From 63960e2e62c3c140b7efda02f674b44d754fb220 Mon Sep 17 00:00:00 2001
From: Sebastian Grewe
Date: Fri, 10 Jan 2014 20:04:57 +0100
Subject: [PATCH] [IMPROVED] Allow e-mails only for login
This is a major change in MPOS. Usernames will not be allowed anymore. This will avoid a lot of brute force issues since usernames are not a valid login method anymore. Fixes #1345 once merged.
---
 public/include/classes/user.class.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/public/include/classes/user.class.php b/public/include/classes/user.class.php
index ada25335..80cc346a 100644
--- a/public/include/classes/user.class.php
+++ b/public/include/classes/user.class.php
@@ -116,7 +116,11 @@ class User extends Base {
 $this->setErrorMessage("Invalid username or password.");
 return false;
 }
- if (filter_var($username, FILTER_VALIDATE_EMAIL)) {
+ if (!filter_var($username, FILTER_VALIDATE_EMAIL)) {
+ $this->debug->append("Not an e-mail address, rejecting login", 2);
+ $this->setErrorMessage("Please login with your e-mail address");
+ return false;
+ } else {
 $this->debug->append("Username is an e-mail: $username", 2);
 if (!$username = $this->getUserNameByEmail($username)) {
 $this->setErrorMessage("Invalid username or password.");
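Review bot: The `} else {` after the new `return false;` is redundant and keeps the whole e-mail lookup path one indentation level deeper than it needs to be; since the guard branch always returns, the line can become `}` and the `getUserNameByEmail` block that follows dedented to method level. A one-line comment above the guard would also help future readers, e.g. `// Only e-mail addresses are accepted as login identity; plain usernames are rejected before any lookup`. Note that this check on its own only removes usernames as a login identifier — the distinct "Please login with your e-mail address" message reveals nothing about account existence, but limiting failed attempts per e-mail/IP is still the control against brute force, and whether such a limit exists in this method is not visible here. The enclosing login method begins and ends outside the hunk.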