se/SE/se-lib/User.php

<?php

Lib::loadClass('UserProfile');
Lib::loadClass('Router');
Lib::loadClass('DebugExecutionTime');
Lib::loadClass('UserStorageFactory');

class User {

	public static function getLogin() {
		return V::get('ADM_ACCOUNT', '', $_SESSION);
	}

	public static function getName() {
		return V::get('ADM_ACCOUNT', '', $_SESSION);
	}

	public static function getID() {
		if (V::get('ADM_ID', 0, $_SESSION, 'int') <= 0) {
			self::_fetchMoreUserData();
		}
		return V::get('ADM_ID', '', $_SESSION);
	}

	public static function getType() {
		if (empty($_SESSION['EMPLOYEE_TYPE'])) {
			self::_fetchMoreUserData();
		}
		return V::get('EMPLOYEE_TYPE', '', $_SESSION);
	}

	public static function getFullName() {
		return V::get('ADM_NAME', '', $_SESSION);
	}

	public static function getInicjaly() {
		if (!array_key_exists('ADM_INICJALY_HANDLOWCA', $_SESSION)) {
			self::_fetchMoreUserData();
		}
		return $_SESSION['ADM_INICJALY_HANDLOWCA'];
	}

	public static function getDefaultAclGroup() {
		if (!array_key_exists('DEFAULT_ACL_GROUP', $_SESSION)) {
			self::_fetchMoreUserData();
		}
		return $_SESSION['DEFAULT_ACL_GROUP'];
	}

	public static function _fetchMoreUserData() {
		$login = self::getLogin();
		if (empty($login)) return false;
		$sql = "
			select u.ID as ADM_ID
				, u.INICJALY_HANDLOWCA as ADM_INICJALY_HANDLOWCA
				, u.EMPLOYEE_TYPE
				, u.DEFAULT_ACL_GROUP
			from `ADMIN_USERS` u
			where `ADM_ACCOUNT`='{$login}'
		";
		if ($userInfo = DB::getPDO()->fetchFirstNoLog($sql)) {
			$_SESSION['ADM_ID'] = $userInfo['ADM_ID'];
			$_SESSION['ADM_INICJALY_HANDLOWCA'] = $userInfo['ADM_INICJALY_HANDLOWCA'];
			$_SESSION['EMPLOYEE_TYPE'] = $userInfo['EMPLOYEE_TYPE'];
			$_SESSION['DEFAULT_ACL_GROUP'] = $userInfo['DEFAULT_ACL_GROUP'];
			return $userInfo;
		}
		return [];
	}

	public static function logged() {
		return (!empty($_SESSION['AUTHORIZE_USER']))? true : false;
	}

	public static function get( $key ) {
		return V::get($key, '', $_SESSION);
	}

	public static function getGroups() {
		$groups = User::_fetchGroups();
		return $groups;
	}

	public static function getGroupsIds() {
		$groups = User::_fetchGroups();
		return array_keys($groups);
	}

	public static function _fetchGroups() {
		static $_groups;
		if (!$_groups) {
			$user_id = User::getID();
			Lib::loadClass('UsersHelper');
			$_groups = UsersHelper::getGroupByUser($user_id);
		}
		return $_groups;
	}

	public static function loadProfile($force = false) {
		return UserProfile::load($force);
	}

	public static function saveProfile() {
		return UserProfile::save();
	}

	public static function getProfile($key) {
		return UserProfile::get($key);
	}

	public static function setProfile($key, $val) {
		UserProfile::set($key, $val);
	}

	public static function getProfileColumn($column_name, $key) {
		return UserProfile::getColumn($column_name, $key);
	}

	public static function setProfileColumn($column_name, $key, $value) {
		UserProfile::setColumn($column_name, $key, $value);
	}

	public static function removeProfileColumn($column_name, $key) {
		UserProfile::removeColumn($column_name, $key);
	}

	public static function isAdmin() {
		if (in_array(self::get('ADM_ADMIN_LEVEL'), array(0, 1))) {
			return true;
		}
		return false;
	}

	public static function getRawData() {
		$ret = array();
		if (self::logged()) {
			$ret['id'] = self::getID();
			$ret['login'] = self::getName();
			$ret['name'] = self::get('ADM_NAME');
			$ret['admin_level'] = self::get('ADM_ADMIN_LEVEL');
			$ret['opis'] = self::get('ADM_ADMIN_DESC');
		}
		return $ret;
	}

	public static function getCurrentUserObject() {
		$user = new stdClass();
		if (self::logged()) {
			$user->ID = $_SESSION['ADM_ID'];
			$user->ADM_ACCOUNT = $_SESSION['AUTHORIZE_USER'];
			$user->ADM_ACCOUNT = $_SESSION['ADM_ACCOUNT'];
			$user->ADM_NAME = $_SESSION['ADM_NAME'];
			$user->ADM_TECH_WORKER = $_SESSION['ADM_TECH_WORKER'];
			$user->ADM_COMPANY = $_SESSION['ADM_COMPANY'];
			$user->ADM_ADMIN_LEVEL = $_SESSION['ADM_ADMIN_LEVEL'];
			$user->ADM_PHONE = $_SESSION['ADM_PHONE'];
			$user->ADM_ADMIN_EXPIRE = $_SESSION['ADM_ADMIN_EXPIRE'];
			$user->ADM_ADMIN_DESC = $_SESSION['ADM_ADMIN_DESC'];
			$user->EMPLOYEE_TYPE = $_SESSION['EMPLOYEE_TYPE'];
		}
		return $user;
	}

	public static function getAcl($acl = null) {
		static $_acl;
		if ($_acl) return $_acl;
		if (null !== $acl) {// force set acl
			$_acl = $acl;
			return $_acl;
		}
		Lib::loadClass('UserAcl');
		$_acl = new UserAcl(self::getID(), $use_cache = true);
		$_acl->fetchGroups();
		return $_acl;
	}

	public static function reloadAcl() {
		IF('123'==V::get('DBG_ACL','',$_GET)){echo'<pre style="max-height:200px;overflow:auto;border:1px solid red;text-align:left;">SESSION KEYS (' . __CLASS__ . '::' . __FUNCTION__ . ':' . __LINE__ . '): [';echo implode(',', array_keys($_SESSION));echo']</pre>';}
		/*
		 * [3] => USER_PROFILE
		 * [29] => CRM_PROCES_USERA_WYKONANE_TESTY-4517
		 * [30] => TableAjax_Cache
		 */
		IF('123'==V::get('DBG_ACL','',$_GET)){echo'<pre style="max-height:200px;overflow:auto;border:1px solid red;text-align:left;">CONFIG (' . __CLASS__ . '::' . __FUNCTION__ . ':' . __LINE__ . '): ';print_r($_SESSION['CONFIG']);echo'</pre>';}
		IF('123'==V::get('DBG_ACL','',$_GET)){echo'<pre style="max-height:200px;overflow:auto;border:1px solid red;text-align:left;">TableAjax_Cache (' . __CLASS__ . '::' . __FUNCTION__ . ':' . __LINE__ . '): ';print_r($_SESSION['TableAjax_Cache']);echo'</pre>';}
		unset($_SESSION['TableAcl_cache']);
		unset($_SESSION['Typespecial_Cache']);
		unset($_SESSION['ADM_INICJALY_HANDLOWCA']);
		unset($_SESSION['EMPLOYEE_TYPE']);
		unset($_SESSION['DEFAULT_ACL_GROUP']);
		IF('123'==V::get('DBG_ACL','',$_GET)){echo'<pre style="max-height:200px;overflow:auto;border:1px solid red;text-align:left;">SESSION KEYS (' . __CLASS__ . '::' . __FUNCTION__ . ':' . __LINE__ . '): [';echo implode(',', array_keys($_SESSION));echo']</pre>';}
		$testySesKey = 'CRM_PROCES_USERA_WYKONANE_TESTY-' . User::getID();
		if (isset($_SESSION[$testySesKey])) unset($_SESSION[$testySesKey]);
		$userAcl = User::getAcl();
		$userAcl->fetchAllPerms(true);
	}

	public static function auth() {
		$route = V::get('_route', '', $_REQUEST);
		if (!empty($route)) {
			Router::handleAuth($route);
		} else {
			self::authByRequest();
		}

		if (User::logged() && !V::get('ADM_ACL_LOADED', false, $_SESSION)) {
			$userAcl = User::getAcl();
			$userAcl->fetchAllPerms();
			$_SESSION['ADM_ACL_LOADED'] = true;
		}

		if (User::logged() && User::isAdmin()) {
			if (V::get('DBG_ON', '', $_REQUEST)) {
				DBG::activate();
			}
		}
		if (V::get('DBG_OFF', '', $_REQUEST)) {
			DBG::deactivate();
		}
	}

	public static function authByRequest() {
		$task = V::get('LOGIN', '', $_REQUEST);

		$data = array();
		$data['errors'] = array();
		Lib::loadClass('Config');
		$data['ALLOW_GUEST_ACCOUNT'] = (int)Config::get('ALLOW_GUEST_ACCOUNT');

		switch ($task) {
			case 'LOGIN':
				if (!User::logged()) {
					$req_ADM_ACCOUNT = (isset($_REQUEST['ADM_ACCOUNT']))? $_REQUEST['ADM_ACCOUNT'] : '';
					$req_ADM_PASSWD = (isset($_REQUEST['ADM_PASSWD']))? $_REQUEST['ADM_PASSWD'] : '';
					if (empty($req_ADM_ACCOUNT) || empty($req_ADM_PASSWD)) {
						$data['errors'][] = "Proszę podać poprawny login i hasło!";
					} else {
						try {
							User::login($req_ADM_ACCOUNT, $req_ADM_PASSWD);
						} catch (Exception $e) {
							$data['errors'][] = $e->getMessage();

							session_destroy();
							unset($_SESSION['AUTHORIZE_USER']);
							unset($_SESSION['ADM_ACCOUNT']);

							Router::getRoute('Users')->logoutView($data);
							exit;
						}
					}
				}
				break;

			case 'LOGOUT':
				if (User::logged()) {

					$_SESSION = array();
					session_destroy();// Remove the server-side session information.
					session_write_close();
					session_start();
					session_regenerate_id(true);

					Router::getRoute('Users')->logoutView($data);
					exit;
				}
				break;

			case 'PERMS_RELOAD':
				if (User::logged()) {
					try {
						$dbgExecTime = new DebugExecutionTime();
						$dbgExecTime->activate();
						$dbgExecTime->log('start');

						$routeFixCrmProcesInitIdx = Router::getRoute('FixCrmProcesInitIdx');
						if ($routeFixCrmProcesInitIdx) {
							$routeFixCrmProcesInitIdx->runMethod('callProcedure');
						}

						$dbgExecTime->log('FixCrmProcesInitIdx::callProcedure');
						$fixAllPermsExecTime = $dbgExecTime->getLastExecTime();

						User::reloadAcl();

						$dbgExecTime->log('User::reloadAcl');
						$fixUserPermsExecTime = $dbgExecTime->getLastExecTime();

					} catch (Exception $e) {
						$data['errors'][] = $e->getMessage();
					}

					Router::getRoute('Users')->reloadPermsView($data, $fixUserPermsExecTime);
					exit;
				}
				break;

			case 'ANONYMOUS_LOGIN':
				if (!User::logged()) {
					if ($data['ALLOW_GUEST_ACCOUNT'] != 1) {
						$data['errors'][] = "Zablokowane logowaniwe na konto gościa!";
					}
					else {
						$anonim = User::getAnonymousAccount();
						if (!$anonim) {
							$data['errors'][] = "Konto gościa nie istnieje!";
						} else {
							try {
								User::login($anonim->ADM_ACCOUNT, $anonim->ADM_PASSWD);
							} catch (Exception $e) {
								$data['errors'][] = $e->getMessage();
							}
						}
					}
				}
				break;

			default:

		}

		if (!User::logged()) {
			Router::getRoute('Users')->loginView($data);
			exit;
		}
	}

	public static function kandydatLogin($kandydatId, &$errors = array()) {
		$user = self::kandydatLoginByDB($kandydatId, $errors);
		if ($user) {
			$_SESSION['ADM_ID'] = $user->ID;
			$_SESSION['AUTHORIZE_USER'] = $user->ADM_ACCOUNT;
			$_SESSION['ADM_ACCOUNT'] = $user->ADM_ACCOUNT;
			//$_SESSION['ADM_AREA'] = $user->ADM_AREA;
			$_SESSION['ADM_NAME'] = $user->ADM_NAME;
			$_SESSION['ADM_TECH_WORKER'] = $user->ADM_TECH_WORKER;
			$_SESSION['ADM_COMPANY'] = $user->ADM_COMPANY;
			$_SESSION['ADM_ADMIN_LEVEL'] = $user->ADM_ADMIN_LEVEL;
			$_SESSION['ADM_PHONE'] = $user->ADM_PHONE;
			$_SESSION['ADM_ADMIN_EXPIRE'] = $user->ADM_ADMIN_EXPIRE;
			$_SESSION['ADM_ADMIN_DESC'] = $user->ADM_ADMIN_DESC;
			$_SESSION['EMPLOYEE_TYPE'] = $user->EMPLOYEE_TYPE;

			// save user pass in encrypted form
			Lib::loadClass('Crypt');
			$_SESSION['ADM_PASS_HASH'] = Crypt::encrypt($pass);
			$_SESSION['EMAIL_IMAP_IMPORT_PASSWD_HASH'] = Crypt::encrypt($user->EMAIL_IMAP_IMPORT_PASSWD);
			$_SESSION['EMAIL_IMAP_IMPORT_HOST'] = $user->EMAIL_IMAP_IMPORT_HOST;
			$_SESSION['EMAIL_IMAP_IMPORT_USERNAME'] = $user->EMAIL_IMAP_IMPORT_USERNAME;
			//$keyFromHash = Crypt::decrypt($_SESSION['ADM_PASS_HASH']);

			$userAcl = User::getAcl();
			$userAcl->fetchAllPerms();

			return true;
		}

		return false;
	}

	public static function login($login, $pass) {
		Lib::loadClass('LDAP');
		$ldap = LDAP::getInstance();

		if ($ldap != null && $ldap->isConnected()) {
			$user = self::loginByLDAP($login, $pass);

			if ($user) { // user logged in by ldap - update password hash in db
				DB::getPDO()->update('ADMIN_USERS', 'ID', $user->ID, [
					'ADM_PASSWD_AES' => hash('sha512', $pass), // Mysql: SHA2('{$pass}', 512)
				]);
			}

		} else {
			$user = self::loginByDB($login, $pass);
		}
		if ($user) {
			$_SESSION['ADM_ID'] = $user->ID;
			$_SESSION['AUTHORIZE_USER'] = $user->ADM_ACCOUNT;
			$_SESSION['ADM_ACCOUNT'] = $user->ADM_ACCOUNT;
			//$_SESSION['ADM_AREA'] = $user->ADM_AREA;
			$_SESSION['ADM_NAME'] = $user->ADM_NAME;
			$_SESSION['ADM_TECH_WORKER'] = $user->ADM_TECH_WORKER;
			$_SESSION['ADM_COMPANY'] = $user->ADM_COMPANY;
			$_SESSION['ADM_ADMIN_LEVEL'] = $user->ADM_ADMIN_LEVEL;
			$_SESSION['ADM_PHONE'] = $user->ADM_PHONE;
			$_SESSION['ADM_ADMIN_EXPIRE'] = $user->ADM_ADMIN_EXPIRE;
			$_SESSION['ADM_ADMIN_DESC'] = $user->ADM_ADMIN_DESC;
			$_SESSION['EMPLOYEE_TYPE'] = $user->EMPLOYEE_TYPE;

			// save user pass in encrypted form
			Lib::loadClass('Crypt');
			$_SESSION['ADM_PASS_HASH'] = Crypt::encrypt($pass);
			$_SESSION['EMAIL_IMAP_IMPORT_PASSWD_HASH'] = Crypt::encrypt($user->EMAIL_IMAP_IMPORT_PASSWD);
			$_SESSION['EMAIL_IMAP_IMPORT_HOST'] = $user->EMAIL_IMAP_IMPORT_HOST;
			$_SESSION['EMAIL_IMAP_IMPORT_USERNAME'] = $user->EMAIL_IMAP_IMPORT_USERNAME;
			//$keyFromHash = Crypt::decrypt($_SESSION['ADM_PASS_HASH']);

			$userAcl = User::getAcl();
			$userAcl->fetchAllPerms();
			$_SESSION['ADM_ACL_LOADED'] = true;

			return true;
		}

		return false;
	}

	public static function loginByLDAP($login, $pass) {
		$ldapUser = array();

		$DBG = false;

		Lib::loadClass('LDAP');
		$ldap = LDAP::getInstance();

		if (!$ldap->isConnected()) {
			throw new Exception("Wystąpiły błędy podczas połączenia do bazy LDAP. Spróbuj ponownie za chwilę.");
		}

		$filter = (false !== strpos($login, '@'))? "(mail={$login})" : "(uid={$login})";
		//$filter = "cn=*";// show all ldap accounts
		$justthese = array();//array("uid", "givenName", "mail", "*");
		if($DBG){echo'<pre style="max-height:200px;overflow:auto;border:1px solid red;text-align:left;">ldap_search (' . __CLASS__ . '::' . __FUNCTION__ . ':' . __LINE__ . '): ';print_r(array('ldaprdn'=>$ldap->getBaseDN(), 'filter'=>$filter, 'justthese'=>$justthese));echo'</pre>';}
		$res = $ldap->search($filter, 'cn=users', $justthese);
		if ($ldap->count_entries($res) > 0) {
			$entry = $ldap->first_entry($res);
			if ($entry) {
				$ldapUser['user_dn'] = $ldap->get_dn($entry);

				$val = $ldap->get_values($entry, 'uid');
				$ldapUser['uid'] = $val[0];
				$val = $ldap->get_values($entry, 'mail');
				$ldapUser['mail'] = $val[0];
				$val = $ldap->get_values($entry, 'cn');
				$ldapUser['cn'] = $val[0];
			} else {
				throw new Exception("Login nie istnieje");
			}
			if($DBG){// test
				echo'<pre style="overflow:auto;border:1px solid green;">';
				// print number of entries found
				echo "Number of entries found: " . $ldap->count_entries($res) . "\n";
				while ( $entry ) {
					$dn = $ldap->get_dn($entry);
					echo "<b>$dn</b>\n";
					$attrs = $ldap->get_attributes($entry);
					for ( $i=0; $i < $attrs['count']; $i++) {
						echo "$attrs[$i]: ";
						for ( $j=0; $j < $attrs[$attrs[$i]]['count']; $j++ ) {
							echo $attrs[$attrs[$i]][$j] . " ";
						}
						echo "\n";
					}
					echo "\n";
					$entry = $ldap->next_entry($entry);
				}
				$ldap->free_result($res);
				echo'</pre>';
			}// test
		}

		if (!$ldapUser['user_dn']) {
			throw new Exception("Proszę podać poprawny login i hasło!");
		}

		if($DBG){echo'<pre style="max-height:200px;overflow:auto;border:1px solid red;text-align:left;">LDAP user (' . __CLASS__ . '::' . __FUNCTION__ . ':' . __LINE__ . '): ';print_r($ldapUser);echo'</pre>';}
		if($DBG){echo'<pre style="max-height:200px;overflow:auto;border:1px solid red;text-align:left;">ldap_bind (' . __CLASS__ . '::' . __FUNCTION__ . ':' . __LINE__ . '): ';print_r(array('ldaprdn'=>$ldapUser['user_dn'], 'pass'=>'***'));echo'</pre>';}
		$ldapbind = $ldap->bind($ldapUser['user_dn'], $pass, $errorMsg);
		if (!$ldapbind && "Error Binding to LDAP: No additional information is available." === $errorMsg) throw new Exception("Nieprawidłowy login lub hasło");
		if (!$ldapbind) throw new Exception("Wystąpiły błędy podczas próby logowania. {$errorMsg}");

		$user = new stdClass();
		$user->AUTHORIZE_USER = $ldapUser['uid'];
		$user->ADM_ACCOUNT = $ldapUser['uid'];
		$user->ADM_NAME = $ldapUser['cn'];
		$user->OTHER_INFO = $ldapUser['mail'];

		$rawUser = DB::getPDO()->fetchFirst("
			select u.*
			from ADMIN_USERS u
			where u.ADM_ACCOUNT = :login
				and u.A_STATUS in('WAITING', 'NORMAL')
		", [
			':login' => $user->ADM_ACCOUNT,
		]);
		if (!$rawUser) throw new Exception("Wystąpiły błędy podczas próby logowania. Brak użytkownika w bazie danych.");
		$user->ID = $rawUser['ID'];
		$user->ADM_TECH_WORKER = $rawUser['ADM_TECH_WORKER'];
		$user->ADM_COMPANY = $rawUser['ADM_COMPANY'];
		$user->ADM_ADMIN_LEVEL = $rawUser['ADM_ADMIN_LEVEL'];
		$user->ADM_PHONE = $rawUser['ADM_PHONE'];
		$user->ADM_ADMIN_EXPIRE = $rawUser['ADM_ADMIN_EXPIRE'];
		$user->ADM_ADMIN_DESC = $rawUser['ADM_ADMIN_DESC'];
		$user->EMAIL_IMAP_IMPORT_PASSWD = $rawUser['EMAIL_IMAP_IMPORT_PASSWD'];
		$user->EMAIL_IMAP_IMPORT_HOST = $rawUser['EMAIL_IMAP_IMPORT_HOST'];
		$user->EMAIL_IMAP_IMPORT_USERNAME = $rawUser['EMAIL_IMAP_IMPORT_USERNAME'];
		$user->EMPLOYEE_TYPE = $rawUser['EMPLOYEE_TYPE'];
		return $user;
	}

	public static function loginByDB($login, $pass) {
		$rawUser = DB::getPDO()->fetchFirst("
			select u.*
			from ADMIN_USERS u
			where u.ADM_ACCOUNT = :login
				and u.ADM_PASSWD_AES = :pass_hash
				and u.A_STATUS in('WAITING', 'NORMAL')
		", [
			':login' => $login,
			':pass_hash' => hash('sha512', $pass),
		]);
		if (!$rawUser) { // TODO: error log - change password for user
			error_log("TODO: update password hash for user '{$login}'");
			$rawUser = DB::getPDO()->fetchFirst("
				select u.*
				from ADMIN_USERS u
				where u.ADM_ACCOUNT = :login
					and ( u.ADM_PASSWD = :pass or u.ADM_PASSWD = md5( :pass ) )
					and u.ADM_PASSWD != ''
					and u.A_STATUS in('WAITING', 'NORMAL')
			", [
				':login' => $login,
				':pass' => $pass,
			]);
		}
		if (!$rawUser) throw new Exception("Proszę podać poprawny login i hasło!");
		$user = new stdClass();
		$user->ID = $rawUser['ID'];
		$user->ADM_TECH_WORKER = $rawUser['ADM_TECH_WORKER'];
		$user->ADM_COMPANY = $rawUser['ADM_COMPANY'];
		$user->AUTHORIZE_USER = $rawUser['ADM_ACCOUNT'];
		$user->ADM_ACCOUNT = $rawUser['ADM_ACCOUNT'];
		$user->ADM_NAME = $rawUser['ADM_NAME'];
		$user->ADM_ADMIN_LEVEL = $rawUser['ADM_ADMIN_LEVEL'];
		$user->ADM_PHONE = $rawUser['ADM_PHONE'];
		$user->ADM_ADMIN_EXPIRE = $rawUser['ADM_ADMIN_EXPIRE'];
		$user->ADM_ADMIN_DESC = $rawUser['ADM_ADMIN_DESC'];
		$user->EMAIL_IMAP_IMPORT_PASSWD = $rawUser['EMAIL_IMAP_IMPORT_PASSWD'];
		$user->EMAIL_IMAP_IMPORT_HOST = $rawUser['EMAIL_IMAP_IMPORT_HOST'];
		$user->EMAIL_IMAP_IMPORT_USERNAME = $rawUser['EMAIL_IMAP_IMPORT_USERNAME'];
		$user->EMPLOYEE_TYPE = $rawUser['EMPLOYEE_TYPE'];
		//$user->ADM_AREA = $rawUser['ADM_AREA'];
		//$_SESSION['ADM_PASSWD'] = $pass;
		return $user;
	}

	public static function kandydatLoginByDB($kandydatId, &$errors) {
		$db = DB::getDB();
		$kandydatId = (int)$kandydatId;
		$sql = "SELECT u.*
			from `ADMIN_USERS` as u
			where
				u.`ID`='{$kandydatId}'
				and u.`A_STATUS` in('WAITING','NORMAL')
			LIMIT 0, 1;
		";
		$res = $db->query($sql);
		if (!$res) {
			die("Error SQL login!");
		}
		$num_rows = $db->num_rows($res);
		if ($num_rows == 0) {
			$errors[] =  "Podales zlego uzytkownika lub/i haslo()";
		}
		else if ($num_rows == 1) {
			if ($r = $db->fetch($res)) {
				$user = new stdClass();
				$user->ID = $r->ID;
				$user->ADM_TECH_WORKER = $r->ADM_TECH_WORKER;
				$user->ADM_COMPANY = $r->ADM_COMPANY;
				$user->AUTHORIZE_USER = $r->ADM_ACCOUNT;
				$user->ADM_ACCOUNT = $r->ADM_ACCOUNT;
				$user->ADM_NAME = $r->ADM_NAME;
				$user->ADM_ADMIN_LEVEL = $r->ADM_ADMIN_LEVEL;
				$user->ADM_PHONE = $r->ADM_PHONE;
				$user->ADM_ADMIN_EXPIRE = $r->ADM_ADMIN_EXPIRE;
				$user->ADM_ADMIN_DESC = $r->ADM_ADMIN_DESC;
				$user->EMAIL_IMAP_IMPORT_PASSWD = $r->EMAIL_IMAP_IMPORT_PASSWD;
				$user->EMAIL_IMAP_IMPORT_HOST = $r->EMAIL_IMAP_IMPORT_HOST;
				$user->EMAIL_IMAP_IMPORT_USERNAME = $r->EMAIL_IMAP_IMPORT_USERNAME;
				$user->EMPLOYEE_TYPE = $r->EMPLOYEE_TYPE;
				//$user->ADM_AREA = "$r->ADM_AREA";
				//$_SESSION['ADM_PASSWD'] = $pass;
				return $user;
			}
		}
		return false;
	}

	public static function changePassword($login, $oldPass, $newPass) {
		if (!is_string($newPass)) throw new Exception("Błąd parametru");
		if (strlen($newPass) < 8) throw new Exception("Hasło zbyt krótkie (min. 8 znaków)"); // TODO regex 1 mala litera, 1 mala litera, 1 cyfra, min. 8 znakow
		if (!self::logged()) throw new Exception("Użytkownik niezalogwany");

		Lib::loadClass('LDAP');
		$ldap = LDAP::getInstance();

		if ($ldap != null && $ldap->isConnected()) {
			return self::changePasswordLDAP($login, $oldPass, $newPass);
		} else {
			return self::changePasswordDB($login, $oldPass, $newPass);
		}
	}

	public static function changePasswordLDAP($login, $oldPass, $newPass) {
		$usrStorageLdap = UserStorageFactory::getStorage('MacOSX');
		if (!$usrStorageLdap) throw new Exception("Error storage Ldap not exists");

		try {
			$user = self::loginByLDAP($login, $oldPass);
		} catch (Exception $e) {
			throw new Exception("Błędne hasło");
		}
		if (!$user) throw new Exception("Błąd weryfikacji użytkownika");

		if (!$usrStorageLdap->changePassword($login, $newPass)) {
			throw new Exception("Błąd podczas zmiany hasła");
		}

		$affected = DB::getPDO()->update('ADMIN_USERS', 'ID', $user->ID, [
			'ADM_PASSWD' => '',
			'ADM_PASSWD_AES' => hash('sha512', $newPass), // Mysql: SHA2('{$pass}', 512)
		]);
		return ($affected > 0);
	}

	public static function changePasswordDB($login, $oldPass, $newPass) {
		try {
			$user = self::loginByDB($login, $oldPass);
		} catch (Exception $e) {
			throw new Exception("Błędne hasło");
		}
		if (!$user) throw new Exception("Błąd weryfikacji użytkownika");

		$affected = DB::getPDO()->update('ADMIN_USERS', 'ID', $user->ID, [
			'ADM_PASSWD' => '',
			'ADM_PASSWD_AES' => hash('sha512', $newPass), // Mysql: SHA2('{$pass}', 512)
		]);
		return ($affected > 0);
	}

	/**
	 * Check user access.
	 * @param string $name
	 *   'menu' - access to view menu
	 *
	 * @from [4101] ADM_ADMIN_LEVEL
	 *   Poziom uprawnień - każdy powinien mieć poziom o numerze 3
	 *   kierownicy powinni mieć 2
	 *   a administratorzy 0
	 *   kandydaci poziom 6.
	 *   Poziom 1 umożliwia edycje procesów i zasobów
	 *   poziom 2 umożliwia ocenę testów
	 *   poziom 3 umożliwia widzenie systemu jakości.
	 */
	public static function hasAccess($name) {
		switch ($name) {
			case 'menu': {
				if (User::get('ADM_ADMIN_LEVEL') < 6) {
					return true;
				}
				else {
					Lib::loadClass('Config');
					$ALLOW_GUEST_ACCOUNT = (int)Config::get('ALLOW_GUEST_ACCOUNT');
					if ($ALLOW_GUEST_ACCOUNT && User::getLogin() == 'anonymous') {
						return true;
					}
				}
				break;
			}
			case 'dbg': {
				return (0 == User::get('ADM_ADMIN_LEVEL'));
				break;
			}
			case 'procesy': {
				if (User::get('ADM_ADMIN_LEVEL') < 4) return true;
				break;
			}
			case 'procesy_admin': {
				if (User::get('ADM_ADMIN_LEVEL') < 2) return true;
				break;
			}
			case 'testy': {
				if (User::get('ADM_ADMIN_LEVEL') <= 6) return true;
				break;
			}
			case 'testy_wyniki': {
				if (User::get('ADM_ADMIN_LEVEL') < 3) return true;
				break;
			}
			case 'testy_wyniki_edit': {
				if (User::get('ADM_ADMIN_LEVEL') < 3) return true;
				break;
			}
			case 'testy_wyniki_read': {
				if (User::get('ADM_ADMIN_LEVEL') < 3) return true;
				break;
			}
			case 'user_add_group': {
				if (User::get('ADM_ADMIN_LEVEL') < 1) return true;
				break;
			}
			default:

		}
		return false;
	}

	public static function hasAccessToEditTable($tableName) {
		if (empty($tableName)) return;
		$userAcl = User::getAcl();
		$userAcl->fetchGroups();
		Lib::loadClass('ProcesHelper');
		$zasobID = ProcesHelper::getZasobTableID($tableName);
		if (!$userAcl->hasTableAcl($zasobID)) {
			return false;
		}
		$tblAcl = $userAcl->getTableAcl($zasobID);
		if (empty($tblAcl)) {
			echo "Brak dostępu do tabeli nr {$zasobID} '{$tableName}'"; return;
			//throw new Exception("Brak dostępu do tabeli nr {$zasobID} '{$tableName}'");
		}
		$tblAcl->init();
		return $tblAcl->hasEditPerms();
	}

	public static function hasGroup($groupName) {
		// TODO: find group by name @see self::getGroups() @used in SchemaReaderProcess
		return false;
	}

	public static function getAnonymousAccount() {
		$db = DB::getDB();
		if (!$db) die("Error DB connection!");
		$sql = "select u.*
			from `ADMIN_USERS` as u
			where
				u.`ADM_ACCOUNT`='anonymous'
				and u.`EMPLOYEE_TYPE`='Anonymous'
				and u.`A_STATUS` in('NORMAL')
			order by u.`ID` asc
			limit 1
		";
		$res = $db->query($sql);
		if (!$res) die("Error SQL login!");

		$num_rows = $db->num_rows($res);
		if ($r = $db->fetch($res)) {
			//$_SESSION['ADM_PASSWD'] = $pass;
			$user = new stdClass();
			$user->ID = "$r->ID";
			$user->AUTHORIZE_USER = "$r->ADM_ACCOUNT";
			$user->ADM_ACCOUNT = "$r->ADM_ACCOUNT";
			$user->ADM_PASSWD = "$r->ADM_PASSWD";
			//$user->ADM_AREA = "$r->ADM_AREA";
			$user->ADM_NAME = "$r->ADM_NAME";
			$user->ADM_TECH_WORKER = "$r->ADM_TECH_WORKER";
			$user->ADM_COMPANY = "$r->ADM_COMPANY";
			$user->ADM_ADMIN_LEVEL = "$r->ADM_ADMIN_LEVEL";
			$user->ADM_PHONE = "$r->ADM_PHONE";
			$user->ADM_ADMIN_EXPIRE = "$r->ADM_ADMIN_EXPIRE";
			$user->ADM_ADMIN_DESC = "$r->ADM_ADMIN_DESC";
			return $user;
		}
		return false;
	}

	public static function getLdapGroups() {
		$ldapGroups = User::_fetchLdapGroups();
		return $ldapGroups;
	}

	public static function getLdapGroupsNames() {
		$ldapGroupsNames = array();
		$ldapGroups = User::_fetchLdapGroups();
		foreach ($ldapGroups as $kID => $vLDAPGroup) {
			$ldapGroupsNames[$kID] = $vLDAPGroup->cn;
		}
		return $ldapGroupsNames;
	}

	public static function getLdapGroupsIds() {
		$ldapGroups = User::_fetchLdapGroups();
		$gidNumbers = array();
		if (!empty($ldapGroups)) {
			foreach ($ldapGroups as $vLdapGroup) {
				$gidNumbers[] = $vLdapGroup->gidNumber;
			}
		}
		return $gidNumbers;
	}

	public static function _fetchLdapGroups() {
		static $_groups;
		if (!$_groups) {
			$login = User::getLogin();
			Lib::loadClass('UsersLdapHelper');
			$_groups = UsersLdapHelper::getUserGroups($login, 3);
			//echo'<pre style="max-height:200px;overflow:auto;border:1px solid red;text-align:left;">getLDAPGroupByUserName (' . __CLASS__ . '::' . __FUNCTION__ . ':' . __LINE__ . '): ';print_r($_groups);echo'</pre>';
		}
		return $_groups;
	}

}