User.php

<?php

/**
 * Personal info
 * @property $LastName string
 * @property $FirstName string
 * @property $SecondName string
 * @property $FacultyID int
 * @property $FacultyName string
 * @property $FacultyAbbr string
 *
 * Account info
 * @property $ID int
 * @property $Login string
 * @property $EMail string
 * @property $Type string  teacher / student
 * @property $Role string  description
 * @property $RoleMark int
 * @property $IsEnabled bool
 * @property $Code
 * @property $UserAgent
 *
 * Session
 * @property-read $SemesterID int
 * @property-read $last_active int
 * @property-read $LoggedIn bool
 * @property-read $UserHash string
 * @property-read $PasswordHash string
 * @property-read $start_time int
 */
class User implements ArrayAccess
{
    protected static $_instance;
    protected $_session;
    protected $_config;
    protected $_userInfo;
    protected static $_flag;

    /**
     * todo: mark deprecated as singleton is an anti-pattern!
     * @return self class instance (singleton-pattern)
     */
    public static function instance($state = false) {
        self::$_flag = $state;
        if (!isset(self::$_instance)) {
            $config = Kohana::$config->load('account');
            self::$_instance = new self($config);
        }
        return self::$_instance;
    }


    private function __construct($config = array()) {
        $this->_config = $config;
        $this->_session = Session::instance();
        $this->_userInfo['RoleMark'] = (int)1;

        $this->_config['hash_key'] = Model_Account::getHashKey();
        $this->_config['hash_method'] = 'sha256';
        $isSignedIn = $this->isSignedIn();

        if ($isSignedIn) {
            $this->_userInfo = $this->_session->get('UserInfo');

            if (self::$_flag != true) {
                $this->_session->regenerate();
                $this->_session->set('start_time', time());
            }
        }
    }


    const RIGHTS_ANYBODY = 1;
    const RIGHTS_STUDENT = 2;
    const RIGHTS_TEACHER = 4;
    const RIGHTS_ADMIN = 8;
    const RIGHTS_DEAN = 16;

    /**
     * @param $mask
     * @throws LogicException
     */
    public function checkAccess($mask) {
        $goodBoy = $this->RoleMark & $mask;
        if (!$goodBoy) throw new LogicException(Error::ACCESS_DENIED);
    }

    public function isDean() {
        return (bool) ($this->RoleMark & self::RIGHTS_DEAN);
    }

    public function isAdmin() {
        return (bool) ($this->RoleMark & self::RIGHTS_ADMIN);
    }

    public function isTeacher() {
        return (bool) ($this->RoleMark & self::RIGHTS_TEACHER);
    }

    public function isStudent() {
        return (bool) ($this->RoleMark & self::RIGHTS_DEAN);
    }

    public function isAuthorized() {
        return (bool) ($this->RoleMark & ~self::RIGHTS_ANYBODY);
    }

    /**
     * Регистрирует нового пользователя и осуществляет вход.
     * Проверяет корректность кода активации и существование
     * аккаунтов с такими же авторизационными данными.
     *
     * @param string $code   Код активации
     * @param string $email  E-Mail адрес
     * @param string $login
     * @param string $password
     * @return array  Пару вида <tt>(is_ok, err_msg)</tt>
     */
    public function signUp($code, $email, $login, $password) {
        $account = Account::instance();

        $isValid = Model_Account::isActivationCodeValid($code);
        if (!$isValid) {
            return array(false, 'invalid_code');
        }

        $isLogin = $account->doesLoginExist($login);
        $isMail = $account->isMailValid($email);

        if ($isLogin) {
            return array(false, 'login_exists');
        } else {
            if ($isMail) {
                return array(false, 'mail_exists');
            }
        }

        $id = Model_Account::activateAccount($login, $password, $email, $code);
        $this->completeSignIn($id, $this->hash($password));
        return array(true, 'ok');
    }

    /**
     * Проверяет корректность авторизационных данных.
     *
     * @param string $login
     * @param string $password
     * @return bool  true, если авторизация прошла успешно,
     * и false, если данные являются некорректными.
     */
    public function signIn($login, $password) {
        $id = (int)Model_Account::checkAuth($login, $password);
        if ($id === -1) {
            return false;
        } else {
            return $this->completeSignIn($id, $this->hash($password));
        }
    }

    protected function completeSignIn($id, $passHash) {
        $source = $id . Request::$user_agent . Request::$client_ip;
        $userHash = $this->hash($source) . $this->_config['hash_key'];
        $passwordHash = $this->hash($passHash . $this->_config['hash_key']);
        Cookie::set('userhash', $passwordHash);

        $userInfo = Model_Account::getUserInfo($id);

        $this->_session->set('UserInfo', $userInfo);
        $this->_session->regenerate();
        $this->_session->set('ID', $id);
        $this->_session->set('LoggedIn', true);
        $this->_session->set('UserHash', $this->hash($userHash));
        $this->_session->set('PasswordHash', $passwordHash);
        $this->_session->set('start_time', time());
        $this->_session->set('SemesterID', $userInfo['SemesterID']);

        return true;
    }

    /**
     * Проверяет авторизационный статус пользователя и, если
     * пользователь имеет UserAgent и IP, отличные от хранимых
     * в сессии, осуществляет выход из текущего сеанса.
     *
     * @return bool  true, если пользователь авторизован
     */
    public function isSignedIn() {
        $session = &$this->_session;
        if ($session->get('LoggedIn') && !$this->checkHash()) {
            $this->completeSignOut();
        }
        return $this->_session->get('LoggedIn');
    }

    protected function checkHash() {
        $id = $this->_session->get('ID');
        $source = $id . Request::$user_agent . Request::$client_ip;
        $userHash = $this->hash($source) . $this->_config['hash_key'];
        $userCheck = $this->_session->get('UserHash') == $this->hash($userHash);
        $passCheck = Cookie::get('userhash') == $this->_session->get('PasswordHash');
        return $userCheck AND $passCheck;
    }

    /**
     * Завершает текущий сеанс пользователя.
     * @return bool
     */
    public function signOut() {
        if ($this->isSignedIn()) {
            return $this->completeSignOut();
        }
        return false;
    }

    protected function completeSignOut() {
        $this->_session
            ->set('ID', false)
            ->set('LoggedIn', false)
            ->set('UserHash', false);

        Cookie::delete('userhash');
        unset($this->_userInfo);
        $this->_session->restart();
        return true;
    }

    /**
     * Проверяет корректность данного пароля для текущего пользователя.
     *
     * @param string $password
     * @return bool
     */
    public function checkPassword($password) {
        if (!$this->isSignedIn())
            return false;

        $passHash = $this->hash($password);
        $computed = $this->hash($passHash . $this->_config['hash_key']);
        return $computed === $this->_session->get('PasswordHash');
    }

    public function changePassword($old, $new) {
        if (!$this->checkPassword($old))
            return false;

        Model_Account::changeAccountData($this->ID, $new, 'password');
        $passhash = $this->hash($this->hash($new) . $this->_config['hash_key']);
        $this->_session->set('PasswordHash', $passhash);
        Cookie::set('userhash', $passhash);
        return true;
    }

    public function changeLogin($login) {
        if (!$this->isSignedIn() || Account::instance()->doesLoginExist($login))
            return false;

        Model_Account::changeAccountData($this->ID, $login, 'login');
        return true;
    }

    public function changeMail($email) {
        if (!$this->isSignedIn() || Account::instance()->isMailValid($email))
            return false;

        $token = md5(time() . $this->EMail . $email);
        $this->_session->set('NewMail_Token', $token);
        $this->_session->set('NewMail_Adress', $email);
        return $token;
    }

    public function completeChangeMail($token) {
        $email = $this->_session->get('NewMail_Adress');
        if ($token == $this->_session->get('NewMail_Token') AND !Account::instance()->isMailValid($email)) {
            Model_Account::changeAccountData($this->ID, $email, 'email');
            return true;
        } else {
            return false;
        }
    }

    public function changeProfile($data) {
        if ($this->Type == 'teacher') {
            Model_Account::changeTeacherInfo($this['TeacherID'], $data['lastName'], $data['firstName'], $data['secondName'], $data['jobPositionID'], $data['departmentID']);
        }
    }

    /* Info */

    /**
     * Возвращает массив, содержащий пользовательские данные.
     *
     * @return  array
     */
    public function toArray() {
        if ($this->isSignedIn()) {
            return $this->_userInfo + $this->_session->as_array();
            // fixme: nobody knows what _session contains!
        } else {
            return array();
        }
    }


    /* Fields access */

    function __set($name, $value) {
        $this->offsetSet($name, $value);
    }

    function __get($name) {
        return $this->offsetGet($name);
    }

    public function offsetSet($offset, $value) {
        if ($this->_userInfo && array_key_exists($offset, $this->_userInfo)) {
            $this->_userInfo[$offset] = $value;
        } elseif (isset($offset, $this->_session)) {
            $this->_session[$offset] = $value;
        } else { // TODO: _userInfo may be null
            $this->_userInfo[$offset] = $value;
        }
    }

    public function offsetGet($offset) {
        if ($this->_userInfo && array_key_exists($offset, $this->_userInfo))
            return $this->_userInfo[$offset];
        else if (isset($offset, $this->_session))
            return $this->_session[$offset];

        throw new ErrorException('No such field');
    }

    public function offsetUnset($offset) {
        if (array_key_exists($offset, $this->_userInfo))
            unset($this->_userInfo[$offset]);
        else unset($this->_session[$offset]);
    }

    public function offsetExists($offset) {
        return array_key_exists($offset, $this->_userInfo) ||
            isset($this->_session[$offset]);
    }

    /**
     * Perform a hmac hash, using the configured method.
     *
     * @param   string $str string to hash
     * @return  string
     */
    protected function hash($str) {
        if (!$this->_config['hash_key']) {
            $this->_config['hash_key'] = $key = md5(time() . Request::$client_ip);
            Model_Account::setHashKey($key);
        }
        return hash_hmac($this->_config['hash_method'], $str, $this->_config['hash_key']);
    }
}