BeforeLogin event returns false but user is logged in

Any idea how this might happen?

BeforeLogin returns false as desired.

I also tried setting $event->handled true in that case.

I get my flash error message ("You are not allowed to log in"). But the user is logged in.

Is there anything more I need to do? Where in my login controller/model/view do I ever find out beforeLogin failed ??!!

Looking at the code from web/User I see it returns "isValid"

    protected function beforeLogin($identity, $cookieBased, $duration)


        $event = new UserEvent([

            'identity' => $identity,

            'cookieBased' => $cookieBased,

            'duration' => $duration,


        $this->trigger(self::EVENT_BEFORE_LOGIN, $event);

        return $event->isValid;


So I set $event->isValid = false in my beforeLogin and now it works as expected (user not logged in).

The documentation seems clear. This is not how it should work.

Am I looking for my own problem, or have I found a documentation/bug issue in yi2?