aceb
    Luke Duncalfe authored
    If an attacker has stolen a user's session, they could previously brute-force
    attack the user's password reset page.
    
    This change applies the existing Devise account lockout feature. It
    would lock the user account after 10 attempts.
    
    The attacker/user would be logged out and unable to log back in for 10
    minutes.
    
    The administrator could unlock the account at any time.
    
    Normally, the user is sent unlock instructions, however, I think in this
    scenario we should assume that the attacker has been able to change the
    user's email address. We suppress the email to the user.
    
    https://gitlab.com/gitlab-org/gitlab/-/issues/339154
    
    Changelog: security
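The lockout behaviour the commit message describes (lock after 10 failed attempts, automatic expiry after 10 minutes, no unlock email, administrator override), as an added Ruby illustration. This is not GitLab's or Devise's code: `ResetAttemptGuard`, its methods and the injectable `clock` are hypothetical names chosen for the example, and the attempt counter lives in memory rather than in the user record.

```ruby
# Constructed illustration of a Devise-style lockout applied to a password
# reset page. Not GitLab's or Devise's implementation; the names below are
# hypothetical and the state is kept in memory for the example.
class ResetAttemptGuard
  MAX_ATTEMPTS  = 10       # attempts before locking, from the commit message
  LOCK_DURATION = 10 * 60  # seconds; "10 minutes" from the commit message

  attr_reader :failed_attempts, :locked_at, :notifications

  # clock is injectable so the time-based expiry can be exercised offline.
  # send_unlock_instructions defaults to false: the commit assumes the
  # attacker may control the user's email address, so no unlock mail is sent.
  def initialize(clock: -> { Time.now }, send_unlock_instructions: false)
    @clock = clock
    @send_unlock_instructions = send_unlock_instructions
    @failed_attempts = 0
    @locked_at = nil
    @notifications = []   # emails that would have been sent
  end

  # True while the lock is in force. The lock expires by time alone, so the
  # user (or attacker) is simply unable to proceed until LOCK_DURATION passes.
  def locked?
    return false if @locked_at.nil?
    if @clock.call - @locked_at >= LOCK_DURATION
      clear_lock
      return false
    end
    true
  end

  # Call on every rejected submission on the reset page.
  # Returns :locked when the account is (now) locked, :allowed otherwise.
  def record_failure
    return :locked if locked?
    @failed_attempts += 1
    if @failed_attempts >= MAX_ATTEMPTS
      @locked_at = @clock.call
      @notifications << :unlock_instructions if @send_unlock_instructions
      return :locked
    end
    :allowed
  end

  # A correct submission resets the counter, unless the account is locked,
  # in which case it is still refused (the session holder is effectively
  # logged out until the lock expires or an administrator intervenes).
  def record_success
    return :locked if locked?
    @failed_attempts = 0
    :allowed
  end

  # Administrator override: clears the lock immediately.
  def admin_unlock!
    clear_lock
  end

  private

  def clear_lock
    @locked_at = nil
    @failed_attempts = 0
  end
end
```

Because the lock is enforced on every submission including correct ones, a stolen session cannot be used to "finish" a brute-force attempt once the threshold is hit, and because no unlock instructions are emailed by default, an attacker who has already changed the user's email address gains nothing from the lock notification.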