From 55882c75cbf38285bc4be37e0c92c6c04ef4e1f2 Mon Sep 17 00:00:00 2001
From: Nick Liu
Date: Mon, 24 Aug 2020 23:40:25 -0500
Subject: [PATCH] Do not populate e_user_model as a logged in user if login failed
Fixes: #4236
---
 e107_handlers/login.php | 6 +++---
 e107_tests/tests/unit/e_user_modelTest.php | 12 ++++++++++--
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/e107_handlers/login.php b/e107_handlers/login.php
index 4c77fc212..b33b7017a 100644
--- a/e107_handlers/login.php
+++ b/e107_handlers/login.php
@@ -342,8 +342,8 @@ class userlogin
 * Note: PASSWORD IS NOT VERIFIED BY THIS ROUTINE
 * @param string $username - as entered
 * @param boolean $forceLogin - TRUE if login is being forced from clicking signup link; normally FALSE
- * @return TRUE if name exists, and $this->userData array set up
- * otherwise FALSE
+ * @return boolean TRUE if name exists, and $this->userData array set up
+ * FALSE otherwise
 */
 protected function lookupUser($username, $forceLogin)
 {
@@ -540,7 +540,7 @@ class userlogin
 global $pref, $sql;
 $doCheck = FALSE; // Flag set if need to ban check
-
+ $this->userData = array();
 switch($reason)
 {
diff --git a/e107_tests/tests/unit/e_user_modelTest.php b/e107_tests/tests/unit/e_user_modelTest.php
index fba624ced..e613a4fcf 100644
--- a/e107_tests/tests/unit/e_user_modelTest.php
+++ b/e107_tests/tests/unit/e_user_modelTest.php
@@ -377,7 +377,15 @@
 }
 */
+ /**
+ * @see https://github.com/e107inc/e107/issues/4236
+ */
+ public function testUserLoginWrongCredentialsNotUser()
+ {
+ $user = e107::getUser();
+ $user->login("e107", "DefinitelyTheWrongPassword");
-
-
+ $this->assertFalse($user->isUser());
+ $this->assertEmpty($user->getData());
+ }
 }
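Review bot: In the `@@ -540,7 +540,7 @@` hunk of e107_handlers/login.php, `$this->userData = array();` runs before `switch($reason)`, and the rest of the function lies outside the hunk, so it is worth confirming that none of the cases below, nor the ban check flagged by `$doCheck`, still read `$this->userData` when recording the failed attempt. The reset also only covers failure paths that reach this function. The lookupUser() docblock in the first hunk says it sets up `$this->userData` without verifying the password, so any early return that bypasses this handler would presumably leave the looked-up row in place. Clearing the array at the start of the login attempt, or only handing it to the user model after a successful verification, would be more robust. The added line also deserves a why-comment, for example `// Drop the looked-up row so a failed login cannot be read back as an authenticated user (#4236)`.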
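Review bot: testUserLoginWrongCredentialsNotUser() in e_user_modelTest.php only exercises the regression if an account named "e107" exists in the test database. Without that account the lookup presumably fails before any row is loaded, and both assertions pass without touching the fixed path. Consider asserting that precondition first and, if login() returns a boolean, checking it too: `$this->assertFalse($user->login("e107", "DefinitelyTheWrongPassword"));`. The test also works on the shared object returned by `e107::getUser()`, so state left by earlier tests can influence the outcome; a docblock line stating the fixture it relies on would make that dependency explicit.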