I've just started with the security core and ui plugins. I notice that newly registered users are created with accountLocked set to TRUE.
The email verification process executes RegisterController.verifyRegistration which contains:
user.accountLocked = false
Although the email link does log me in, future login attempts get a "sorry your account is locked" message.
Is this normal? I'm not sure why the above statement didn't change that Boolean in the db.