by pencilo 4501 days ago
SSLVerifySignedServerKeyExchange in http://opensource.apple.com/source/Security/Security-55471/l...

If you want to see my favorite SSL bug ever.

2 comments

Oh god, that's horrifying. Get ready to check certificate validity, then report success before actually checking validity!
Wow. Maybe the inconsistent indentation and brackets-optional formatting helped the bug both arrive and persist?

Perhaps a preferable practice for security-conscious code would be to only set a success value after all checks have passed, rather than trust intervening logic to reset a default-success value to an error value before return.
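The two control-flow patterns the comment contrasts, as an added illustration written for this thread rather than code from Apple's Security framework: `step()` and `verify_signature()` are constructed stand-ins for the hash-update and signature-check calls, and the duplicated `goto fail;` reproduces the defect the thread discusses.

```c
#include <stdio.h>

/* Constructed illustration, not Apple's SSLVerifySignedServerKeyExchange.
 * Every check returns 0 on success and a nonzero error otherwise, in the
 * OSStatus style the original uses. */
enum { OK = 0, ERR_BAD_STEP = -1, ERR_BAD_SIGNATURE = -2 };

/* Stand-in for a hash-update step; `fail_at` picks which step reports an
 * error (0 = all steps pass). */
static int step(int n, int fail_at) { return n == fail_at ? ERR_BAD_STEP : OK; }
/* Stand-in for the final signature check. */
static int verify_signature(int sig_ok) { return sig_ok ? OK : ERR_BAD_SIGNATURE; }

/* Pattern 1 (the defect): err starts at OK and relies on each later check to
 * overwrite it. The duplicated goto jumps straight to the return with the
 * signature check skipped and err still OK, so a bad signature "verifies". */
int verify_default_success(int fail_at, int sig_ok)
{
    int err = OK;
    if ((err = step(1, fail_at)) != 0)
        goto fail;
    if ((err = step(2, fail_at)) != 0)
        goto fail;
        goto fail;                     /* duplicated line: unconditional */
    if ((err = verify_signature(sig_ok)) != 0)   /* never reached */
        goto fail;
fail:
    return err;
}

/* Pattern 2 (the comment's suggestion): err starts as a failure and becomes
 * OK only on the single path that has run every check. With the same
 * duplicated goto the function now fails closed for every input, which a
 * basic positive test would catch immediately. */
int verify_default_failure(int fail_at, int sig_ok)
{
    int err = ERR_BAD_SIGNATURE;       /* pessimistic default */
    int rc;
    if ((rc = step(1, fail_at)) != 0) { err = rc; goto fail; }
    if ((rc = step(2, fail_at)) != 0) { err = rc; goto fail; }
        goto fail;                     /* same duplicated line */
    if ((rc = verify_signature(sig_ok)) != 0) { err = rc; goto fail; }
    err = OK;                          /* only reachable after all checks */
fail:
    return err;
}

int main(void)
{
    printf("bad signature, default-success pattern: %d\n", verify_default_success(0, 0));
    printf("bad signature, default-failure pattern: %d\n", verify_default_failure(0, 0));
    return 0;
}
```

Compiling with clang's `-Wunreachable-code` reports the skipped signature check in both variants, which is the kind of warning a CI build for this code could have treated as an error.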