Merge pull request #4238 from Deltik/fix-4236

Fixes #4236 Don't populate e_user_model as a logged in user if the password is wrong

e107_handlers/login.php

@@ -342,8 +342,8 @@ class userlogin
 	 * Note: PASSWORD IS NOT VERIFIED BY THIS ROUTINE
 	 * @param string $username - as entered
 	 * @param boolean $forceLogin - TRUE if login is being forced from clicking signup link; normally FALSE
-	 * @return TRUE if name exists, and $this->userData array set up
-	 *		   otherwise FALSE
+	 * @return boolean TRUE if name exists, and $this->userData array set up
+	 *		           FALSE otherwise
 	 */
 	protected function lookupUser($username, $forceLogin)
 	{
@@ -540,7 +540,7 @@ class userlogin
 		global $pref, $sql;
 
 		$doCheck = FALSE;			// Flag set if need to ban check
-
+		$this->userData = array();
 
 		switch($reason)
 		{
@@ -625,7 +625,7 @@ class userlogin
 			return $message;
 		}
 
-		define('LOGINMESSAGE', $message);
+		defined('LOGINMESSAGE') or define('LOGINMESSAGE', $message);
 
 	//	$sql->update('online', 'user_active = 0 WHERE user_ip = "'.$this->userIP.'" LIMIT 1');
 

e107_handlers/user_model.php

@@ -1592,12 +1592,12 @@ class e_user extends e_user_model
 		if($this->isUser()) return false;
 
 		$userlogin = new userlogin();
-		$userlogin->login($uname, $upass_plain, $uauto, $uchallange, $noredirect);
-		
+		$loginSuccess = $userlogin->login($uname, $upass_plain, $uauto, $uchallange, $noredirect);
+
 		$userdata  = $userlogin->getUserData(); 
-		
 		$this->setSessionData(true)->setData($userdata);
-		
+		if ($loginSuccess === false) return false;
+
 		e107::getEvent()->trigger('user_login', $userdata); 	
 
 		return $this->isUser();

e107_tests/tests/unit/e_user_modelTest.php

@@ -377,7 +377,35 @@
 
 		}
 */
+		/**
+		 * @see https://github.com/e107inc/e107/issues/4236
+		 */
+		public function testUserLoginWrongCredentialsNotUser()
+		{
+			$user = e107::getUser();
+			$user->login("e107", "DefinitelyTheWrongPassword");
 
+			$this->assertFalse($user->isUser());
+			$this->assertEmpty($user->getData());
+		}
 
+		public function testUserLoginFailureDoesNotTriggerUserLoginEvent()
+		{
+			$originalEventHandler = e107::getRegistry('core/e107/singleton/e107_event');
+			$mockEventHandler = $this->createMock(e107_event::class);
+			$mockEventHandler->expects($this->never())->method('trigger');
+			e107::setRegistry('core/e107/singleton/e107_event', $mockEventHandler);
 
+			try
+			{
+				$user = e107::getUser();
+				$user->login("e107", "DefinitelyTheWrongPassword");
+
+				e107::getEvent();
+			}
+			finally
+			{
+				e107::setRegistry('core/e107/singleton/e107_event', $originalEventHandler);
+			}
+		}
 	}