function user_login_final_validate

1 user.module user_login_final_validate($form, &$form_state)

The final validation handler on the login form.

Sets a form error if user has not been authenticated, or if too many logins have been attempted. This validation function should always be the last one.

1 string reference to 'user_login_final_validate'

user_login_default_validators in core/modules/user/user.module: Set up a series for validators which check for blocked users, then authenticate against local database, then return an error if authentication fails. Distributed authentication modules are welcome to use hook_form_alter() to change this series in…

File

core/modules/user/user.module, line 2219: Enables the user registration and login system.

Code

function user_login_final_validate($form, &$form_state) {
  $flood_config = config('user.flood');
  if (empty($form_state['uid'])) {
    // Always register an IP-based failed login event.
    flood_register_event('failed_login_attempt_ip', $flood_config->get('flood_ip_window'));
    // Register a per-user failed login event.
    if (isset($form_state['flood_control_user_identifier'])) {
      flood_register_event('failed_login_attempt_user', $flood_config->get('flood_user_window'), $form_state['flood_control_user_identifier']);
    }

    if (isset($form_state['flood_control_triggered'])) {
      if ($form_state['flood_control_triggered'] == 'user') {
        form_set_error('name', format_plural($flood_config->get('flood_user_limit'), 'Sorry, there has been more than one failed login attempt for this account. It is temporarily blocked. Try again later or <a href="@url">request a new password</a>.', 'Sorry, there have been more than @count failed login attempts for this account. It is temporarily blocked. Try again later or <a href="@url">request a new password</a>.', array('@url' => url('user/password'))));
        module_invoke_all('user_flood_control', ip_address(), $form_state['values']['name']);
      }
      else {
        // We did not find a uid, so the limit is IP-based.
        form_set_error('name', t('Sorry, too many failed login attempts from your IP address. This IP address is temporarily blocked. Try again later or <a href="@url">request a new password</a>.', array('@url' => url('user/password'))));
        module_invoke_all('user_flood_control', ip_address());
      }
      // We cannot call backdrop_access_denied() here, as that can result in an
      // infinite loop if the login form is rendered on the 403 page (e.g. in a
      // block). So add the 403 header, and allow form processing to finish.
      backdrop_add_http_header('Status', '403 Forbidden');
    }
    elseif (empty($form_state['account_found'])) {
      $login_method = config_get('system.core', 'user_login_method');
      if ((valid_email_address($form_state['values']['name']) && $login_method === USER_LOGIN_USERNAME_OR_EMAIL) || $login_method === USER_LOGIN_EMAIL_ONLY) {
        form_set_error('name', t('Sorry, no account with that email address found.'));
      }
      else {
        form_set_error('name', t('Sorry, unrecognized username.'));
      }
      watchdog('user', 'The user account or email %name could not be found.', array('%name' => $form_state['values']['name']), WATCHDOG_WARNING);
    }
    else {
      form_set_error('pass', t('Sorry, incorrect password. <a href="@password">Have you forgotten your password?</a>', array('@password' => url('user/password', array('query' => array('name' => $form_state['values']['name']))))));
      watchdog('user', 'Login attempt failed for %user.', array('%user' => $form_state['values']['name']), WATCHDOG_WARNING);
    }
  }
  elseif (isset($form_state['flood_control_user_identifier'])) {
    // Clear past failures for this user so as not to block a user who might
    // log in and out more than once in an hour.
    flood_clear_event('failed_login_attempt_user', $form_state['flood_control_user_identifier']);
  }
}