Do not trigger user_login event if authentication fails

Related: #4236

e107_handlers/login.php

@@ -625,7 +625,7 @@ class userlogin
 			return $message;
 		}
 
-		define('LOGINMESSAGE', $message);
+		defined('LOGINMESSAGE') or define('LOGINMESSAGE', $message);
 
 	//	$sql->update('online', 'user_active = 0 WHERE user_ip = "'.$this->userIP.'" LIMIT 1');
 

e107_handlers/user_model.php

@@ -1592,12 +1592,12 @@ class e_user extends e_user_model
 		if($this->isUser()) return false;
 
 		$userlogin = new userlogin();
-		$userlogin->login($uname, $upass_plain, $uauto, $uchallange, $noredirect);
-		
+		$loginSuccess = $userlogin->login($uname, $upass_plain, $uauto, $uchallange, $noredirect);
+
 		$userdata  = $userlogin->getUserData(); 
-		
 		$this->setSessionData(true)->setData($userdata);
-		
+		if ($loginSuccess === false) return false;
+
 		e107::getEvent()->trigger('user_login', $userdata); 	
 
 		return $this->isUser();

e107_tests/tests/unit/e_user_modelTest.php

@@ -388,4 +388,24 @@
 			$this->assertFalse($user->isUser());
 			$this->assertEmpty($user->getData());
 		}
+
+		public function testUserLoginFailureDoesNotTriggerUserLoginEvent()
+		{
+			$originalEventHandler = e107::getRegistry('core/e107/singleton/e107_event');
+			$mockEventHandler = $this->createMock(e107_event::class);
+			$mockEventHandler->expects($this->never())->method('trigger');
+			e107::setRegistry('core/e107/singleton/e107_event', $mockEventHandler);
+
+			try
+			{
+				$user = e107::getUser();
+				$user->login("e107", "DefinitelyTheWrongPassword");
+
+				e107::getEvent();
+			}
+			finally
+			{
+				e107::setRegistry('core/e107/singleton/e107_event', $originalEventHandler);
+			}
+		}
 	}