In my Yii 2 App Advanced theme-based app, I have reviewed the /frontend/controllers/SiteController controller (site/login route → actionLogin method) and the /common/models/User model. Either I am blind, or there is no check whether the user who is trying to log in has an inactive status.
The $user->validatePassword() method only checks the password, and $this->getUser() only checks the username. There is no comparison to self::STATUS_INACTIVE.
I know that this is probably very obvious, but it slips my mind and I am a bit puzzled. Exactly which piece of code is then responsible for displaying the “Incorrect username or password” validation error if I am trying to log in with a user who exists but has status = 9?
Which piece of code should I override in order to display “Your account must be verified first” error instead?
// First in controller->actionLogin():
$model = new LoginForm();
if ($model->load(Yii::$app->request->post()) && $model->login()) {
// Then in LoginForm->login() model:
return Yii::$app->user->login($this->getUser()...
// and in ->getUser():
$this->_user = User::findByUsername($this->username);
// And finally, User::findByUsername() is what we are looking for:
return static::findOne(['username' => $username,
'status' => self::STATUS_ACTIVE]);
It looks for the user only among those who are active.
IMO there are a few ways, but the simplest one will be to add a custom rule to the LoginForm model and some logic in the controller checking what error it has after it comes back with false from the login() method.
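One way to build the custom rule, as an added example that is not part of the original posts or of the Yii project's code: the class name StatusAwareLoginForm and its $_account field are hypothetical, and it assumes the advanced template's common\models\LoginForm, where getUser() is protected and the password rule is named validatePassword. The verification message is only shown after the password has been checked, so the form does not tell an anonymous visitor which usernames exist.

```php
<?php
namespace frontend\models;

use common\models\LoginForm;
use common\models\User;

/**
 * Hypothetical subclass (added example): reports an unverified account
 * only to a caller who has already supplied the correct password.
 */
class StatusAwareLoginForm extends LoginForm
{
    private $_account = false; // false = not looked up yet

    /** Same rule name as the stock form, so the parent's rules() still apply. */
    public function validatePassword($attribute, $params)
    {
        if ($this->hasErrors()) {
            return;
        }
        $user = $this->getUser();

        // Unknown user or wrong password: one generic message for both,
        // so the response does not confirm that a username exists.
        if (!$user || !$user->validatePassword($this->password)) {
            $this->addError($attribute, 'Incorrect username or password.');
            return;
        }
        // Password is correct: now the real reason can be shown.
        if ((int) $user->status === User::STATUS_INACTIVE) {
            $this->addError($attribute, 'Your account must be verified first.');
        }
    }

    /** Unlike User::findByUsername(), this lookup also returns inactive users. */
    protected function getUser()
    {
        if ($this->_account === false) {
            $this->_account = User::findOne([
                'username' => $this->username,
                'status' => [User::STATUS_ACTIVE, User::STATUS_INACTIVE],
            ]);
        }
        return $this->_account;
    }
}
```

With this class used in actionLogin() instead of LoginForm, login() still returns false for an inactive user, because validation fails before Yii::$app->user->login() is reached.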