From the devise doku for authenticatable.rb:
Before authenticating a user and in each request, Devise checks if your model is active by calling model.active_for_authentication?. This method is overwriten by other devise modules. For instance, :confirmable overwrites .active_for_authentication? to only return true if your model was confirmed.
You overwrite this method yourself, but if you do, don’t forget to call super:
def active_for_authentication?
super && special_condition_is_valid?
end
So, when you have a flag blocked in the user database, the method in the user model looks something like this:
def active_for_authentication?
super && !self.blocked
end