From 2a5ba397e61b0c23fcc866bcd088876586ca8a3c Mon Sep 17 00:00:00 2001
From: Damian Mooyman <damian@silverstripe.com>
Date: Mon, 2 May 2016 08:54:19 +1200
Subject: [PATCH] BUG Fix SS_HTTPResponse being cast as string (#5413)

Fixes #5335
---
 security/Security.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/security/Security.php b/security/Security.php
index 54e1ffe45..e48ed5db2 100644
--- a/security/Security.php
+++ b/security/Security.php
@@ -275,9 +275,12 @@ class Security extends Controller implements TemplateGlobalProvider {
 			$form = $me->LoginForm();
 			$form->sessionMessage($message, 'warning');
 			Session::set('MemberLoginForm.force_message',1);
-			$formText = $me->login();
+			$loginResponse = $me->login();
+			if($loginResponse instanceof SS_HTTPResponse) {
+				return $loginResponse;
+			}
 
-			$response->setBody($formText);
+			$response->setBody((string)$loginResponse);
 
 			$controller->extend('permissionDenied', $member);
 
@@ -502,7 +505,7 @@ class Security extends Controller implements TemplateGlobalProvider {
 	 * For multiple authenticators, Security_MultiAuthenticatorLogin is used.
 	 * See getTemplatesFor and getIncludeTemplate for how to override template logic
 	 *
-	 * @return string Returns the "login" page as HTML code.
+	 * @return string|SS_HTTPResponse Returns the "login" page as HTML code.
 	 */
 	public function login() {
 		// Check pre-login process