/**
 * Handle a failed token authentication: write a log entry, notify observers
 * through the stock Magento login events, queue the error for the admin
 * session (once per request), wipe the user model and redirect.
 *
 * No value is returned; the last step hands control to
 * _postAuthCheckRedirect().
 *
 * NOTE(review): $request is declared with a null default ahead of the required
 * $authException, so every caller still has to pass it explicitly (null is
 * accepted). PHP 8 reports this ordering as deprecated.
 *
 * @param Mage_Admin_Model_User $user user model the failed attempt belongs to
 * @param Mage_Core_Controller_Request_Http $request current request, or null when there is none
 * @param Mage_Core_Exception $authException exception describing why authentication failed
 * @return void
 * @codeCoverageIgnore All side-effects taken from Magento auth/login process
 */
protected function _failValidation(Mage_Admin_Model_User $user, Mage_Core_Controller_Request_Http $request = null, Mage_Core_Exception $authException)
{
    // The message text is fixed and does not name the account; whatever
    // getMetaData() contributes to the entry is not visible from this method.
    $this->logger->info('Failed to authenticate using token.', $this->context->getMetaData(__CLASS__));

    // Token auth never receives a password, so observers get an empty string
    // in its place. No problem has been seen so far, but observers that read
    // the password may be affected, for example
    // Mage_Enterprise_Pci_Model_Observer::adminAuthenticate.
    $authenticateAfter = array(
        'username' => $user->getUsername(),
        'password' => '',
        'user' => $user,
        'result' => false,
    );
    Mage::dispatchEvent('admin_user_authenticate_after', $authenticateAfter);

    // Built only after the first dispatch so the username is read at the same
    // point as before, in case an observer touched the user model.
    $loginFailed = array(
        'user_name' => $user->getUsername(),
        'exception' => $authException,
    );
    Mage::dispatchEvent('admin_session_user_login_failed', $loginFailed);

    // The 'messageSent' request param keeps the error from being queued twice
    // for the same request. Without a request there is nothing to flag, so no
    // message is queued at all.
    $alreadyNotified = $request ? $request->getParam('messageSent') : true;
    if (!$alreadyNotified) {
        // NOTE(review): the exception text is added to the admin session as an
        // error message; confirm that whoever builds $authException keeps it
        // free of detail about why the token was rejected.
        Mage::getSingleton('adminhtml/session')->addError($authException->getMessage());
        $request->setParam('messageSent', true);
    }

    // Drop all data from the user model before leaving the failed login path.
    $user->unsetData();

    $redirectUrl = Mage::helper('adminhtml')->getUrl('*');
    $this->_postAuthCheckRedirect($redirectUrl);
}