Merge pull request #4238 from Deltik/fix-4236

Fixes #4236 Don't populate e_user_model as a logged in user if the password is wrong
2025-08-05 06:07:32 +02:00 · 2020-09-17 12:43:22 -07:00
parent daf77daa21 4fbf4a93ca
commit 49c1a0eb10
3 changed files with 36 additions and 8 deletions
--- a/e107_handlers/login.php
+++ b/e107_handlers/login.php
@@ -342,8 +342,8 @@ class userlogin
 	 * Note: PASSWORD IS NOT VERIFIED BY THIS ROUTINE
 	 * @param string $username - as entered
 	 * @param boolean $forceLogin - TRUE if login is being forced from clicking signup link; normally FALSE
-	 * @return TRUE if name exists, and $this->userData array set up
+	 * @return boolean TRUE if name exists, and $this->userData array set up
-	 *		   otherwise FALSE
+	 *		           FALSE otherwise
 	 */
 	protected function lookupUser($username, $forceLogin)
 	{
@@ -540,7 +540,7 @@ class userlogin
 		global $pref, $sql;
 		$doCheck = FALSE;			// Flag set if need to ban check
-
+		$this->userData = array();
 		switch($reason)
 		{
@@ -625,7 +625,7 @@ class userlogin
 			return $message;
 		}
-		define('LOGINMESSAGE', $message);
+		defined('LOGINMESSAGE') or define('LOGINMESSAGE', $message);
 	//	$sql->update('online', 'user_active = 0 WHERE user_ip = "'.$this->userIP.'" LIMIT 1');
--- a/e107_handlers/user_model.php
+++ b/e107_handlers/user_model.php
@@ -1592,11 +1592,11 @@ class e_user extends e_user_model
 		if($this->isUser()) return false;
 		$userlogin = new userlogin();
-		$userlogin->login($uname, $upass_plain, $uauto, $uchallange, $noredirect);
+		$loginSuccess = $userlogin->login($uname, $upass_plain, $uauto, $uchallange, $noredirect);
 		$userdata  = $userlogin->getUserData(); 
 		$this->setSessionData(true)->setData($userdata);
 		if ($loginSuccess === false) return false;
 		e107::getEvent()->trigger('user_login', $userdata); 	
--- a/e107_tests/tests/unit/e_user_modelTest.php
+++ b/e107_tests/tests/unit/e_user_modelTest.php
@@ -377,7 +377,35 @@
 		}
 */
 		/**
 		 * @see https://github.com/e107inc/e107/issues/4236
 		 */
 		public function testUserLoginWrongCredentialsNotUser()
 		{
 			$user = e107::getUser();
 			$user->login("e107", "DefinitelyTheWrongPassword");
-
+			$this->assertFalse($user->isUser());
-
+			$this->assertEmpty($user->getData());
 		}
 		public function testUserLoginFailureDoesNotTriggerUserLoginEvent()
 		{
 			$originalEventHandler = e107::getRegistry('core/e107/singleton/e107_event');
 			$mockEventHandler = $this->createMock(e107_event::class);
 			$mockEventHandler->expects($this->never())->method('trigger');
 			e107::setRegistry('core/e107/singleton/e107_event', $mockEventHandler);
 			try
 			{
 				$user = e107::getUser();
 				$user->login("e107", "DefinitelyTheWrongPassword");
 				e107::getEvent();
 			}
 			finally
 			{
 				e107::setRegistry('core/e107/singleton/e107_event', $originalEventHandler);
 			}
 		}
 	}