Do not populate e_user_model as a logged in user if login failed

Fixes: #4236

e107_handlers/login.php

@@ -342,8 +342,8 @@ class userlogin
 	 * Note: PASSWORD IS NOT VERIFIED BY THIS ROUTINE
 	 * @param string $username - as entered
 	 * @param boolean $forceLogin - TRUE if login is being forced from clicking signup link; normally FALSE
-	 * @return TRUE if name exists, and $this->userData array set up
-	 *		   otherwise FALSE
+	 * @return boolean TRUE if name exists, and $this->userData array set up
+	 *		           FALSE otherwise
 	 */
 	protected function lookupUser($username, $forceLogin)
 	{
@@ -540,7 +540,7 @@ class userlogin
 		global $pref, $sql;
 
 		$doCheck = FALSE;			// Flag set if need to ban check
-
+		$this->userData = array();
 
 		switch($reason)
 		{

e107_tests/tests/unit/e_user_modelTest.php

@@ -377,7 +377,15 @@
 
 		}
 */
+		/**
+		 * @see https://github.com/e107inc/e107/issues/4236
+		 */
+		public function testUserLoginWrongCredentialsNotUser()
+		{
+			$user = e107::getUser();
+			$user->login("e107", "DefinitelyTheWrongPassword");
 
-
-
+			$this->assertFalse($user->isUser());
+			$this->assertEmpty($user->getData());
+		}
 	}