<?php
/*********************************************************************************
 *
 * TimeTrex is a Workforce Management program developed by
 * TimeTrex Software Inc. Copyright (C) 2003 - 2021 TimeTrex Software Inc.
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU Affero General Public License version 3 as published by
 * the Free Software Foundation with the addition of the following permission
 * added to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED
 * WORK IN WHICH THE COPYRIGHT IS OWNED BY TIMETREX, TIMETREX DISCLAIMS THE
 * WARRANTY OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
 * details.
 *
 *
 * You should have received a copy of the GNU Affero General Public License along
 * with this program; if not, see http://www.gnu.org/licenses or write to the Free
 * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301 USA.
 *
 *
 * You can contact TimeTrex headquarters at Unit 22 - 2475 Dobbin Rd. Suite
 * #292 West Kelowna, BC V4T 2E9, Canada or at email address info@timetrex.com.
 *
 *
 * The interactive user interfaces in modified source and object code versions
 * of this program must display Appropriate Legal Notices, as required under
 * Section 5 of the GNU Affero General Public License version 3.
 *
 *
 * In accordance with Section 7(b) of the GNU Affero General Public License
 * version 3, these Appropriate Legal Notices must retain the display of the
 * "Powered by TimeTrex" logo. If the display of the logo is not reasonably
 * feasible for technical reasons, the Appropriate Legal Notices must display
 * the words "Powered by TimeTrex".
 *
 ********************************************************************************/


/**
 * @package API\Users
 */
class APIUser extends APIFactory {
	protected $main_class = 'UserFactory';

	/**
	 * APIUser constructor.
	 */
	public function __construct() {
		parent::__construct(); //Make sure parent constructor is always called.

		return true;
	}

	/**
	 * Get default user data for creating new users.
	 * @param string $tmp_company_id UUID
	 * @return array
	 */
	function getUserDefaultData( $tmp_company_id = null, $default_id = null ) {
		//Allow getting default data from other companies, so it makes it easier to create the first employee of a company.
		if ( $tmp_company_id != '' && TTUUID::isUUID( $tmp_company_id ) && $tmp_company_id != TTUUID::getZeroID() && $tmp_company_id != TTUUID::getNotExistID() && $this->getPermissionObject()->Check( 'company', 'enabled' ) && $this->getPermissionObject()->Check( 'company', 'view' ) ) {
			$company_id = $tmp_company_id;
		} else {
			$company_id = $this->getCurrentCompanyObject()->getId();
		}
		Debug::Text( 'Getting user default data for Company ID: ' . $company_id . ' TMP Company ID: ' . $tmp_company_id, __FILE__, __LINE__, __METHOD__, 10 );

		$uf = TTnew( 'UserFactory' ); /** @var UserFactory $uf */

		//Get New Hire Defaults.
		$udlf = TTnew( 'UserDefaultListFactory' ); /** @var UserDefaultListFactory $udlf */
		if ( $default_id == '' ) {
			$udlf->getByCompanyId( $company_id );
		} else {
			if ( TTUUID::isUUID( $default_id ) ) {
				$udlf->getByIdAndCompanyId( $default_id, $company_id );
			} else {
				$udlf->getByCompanyIdAndName( $company_id, $default_id );
			}
		}
		if ( $udlf->getRecordCount() > 0 ) {
			Debug::Text( 'Using User Defaults, as they exist...', __FILE__, __LINE__, __METHOD__, 10 );
			$udf_obj = $udlf->getCurrent(); /** @var UserDefaultFactory $udf_obj */

			$data = [
					'company_id'                          => $company_id,
					'legal_entity_id'                     => $udf_obj->getLegalEntity(),
					'enable_login'                        => true,
					'status_id'                           => 10, //Active.
					'title_id'                            => $udf_obj->getTitle(),
					'employee_number'                     => $uf->getNextAvailableEmployeeNumber( $company_id ),
					'city'                                => $udf_obj->getCity(),
					'country'                             => $udf_obj->getCountry(),
					'province'                            => $udf_obj->getProvince(),
					'work_phone'                          => $udf_obj->getWorkPhone(),
					'work_phone_ext'                      => $udf_obj->getWorkPhoneExt(),
					'work_email'                          => $udf_obj->getWorkEmail(),
					'hire_date'                           => TTDate::getAPIDate( 'DATE', time() ),
					'sex_id'                              => 5, //Unspecified.
					'default_branch_id'                   => $udf_obj->getDefaultBranch(),
					'default_department_id'               => $udf_obj->getDefaultDepartment(),
					'permission_control_id'               => $udf_obj->getPermissionControl(),
					'terminated_permission_control_id'    => $udf_obj->getTerminatedPermissionControl(),
					'pay_period_schedule_id'              => $udf_obj->getPayPeriodSchedule(),
					'policy_group_id'                     => $udf_obj->getPolicyGroup(),
					'currency_id'                         => $udf_obj->getCurrency(),
					'hierarchy_control'                   => $udf_obj->getHierarchyControl(),
					'recurring_schedule_id'               => $udf_obj->getRecurringSchedule(),
					'user_default_id'                     => $udf_obj->getId(),
			];
		} else {
			Debug::Text( ' User Default data does not exists for Company ID: ' . $company_id .' Trying to determine them automatically...', __FILE__, __LINE__, __METHOD__, 10 );

			$data = [
					'company_id'                          => $company_id,
					'enable_login'                        => true,
					'status_id'                           => 10, //Active.
					'employee_number'                     => $uf->getNextAvailableEmployeeNumber( $company_id ),
					'hire_date'                           => TTDate::getAPIDate( 'DATE', time() ),
					'sex_id'                              => 5, //Unspecified.
			];

			$lelf = TTnew( 'LegalEntityListFactory' );
			$lelf->getByCompanyId( $company_id );
			if ( $lelf->getRecordCount() > 0 ) {
				$data['legal_entity_id'] = $lelf->getCurrent()->getId();
			}
			unset( $lelf );

			$clf = TTnew( 'CurrencyListFactory' );
			$clf->getByCompanyIdAndDefault( $company_id, true );
			if ( $clf->getRecordCount() > 0 ) {
				$data['currency_id'] = $clf->getCurrent()->getId();
			}
			unset( $clf );

			$pclf = TTnew( 'PermissionControlListFactory' );
			$pclf->getByCompanyId( $company_id );
			if ( $pclf->getRecordCount() > 0 ) {
				$data['permission_control_id'] = $pclf->getCurrent()->getId();
			}
			unset( $pclf );
		}

		if ( !isset( $data['company_id'] ) ) {
			$data['company_id'] = $company_id;
		}

		if ( !isset( $data['status_id'] ) ) {
			$data['status_id'] = 10; //Active
		}

		if ( !isset( $data['currency_id'] ) ) {
			$data['currency_id'] = TTUUID::getZeroID();
		}

		if ( !isset( $data['country'] ) ) {
			$data['country'] = 'US';
		}

		if ( !isset( $data['user_default_id'] ) ) {
			$data['user_default_id'] = TTUUID::getZeroID();
		}

		$ulf = TTnew( 'UserListFactory' ); /** @var UserListFactory $ulf */
		$ulf->getHighestEmployeeNumberByCompanyId( $company_id );
		if ( $ulf->getRecordCount() > 0 ) {
			Debug::Text( 'Highest Employee Number: ' . $ulf->getCurrent()->getEmployeeNumber(), __FILE__, __LINE__, __METHOD__, 10 );
			if ( is_numeric( $ulf->getCurrent()->getEmployeeNumber() ) == true ) {
				$data['next_available_employee_number'] = ( $ulf->getCurrent()->getEmployeeNumber() + 1 );
			} else {
				Debug::Text( 'Highest Employee Number is not an integer.', __FILE__, __LINE__, __METHOD__, 10 );
				$data['next_available_employee_number'] = null;
			}
		} else {
			$data['next_available_employee_number'] = 1;
		}

		if ( !isset( $data['hire_date'] ) || $data['hire_date'] == '' ) {
			$data['hire_date'] = TTDate::getAPIDate( 'DATE', time() );
		}

		//Try to default the hierarchy as best we can if its a supervisor (subordinates only) creating the employee record.
		if ( $this->getPermissionObject()->Check( 'user', 'view' ) == false && $this->getPermissionObject()->Check( 'user', 'view_child' ) == true ) {
			$api_hc = new APIHierarchyControl;
			$hierarchy_control_options = $this->stripReturnHandler( $api_hc->getHierarchyControlOptions( false ) ); //Don't include blank.
			if ( is_array( $hierarchy_control_options ) ) {
				foreach ( $hierarchy_control_options as $hierarchy_object_type => $hierarchy_control_ids ) {
					if ( count( $hierarchy_control_ids ) == 1 ) {
						$data['hierarchy_control'][$hierarchy_object_type] = Misc::trimSortPrefix( key( $hierarchy_control_ids ) );
					}
				}
			}
			unset( $api_hc );
		}

		$data = $uf->getCustomFieldsDefaultData( $company_id, $data );

		return $this->returnHandler( $data );
	}

	/**
	 * @param string $format
	 * @param array $data
	 * @param bool $disable_paging
	 * @return array|bool
	 */
	function exportUser( $format = 'csv', $data = null, $disable_paging = true ) {
		$result = $this->stripReturnHandler( $this->getUser( $data, $disable_paging ) );

		return $this->exportRecords( $format, 'export_employee', $result, ( ( isset( $data['filter_columns'] ) ) ? $data['filter_columns'] : null ) );
	}

	/**
	 * Get user data for one or more users.
	 * @param array $data             filter data, see reference for details.
	 * @param boolean $disable_paging disables paging and returns all records.
	 * @return array|bool
	 * @see UserListFactory::getAPISearchByCompanyIdAndArrayCriteria() To see a description of the ListFactory that is used.
	 */
	function getUser( $data = null, $disable_paging = false ) {
		$data = $this->initializeFilterAndPager( $data, $disable_paging );

		if ( $this->getPermissionObject()->checkAuthenticationType( 700 ) == false ) { //700=HTTP Auth with username/password
			return $this->getPermissionObject()->AuthenticationTypeDenied();
		}

		if ( !$this->getPermissionObject()->Check( 'user', 'enabled' )
				|| !( $this->getPermissionObject()->Check( 'user', 'view' ) || $this->getPermissionObject()->Check( 'user', 'view_own' ) || $this->getPermissionObject()->Check( 'user', 'view_child' ) ) ) {
			return $this->getPermissionObject()->PermissionDenied();
		}

		//We need to take into account different permissions, ie: punch->view, view_child, view_own when displaying the dropdown
		//box in the TimeSheet view and other views as well. Allow the caller of this function to pass a "permission_section"
		//that can be used to determine this.
		$permission_section = 'user';
		$valid_permission_sections = [ 'user', 'wage', 'user_contact', 'accrual', 'roe', 'punch', 'schedule', 'recurring_schedule', 'message', 'user_expense', 'pay_stub_amendment', 'policy_group', 'user_membership', 'user_skill', 'user_education', 'user_license', 'user_language', 'user_review', 'job_application' ]; //#2242 - Make sure we limit the sections to a specific list to avoid security bypasses.
		if ( isset( $data['permission_section'] ) && $data['permission_section'] != '' ) {
			if ( in_array( trim( strtolower( $data['permission_section'] ) ), $valid_permission_sections ) ) {
				$permission_section = trim( strtolower( $data['permission_section'] ) );
			} else {
				Debug::Text( 'ERROR: NOT ALLOWED: permission_section: ' . $data['permission_section'], __FILE__, __LINE__, __METHOD__, 10 );
			}
		}
		Debug::Text( 'Permission Section: ' . $permission_section, __FILE__, __LINE__, __METHOD__, 10 );

		//Get Permission Hierarchy Children first, as this can be used for viewing, or editing.
		//$data['filter_data']['permission_children_ids'] = $this->getPermissionObject()->getPermissionChildren( $permission_section, 'view' );
		$data['filter_data'] = array_merge( (array)$data['filter_data'], $this->getPermissionObject()->getPermissionFilterData( $permission_section, 'view' ) );
		//Debug::Arr($data['filter_data']['permission_children_ids'], 'Permission Section: '. $permission_section .' Child IDs: ', __FILE__, __LINE__, __METHOD__, 10);

		//Allow getting users from other companies, so we can change admin contacts when using the master company.
		//Need to allow -1 to be accepted for Edit Company view to not show any employees in Contact dropdowns when creating a new company.
		//But show the proper employees (for that company) in Contact dropdowns when editing an existing company.
		if ( isset( $data['filter_data']['company_id'] )
				&& !empty( $data['filter_data']['company_id'] )
				&& ( $this->getPermissionObject()->Check( 'company', 'enabled' ) && $this->getPermissionObject()->Check( 'company', 'view' ) ) ) {
			$company_id = $data['filter_data']['company_id'];
		} else {
			$company_id = $this->getCurrentCompanyObject()->getId();
		}

		$include_last_punch_time = ( isset( $data['filter_columns']['max_punch_time_stamp'] ) ) ? true : false;

		$ulf = TTnew( 'UserListFactory' ); /** @var UserListFactory $ulf */
		$ulf->getAPISearchByCompanyIdAndArrayCriteria( $company_id, $data['filter_data'], $data['filter_items_per_page'], $data['filter_page'], null, $data['filter_sort'], $include_last_punch_time );
		Debug::Text( 'Record Count: ' . $ulf->getRecordCount(), __FILE__, __LINE__, __METHOD__, 10 );
		if ( $ulf->getRecordCount() > 0 ) {
			$this->getProgressBarObject()->start( $this->getAPIMessageID(), $ulf->getRecordCount() );

			$this->setPagerObject( $ulf );

			$retarr = [];
			foreach ( $ulf as $u_obj ) {
				$retarr[] = $u_obj->getObjectAsArray( $data['filter_columns'] );

				$this->getProgressBarObject()->set( $this->getAPIMessageID(), $ulf->getCurrentRow() );
			}

			$this->getProgressBarObject()->stop( $this->getAPIMessageID() );

			//Debug::Arr($retarr, 'User Data: ', __FILE__, __LINE__, __METHOD__, 10);

			return $this->returnHandler( $retarr );
		}

		return $this->returnHandler( true ); //No records returned.
	}

	/**
	 * Get only the fields that are common across all records in the search criteria. Used for Mass Editing of records.
	 * @param array $data filter data
	 * @return array
	 */
	function getCommonUserData( $data ) {
		return Misc::arrayIntersectByRow( $this->stripReturnHandler( $this->getUser( $data, true ) ) );
	}

	/**
	 * Validate user data for one or more users.
	 * @param array $data user data
	 * @return array
	 */
	function validateUser( $data ) {
		return $this->setUser( $data, true );
	}

	/**
	 * Set user data for one or more users.
	 * @param array $data user data
	 * @param bool $validate_only
	 * @param bool $ignore_warning
	 * @return array|bool
	 */
	function setUser( $data, $validate_only = false, $ignore_warning = true ) {
		global $authentication;

		$validate_only = (bool)$validate_only;
		$ignore_warning = (bool)$ignore_warning;

		if ( !is_array( $data ) ) {
			return $this->returnHandler( false );
		}

		if ( $this->getPermissionObject()->checkAuthenticationType( 700 ) == false ) { //700=HTTP Auth with username/password
			return $this->getPermissionObject()->AuthenticationTypeDenied();
		}

		//If they have permissions to edit user records other than their own, make sure their status is Active.
		if ( $this->getCurrentUserObject()->getStatus() != 10 && ( $this->getPermissionObject()->Check( 'user', 'edit' ) || $this->getPermissionObject()->Check( 'user', 'edit_child' ) ) ) { //10=Active -- Make sure user record is active as well.
			return $this->getPermissionObject()->PermissionDenied( false, TTi18n::getText( 'Employee status must be Active to modify employees' ) );
		}

		if ( !$this->getPermissionObject()->Check( 'user', 'enabled' )
				|| !( $this->getPermissionObject()->Check( 'user', 'edit' ) || $this->getPermissionObject()->Check( 'user', 'edit_own' ) || $this->getPermissionObject()->Check( 'user', 'edit_child' ) || $this->getPermissionObject()->Check( 'user', 'add' ) ) ) {
			return $this->getPermissionObject()->PermissionDenied();
		}
		if ( $validate_only == true ) {
			Debug::Text( 'Validating Only!', __FILE__, __LINE__, __METHOD__, 10 );
			$permission_children_ids = false;
		} else {
			//Get Permission Hierarchy Children first, as this can be used for viewing, or editing.
			$permission_children_ids = $this->getPermissionChildren();
		}

		[ $data, $total_records ] = $this->convertToMultipleRecords( $data );
		Debug::Text( 'Received data for: ' . $total_records . ' Users', __FILE__, __LINE__, __METHOD__, 10 );
		//Debug::Arr($data, 'Data: ', __FILE__, __LINE__, __METHOD__, 10);

		$validator_stats = [ 'total_records' => $total_records, 'valid_records' => 0 ];
		$validator = $save_result = []; $key = false;
		if ( is_array( $data ) && $total_records > 0 ) {
			$this->getProgressBarObject()->start( $this->getAPIMessageID(), $total_records );

			foreach ( $data as $key => $row ) {
				$transaction_function = function () use ( $row, $validate_only, $ignore_warning, $validator_stats, $validator, $save_result, $key, $total_records, $permission_children_ids ) {
					$primary_validator = new Validator();

					$lf = TTnew( 'UserListFactory' ); /** @var UserListFactory $lf */
					if ( $validate_only == false ) {                  //Only switch into serializable mode when actually saving the record.
						$lf->setTransactionMode( 'REPEATABLE READ' ); //Required to help prevent duplicate simulataneous HTTP requests from causing duplicate user records or duplicate employee number/user_names.
					}
					$lf->StartTransaction();

					//Force Company ID to current company.
					if ( !isset( $row['company_id'] ) || ( isset( $row['company_id'] ) && $row['company_id'] == '' ) || !$this->getPermissionObject()->Check( 'company', 'view' ) ) {
						$row['company_id'] = $this->getCurrentCompanyObject()->getId();
					}

					if ( isset( $row['id'] ) && $row['id'] != '' ) {
						//Modifying existing object.
						//Get user object, so we can only modify just changed data for specific records if needed.
						$lf->getByIdAndCompanyId( $row['id'], $row['company_id'] );
						if ( $lf->getRecordCount() == 1 ) {
							//Object exists, check edit permissions
							//Debug::Text('User ID: '. $row['id'] .' Created By: '. $lf->getCurrent()->getCreatedBy() .' Is Owner: '. (int)$this->getPermissionObject()->isOwner( $lf->getCurrent()->getCreatedBy(), $lf->getCurrent()->getID() ) .' Is Child: '. (int)$this->getPermissionObject()->isChild( $lf->getCurrent()->getId(), $permission_children_ids ), __FILE__, __LINE__, __METHOD__, 10);
							if (
									$validate_only == true
									||
									(
											$this->getPermissionObject()->Check( 'user', 'edit' )
											|| ( $this->getPermissionObject()->Check( 'user', 'edit_own' ) && $this->getPermissionObject()->isOwner( $lf->getCurrent()->getCreatedBy(), $lf->getCurrent()->getID() ) === true )
											|| ( $this->getPermissionObject()->Check( 'user', 'edit_child' ) && $this->getPermissionObject()->isChild( $lf->getCurrent()->getId(), $permission_children_ids ) === true )
									) ) {

								Debug::Text( 'Row Exists, getting current data for ID: ' . $row['id'], __FILE__, __LINE__, __METHOD__, 10 );
								//$row = array_merge( $lf->getCurrent()->getObjectAsArray(), $row );
								$lf = $lf->getCurrent(); //Make the current $lf variable the current object, so we can ignore some fields if needed.
								$row = array_merge( $lf->getObjectAsArray(), $row );
							} else {
								$primary_validator->isTrue( 'permission', false, TTi18n::gettext( 'Edit permission denied' ) );
							}
						} else {
							//Object doesn't exist.
							$primary_validator->isTrue( 'id', false, TTi18n::gettext( 'Edit permission denied, record does not exist' ) );
						}
					} else {
						//Adding new object, check ADD permissions.
						$primary_validator->isTrue( 'permission', $this->getPermissionObject()->Check( 'user', 'add' ), TTi18n::gettext( 'Add permission denied' ) );

						//Because password encryption requires the user_id, we need to get it first when creating a new employee.
						$row['id'] = $lf->getNextInsertId();
					}

					//When doing a mass edit of employees, user name is never specified, so we need to avoid this validation issue.
					//Generate random user name if its validate only and not otherwise specified.
					if ( $validate_only == true && ( !isset( $row['user_name'] ) || $row['user_name'] == '' ) ) {
						$row['user_name'] = 'random' . rand( 10000000, 99999999 );
					}
					//Debug::Arr($row, 'Data: ', __FILE__, __LINE__, __METHOD__, 10);

					$is_valid = $primary_validator->isValid();
					if ( $is_valid == true ) { //Check to see if all permission checks passed before trying to save data.
						Debug::Text( 'Attempting to save data... API Message ID: ' . $this->getAPIMessageID(), __FILE__, __LINE__, __METHOD__, 10 );

						if ( DEMO_MODE == true && $lf->isNew() == false ) { //Allow changing these if DEMO is enabled, but they are adding new records.
							Debug::Text( 'DEMO Mode ENABLED, disable modifying some data...', __FILE__, __LINE__, __METHOD__, 10 );
							unset( $row['permission_control_id'], $row['status_id'], $row['phone_id'], $row['user_name'], $row['password'] );
						}

						if ( $this->getPermissionObject()->Check( 'user', 'edit_advanced' ) == false ) {
							Debug::Text( 'NOT allowing advanced edit...', __FILE__, __LINE__, __METHOD__, 10 );
							//Unset all advanced fields.
							unset(
									$row['user_name'],
									$row['currency_id'],
									$row['employee_number'], //This must always be set
									$row['default_branch_id'],
									$row['default_department_id'],
									$row['group_id'],
									$row['title_id'],
									$row['first_name'],
									$row['middle_name'],
									$row['last_name'],
									$row['city'],
									$row['country'],
									$row['province'],
									$row['hire_date'],
									$row['birth_date'],
									$row['termination_date'],
									$row['sin'],
									$row['note'],
									$row['tags']
							);
						}

						unset( $row['mfa_type_id'] ); //Do not allow changing multifactor settings

						//If the user doesn't have permissions to change the hierarchy_control, unset that data.
						if ( isset( $row['hierarchy_control'] ) && ( $this->getPermissionObject()->Check( 'hierarchy', 'edit' ) || $this->getPermissionObject()->Check( 'user', 'edit_hierarchy' ) ) ) {
							Debug::Text( 'Allowing change of hierarchy...', __FILE__, __LINE__, __METHOD__, 10 );
						} else {
							Debug::Text( 'NOT allowing change of hierarchy...', __FILE__, __LINE__, __METHOD__, 10 );
							unset( $row['hierarchy_control'] );
						}

						//Handle additional permission checks for setPermissionControl().
						if ( isset( $row['permission_control_id'] )
								&& ( $lf->getPermissionLevel() <= $this->getPermissionObject()->getLevel() && ( $this->getPermissionObject()->Check( 'permission', 'edit' ) || $this->getPermissionObject()->Check( 'permission', 'edit_own' ) || $this->getPermissionObject()->Check( 'user', 'edit_permission_group' ) ) ) ) {
							Debug::Text( 'Allowing change of permissions...', __FILE__, __LINE__, __METHOD__, 10 );
						} else {
							Debug::Text( 'NOT allowing change of permissions...', __FILE__, __LINE__, __METHOD__, 10 );
							unset( $row['permission_control_id'] );
						}

						if ( isset( $row['pay_period_schedule_id'] ) && ( $this->getPermissionObject()->Check( 'pay_period_schedule', 'edit' ) || $this->getPermissionObject()->Check( 'user', 'edit_pay_period_schedule' ) ) ) {
							Debug::Text( 'Allowing change of pay period schedule...', __FILE__, __LINE__, __METHOD__, 10 );
						} else {
							Debug::Text( 'NOT allowing change of pay period schedule...', __FILE__, __LINE__, __METHOD__, 10 );
							unset( $row['pay_period_schedule_id'] );
						}

						if ( isset( $row['policy_group_id'] ) && ( $this->getPermissionObject()->Check( 'policy_group', 'edit' ) || $this->getPermissionObject()->Check( 'user', 'edit_policy_group' ) ) ) {
							Debug::Text( 'Allowing change of policy group...', __FILE__, __LINE__, __METHOD__, 10 );
						} else {
							Debug::Text( 'NOT allowing change of policy group...', __FILE__, __LINE__, __METHOD__, 10 );
							unset( $row['policy_group_id'] );
						}

						$lf->setObjectFromArray( $row );

						$lf->Validator->setValidateOnly( $validate_only );

						$is_valid = $lf->isValid( $ignore_warning );

						if ( $validate_only == false && $lf->getIsRequiredCurrentPassword() == true ) {
							$lf->FailTransaction();
							$lf->CommitTransaction();
							$lf->setTransactionMode(); //Back to default isolation level.

							return [ $validator, $validator_stats, $key, false, true ];
						}

						if ( $is_valid == true ) {
							Debug::Text( 'Saving data...', __FILE__, __LINE__, __METHOD__, 10 );
							if ( $validate_only == true ) {
								$save_result[$key] = true;
							} else {
								$save_result[$key] = $lf->Save( true, true );
							}
							$validator_stats['valid_records']++;
						}
					}

					if ( $is_valid == false ) {
						Debug::Text( 'Data is Invalid...', __FILE__, __LINE__, __METHOD__, 10 );

						$lf->FailTransaction(); //Just rollback this single record, continue on to the rest.

						$validator[$key] = $this->setValidationArray( [ $primary_validator, $lf ], ( ( $total_records > 1 && is_object( $lf ) ) ? $lf->getFullName() : null ) );
					} else if ( $validate_only == true ) {
						//Always fail transaction when valididate only is used, as	is saved to different tables immediately.
						$lf->FailTransaction();
					}

					$lf->CommitTransaction();
					$lf->setTransactionMode(); //Back to default isolation level.

					return [ $validator, $validator_stats, $key, $save_result, false ];
				};

				[ $validator, $validator_stats, $key, $save_result, $is_reauthentication_required ] = $this->getMainClassObject()->RetryTransaction( $transaction_function );

				if ( $is_reauthentication_required == true ) {
					return $this->getPermissionObject()->ReauthenticationRequired( $this->getCurrentUserObject() );
				}

				$this->getProgressBarObject()->set( $this->getAPIMessageID(), $key );
			}

			$this->getProgressBarObject()->stop( $this->getAPIMessageID() );

			//One time auth is used to verify single actions that require re-authentication and needs to be removed after used.
			$authentication->reauthenticationActionCompleted();

			return $this->handleRecordValidationResults( $validator, $validator_stats, $key, $save_result ); //Don't Enable System Job Queue status update, as it will trigger the spinner quite often when we rarely run background jobs currently.
		}

		return $this->returnHandler( false );
	}

	/**
	 * Delete one or more users.
	 * @param array $data user data
	 * @return array|bool
	 */
	function deleteUser( $data ) {
		if ( !is_array( $data ) ) {
			$data = [ $data ];
		}

		if ( DEMO_MODE == true ) {
			return $this->returnHandler( true );
		}

		if ( !is_array( $data ) ) {
			return $this->returnHandler( false );
		}

		if ( $this->getPermissionObject()->checkAuthenticationType( 700 ) == false ) { //700=HTTP Auth with username/password
			return $this->getPermissionObject()->AuthenticationTypeDenied();
		}

		if ( !$this->getPermissionObject()->Check( 'user', 'enabled' )
				|| !( $this->getPermissionObject()->Check( 'user', 'delete' ) || $this->getPermissionObject()->Check( 'user', 'delete_own' ) || $this->getPermissionObject()->Check( 'user', 'delete_child' ) ) ) {
			return $this->getPermissionObject()->PermissionDenied();
		}

		//Get Permission Hierarchy Children first, as this can be used for viewing, or editing.
		$permission_children_ids = $this->getPermissionChildren();

		Debug::Text( 'Received data for: ' . count( $data ) . ' Users', __FILE__, __LINE__, __METHOD__, 10 );
		Debug::Arr( $data, 'Data: ', __FILE__, __LINE__, __METHOD__, 10 );

		$total_records = count( $data );
		$validator = $save_result = []; $key = false;
		$validator_stats = [ 'total_records' => $total_records, 'valid_records' => 0 ];
		if ( is_array( $data ) && $total_records > 0 ) {
			$this->getProgressBarObject()->start( $this->getAPIMessageID(), $total_records );

			foreach ( $data as $key => $id ) {
				$primary_validator = new Validator();
				$lf = TTnew( 'UserListFactory' ); /** @var UserListFactory $lf */
				$lf->StartTransaction();
				if ( $id != '' ) {
					if ( $this->getPermissionObject()->Check( 'company', 'view' ) == true ) {
						$lf->getById( $id );//Allow deleting employees in other companies.
					} else {
						$lf->getByIdAndCompanyId( $id, $this->getCurrentCompanyObject()->getId() );
					}
					if ( $lf->getRecordCount() == 1 ) {
						//Object exists, check edit permissions
						//Debug::Text('User ID: '. $user['id'] .' Created By: '. $lf->getCurrent()->getCreatedBy() .' Is Owner: '. (int)$this->getPermissionObject()->isOwner( $lf->getCurrent()->getCreatedBy(), $lf->getCurrent()->getID() ) .' Is Child: '. (int)$this->getPermissionObject()->isChild( $lf->getCurrent()->getId(), $permission_children_ids ), __FILE__, __LINE__, __METHOD__, 10);
						if ( $this->getPermissionObject()->Check( 'user', 'delete' )
								|| ( $this->getPermissionObject()->Check( 'user', 'delete_own' ) && $this->getPermissionObject()->isOwner( $lf->getCurrent()->getCreatedBy(), $lf->getCurrent()->getID() ) === true )
								|| ( $this->getPermissionObject()->Check( 'user', 'delete_child' ) && $this->getPermissionObject()->isChild( $lf->getCurrent()->getId(), $permission_children_ids ) === true ) ) {

							Debug::Text( 'Record Exists, deleting record ID: ' . $id, __FILE__, __LINE__, __METHOD__, 10 );
							$lf = $lf->getCurrent();
						} else {
							$primary_validator->isTrue( 'permission', false, TTi18n::gettext( 'Delete permission denied' ) );
						}
					} else {
						//Object doesn't exist.
						$primary_validator->isTrue( 'id', false, TTi18n::gettext( 'Delete permission denied, record does not exist' ) );
					}
				} else {
					$primary_validator->isTrue( 'id', false, TTi18n::gettext( 'Delete permission denied, record does not exist' ) );
				}

				//Debug::Arr($lf, 'AData: ', __FILE__, __LINE__, __METHOD__, 10);

				$is_valid = $primary_validator->isValid();
				if ( $is_valid == true ) { //Check to see if all permission checks passed before trying to save data.
					Debug::Text( 'Attempting to delete record...', __FILE__, __LINE__, __METHOD__, 10 );
					$lf->setDeleted( true );

					$is_valid = $lf->isValid();
					if ( $is_valid == true ) {
						Debug::Text( 'Record Deleted...', __FILE__, __LINE__, __METHOD__, 10 );
						$save_result[$key] = $lf->Save();
						$validator_stats['valid_records']++;
					}
				}

				if ( $is_valid == false ) {
					Debug::Text( 'Data is Invalid...', __FILE__, __LINE__, __METHOD__, 10 );

					$lf->FailTransaction(); //Just rollback this single record, continue on to the rest.

					$validator[$key] = $this->setValidationArray( [ $primary_validator, $lf ], ( ( $total_records > 1 && is_object( $lf ) ) ? $lf->getFullName() : null ) );
				}

				$lf->CommitTransaction();

				$this->getProgressBarObject()->set( $this->getAPIMessageID(), $key );
			}

			$this->getProgressBarObject()->stop( $this->getAPIMessageID() );

			return $this->handleRecordValidationResults( $validator, $validator_stats, $key, $save_result );
		}

		return $this->returnHandler( false );
	}

	/**
	 * Copy one or more users.
	 * @param array $data user data
	 * @return array
	 */
	function copyUser( $data ) {
		//Can only Copy as New, not just a regular copy, as too much data needs to be changed,
		//such as username, password, employee_number, SIN, first/last name address...
		return $this->returnHandler( false );
	}

	/**
	 * Check if username is unique or not.
	 * @param string $user_name user name
	 * @return array|bool
	 */
	function isUniqueUserName( $user_name ) {
		Debug::Text( 'Checking for unique user name: ' . $user_name, __FILE__, __LINE__, __METHOD__, 10 );

		$uf = TTNew( 'UserFactory' ); /** @var UserFactory $uf */
		$retval = $uf->isUniqueUserName( $user_name );

		return $this->returnHandler( $retval );
	}

	/**
	 * Allows currently logged in user to change their password.
	 * @param string $new_password
	 * @param string $new_password2
	 * @param string $type
	 * @return array|bool
	 */
	function changePassword( $new_password, $new_password2, $type = 'user_name' ) {
		$ulf = TTnew( 'UserListFactory' ); /** @var UserListFactory $ulf */
		$ulf->getByIdAndCompanyId( $this->getCurrentUserObject()->getId(), $this->getCurrentCompanyObject()->getId() );
		if ( $ulf->getRecordCount() == 1 ) {
			$uf = $ulf->getCurrent();

			global $authentication;

			if ( $authentication->isSessionReauthenticated() === false ) {
				return $this->getPermissionObject()->ReauthenticationRequired( $this->getCurrentUserObject() );
			}

			if ( $authentication->getRateLimitObject()->check() == false ) {
				Debug::Text( 'Excessive failed password attempts... Preventing password change from: ' . Misc::getRemoteIPAddress() . ' for up to 15 minutes...', __FILE__, __LINE__, __METHOD__, 10 );
				sleep( 5 ); //Excessive password attempts, sleep longer.

				$uf->Validator->isTrue( 'current_password',
										false,
										TTi18n::gettext( 'Current password is incorrect' ) . ' (z)' );
			} else {
				$uf->setIsRequiredCurrentPassword( false );

				switch ( strtolower( $type ) ) {
					case 'quick_punch':
					case 'quick_punch_id':
					case 'phone_id':
					case 'phone':
						if ( $this->getPermissionObject()->Check( 'user', 'edit_own_phone_password' ) == false ) {
							return $this->getPermissionObject()->PermissionDenied();
						}

						$log_description = TTi18n::getText( 'Password - Quick Punch' );

						if ( $new_password != '' || $new_password2 != '' ) {
							if ( $new_password === $new_password2 ) {
								$uf->setPhonePassword( $new_password );
							} else {
								$uf->Validator->isTrue( 'password',
														false,
														TTi18n::gettext( 'Passwords don\'t match' ) );
							}
						}
						break;
					case 'user_name':
					case 'web':
						if ( $this->getPermissionObject()->Check( 'user', 'edit_own_password' ) == false ) {
							return $this->getPermissionObject()->PermissionDenied();
						}

						if ( $uf->getCompanyObject()->getLDAPAuthenticationType() == 0 ) {
							$log_description = TTi18n::getText( 'Password - Web' );

							if ( $new_password != '' || $new_password2 != '' ) {
								if ( $new_password === $new_password2 ) {
									$uf->setPassword( $new_password );
								} else {
									$uf->Validator->isTrue( 'password',
															false,
															TTi18n::gettext( 'Passwords don\'t match' ) );
								}
							}
						} else {
							Debug::Text( 'LDAP Authentication is enabled, password changing is disabled! ', __FILE__, __LINE__, __METHOD__, 10 );
							$uf->Validator->isTrue( 'current_password',
													false,
													TTi18n::getText( 'Please contact your administrator for instructions on changing your password.' ) . ' (LDAP)' );
						}
						break;
				}
			}

			if ( $uf->isValid() ) {
				//One time auth is used to verify single actions that require re-authentication and needs to be removed after used.
				$authentication->reauthenticationActionCompleted();

				if ( DEMO_MODE == true ) {
					//Return TRUE even in demo mode, but nothing happens.
					return $this->returnHandler( true );
				} else {
					TTLog::addEntry( $this->getCurrentUserObject()->getId(), 20, $log_description, null, $uf->getTable() );

					$authentication->getRateLimitObject()->delete(); //Clear failed password rate limit upon successful login.

					$retval = $uf->Save( false ); //UserID is needed below.

					//Logout all other sessions for this user.
					$authentication = TTNew( 'Authentication' ); /** @var Authentication $authentication */
					$authentication->logoutUser( $uf->getID() );

					return $this->returnHandler( $retval ); //Single valid record
				}
			} else {
				//One time auth is used to verify single actions that require re-authentication and needs to be removed after used.
				$authentication->reauthenticationActionCompleted();
				return $this->returnHandler( false, 'VALIDATION', TTi18n::getText( 'INVALID DATA' ), $uf->Validator->getErrorsArray(), [ 'total_records' => 1, 'valid_records' => 0 ] );
			}
		}

		return $this->returnHandler( false );
	}


	/**
	 * Returns a list of unique provinces that employees are assigned to.
	 * @return array
	 */
	function getUniqueUserProvinces() {
		//Get a unique list of states each employee belongs to
		$ulf = TTnew( 'UserListFactory' ); /** @var UserListFactory $ulf */
		$ulf->getByCompanyId( $this->getCurrentCompanyObject()->getId() );
		$retarr = [];
		if ( $ulf->getRecordCount() > 0 ) {
			foreach ( $ulf as $u_obj ) {
				$retarr[$u_obj->getProvince()] = $u_obj->getProvince();
			}
		} else {
			$retarr = false;
		}

		return $retarr;
	}

	/**
	 * @param $email
	 * @return bool
	 */
	function UnsubscribeEmail( $email ) {
		if ( $email != '' && $this->getPermissionObject()->Check( 'company', 'edit' ) ) {
			return UserFactory::UnsubscribeEmail( $email );
		}

		return false;
	}

	/**
	 * @param string $user_ids UUID
	 * @return bool
	 */
	function sendValidationEmail( $user_ids ) {
		if ( !$this->getPermissionObject()->Check( 'user', 'enabled' )
				|| !( $this->getPermissionObject()->Check( 'user', 'edit' ) || $this->getPermissionObject()->Check( 'user', 'edit_child' ) || $this->getPermissionObject()->Check( 'user', 'add' ) ) ) {
			return $this->getPermissionObject()->PermissionDenied();
		}

		$ulf = TTnew( 'UserListFactory' ); /** @var UserListFactory $ulf */
		$ulf->getByIdAndCompanyId( $user_ids, $this->getCurrentCompanyObject()->getId() );
		if ( $ulf->getRecordCount() == 1 ) {
			$emails_sent = 0;
			foreach ( $ulf as $u_obj ) {
				if ( $u_obj->getWorkEmailIsValid() == false ) {
					$u_obj->sendValidateEmail( 'work' );
					$emails_sent++;
				}

				if ( $u_obj->getHomeEmailIsValid() == false ) {
					$u_obj->sendValidateEmail( 'home' );
					$emails_sent++;
				}
			}

			Debug::Text( 'Users Found: ' . $ulf->getRecordCount() . ' Validation Emails Sent: ' . $emails_sent, __FILE__, __LINE__, __METHOD__, 10 );
			if ( $emails_sent > 0 ) {
				return true;
			}
		}

		Debug::Text( 'ERROR: No users to send validation emails to.', __FILE__, __LINE__, __METHOD__, 10 );

		return false;
	}


	/**
	 * Get user data for one or more users. This is an alias for getUser() that can be overridden by a plugin for getting data on remote servers.
	 * @param array $data             filter data, see reference for details.
	 * @param boolean $disable_paging disables paging and returns all records.
	 * @return array
	 * @see UserListFactory::getAPISearchByCompanyIdAndArrayCriteria() To see a description of the ListFactory that is used.
	 */
	function getCompanyUser( $data = null, $disable_paging = false ) {
		return $this->getUser( $data, $disable_paging );
	}

	/**
	 * @param int $rating Accepted values are -1, 0, 1.
	 * @param bool $message
	 * @return array|bool
	 */
	function setUserFeedbackRating( $rating, $message = false ) {
		$ulf = TTnew( 'UserListFactory' ); /** @var UserListFactory $ulf */
		$ulf->getByIdAndCompanyId( $this->getCurrentUserObject()->getId(), $this->getCurrentCompanyObject()->getId() );
		if ( $ulf->getRecordCount() == 1 ) {
			$u_obj = $ulf->getCurrent();

			if ( $rating != $u_obj->getFeedbackRating() ) {
				$u_obj->setFeedbackRating( $rating );
				if ( $u_obj->isValid() ) {
					$retval = $u_obj->Save( false );
					if ( $retval == true ) {
						//Save in user_setting table as well, so we have other information such as created date.
						UserSettingFactory::setUserSetting( $this->getCurrentUserObject()->getId(), 'feedback_rating', $rating, 20 ); //20=Private

						$ttsc = new TimeTrexSoapClient();
						$ttsc->sendUserFeedback( $rating, $message, $u_obj );

						//Since we are updating the user record, the audit log will contain the rating change.
						//TTLog::addEntry( $u_obj->getId(), 500, TTi18n::getText('Feedback Rating').': '. $rating .' '. TTi18n::getText('Message') .': '. $message, $u_obj->getId(), $u_obj->getTable() );
					}
				}
			} else if ( $message != '' ) {
				$ttsc = new TimeTrexSoapClient();
				$ttsc->sendUserFeedback( $rating, $message, $u_obj );
			}

			return $this->returnHandler( true );
		}

		return $this->returnHandler( false );
	}

	/**
	 * @param $submitted_review Accepted values are 0 or 1.
	 * @return array|bool
	 */
	function setUserFeedbackReview( $submitted_review ) {
		$submitted_review = (int)$submitted_review;

		return $this->returnHandler( UserSettingFactory::setUserSetting( $this->getCurrentUserObject()->getId(), 'feedback_rating_review', $submitted_review, 20 ) ); //20=Private
	}

	/**
	 * @param $employee_id
	 * @return array|bool
	 */
	function deleteImage( $employee_id ) {
		//permissions match setUser()
		if ( !$this->getPermissionObject()->Check( 'user', 'enabled' )
				|| !( $this->getPermissionObject()->Check( 'user', 'edit' ) || $this->getPermissionObject()->Check( 'user', 'edit_own' ) || $this->getPermissionObject()->Check( 'user', 'edit_child' ) || $this->getPermissionObject()->Check( 'user', 'add' ) ) ) {
			return $this->getPermissionObject()->PermissionDenied();
		}

		$result = $this->stripReturnHandler( $this->getUser( [ 'filter_data' => [ 'id' => $employee_id ] ] ) );
		if ( isset( $result[0] ) && count( $result[0] ) > 0 ) {
			$uf = TTnew( 'UserFactory' ); /** @var UserFactory $uf */
			$file_name = $uf->getPhotoFileName( $this->current_company->getId(), $employee_id, false ); //Do not include default image.

			if ( file_exists( $file_name ) ) {
				unlink( $file_name );
				TTLog::addEntry( $employee_id, 30, TTi18n::getText( 'Photo' ), null, $uf->getTable() );
			}
		}

		return $this->returnHandler( true );
	}

	/**
	 * Get the number of pending authorizations, notifications and messages for the current user.
	 * @param array $object_types
	 * @return array
	 */
	function getUserPendingTotals( $object_types = [] ) {
		$totals = [];

		if ( empty( $object_types ) ) {
			$object_types = [ 'notification', 'request', 'message', 'request_authorization', 'timesheet_authorization', 'expense_authorization' ];
		}

		//No permissions required to view own notifications.
		//Unread notifications.
		if ( in_array( 'notification', $object_types ) ) {
			$ndtlf = TTnew( 'NotificationListFactory' );
			$totals['notification'] = (int)$ndtlf->getUnreadCountByUserIdAndCompanyId( $this->getCurrentUserObject()->getId(), $this->getCurrentUserObject()->getCompany() );
		}

		//Unread messages.
		if ( in_array( 'message', $object_types ) && $this->getPermissionObject()->Check( 'message', 'enabled' ) && $this->getPermissionObject()->Check( 'message', 'view_own' ) ) {
			$mclf = TTnew( 'MessageControlListFactory' );
			$totals['message'] = (int)$mclf->getNewMessagesByCompanyIdAndUserId( $this->getCurrentCompanyObject()->getId(), $this->getCurrentUserObject()->getId() );
		}

		//Pending request authorizations.
		if ( in_array( 'request_authorization', $object_types ) && $this->getPermissionObject()->Check( 'request', 'enabled' ) && $this->getPermissionObject()->Check( 'request', 'authorize' ) && ( $this->getPermissionObject()->Check( 'request', 'view_child' ) || $this->getPermissionObject()->Check( 'request', 'view' ) ) ) {
			$rlf = TTnew( 'RequestListFactory' );
			$hllf = TTnew( 'HierarchyLevelListFactory' );
			$type_ids = array_keys( $rlf->getOptions( 'type' ) );
			$hierarchy_level_arr = $hllf->getLevelsAndHierarchyControlIDsByUserIdAndObjectTypeID( $this->getCurrentUserObject()->getId(), $rlf->getHierarchyTypeId( $type_ids ) );
			$totals['request_authorization'] = (int)$rlf->getTotalPendingByCompanyIdAndHierarchyLevelMap( $this->getCurrentCompanyObject()->getId(), [ 'hierarchy_level_map' => $hierarchy_level_arr[1] ?? false, 'authorized' => [ 0 ], 'status_id' => [ 30 ], 'type_id' => $type_ids, 'permission_children_ids' => $this->getPermissionObject()->getPermissionChildren( 'request', 'view' ) ] );
		}

		//Pending timesheet authorizations.
		if ( in_array( 'timesheet_authorization', $object_types ) && $this->getPermissionObject()->Check( 'punch', 'enabled' ) && $this->getPermissionObject()->Check( 'punch', 'verify_time_sheet' ) && ( $this->getPermissionObject()->Check( 'punch', 'view_child' ) || $this->getPermissionObject()->Check( 'punch', 'view' ) ) ) {
			$pptsvlf = TTnew( 'PayPeriodTimeSheetVerifyListFactory' );
			$hllf = TTnew( 'HierarchyLevelListFactory' );
			$hierarchy_level_arr = $hllf->getLevelsAndHierarchyControlIDsByUserIdAndObjectTypeID( $this->getCurrentUserObject()->getId(), 90 );
			$totals['timesheet_authorization'] = (int)$pptsvlf->getTotalPendingByCompanyIdAndHierarchyLevelMap( $this->getCurrentCompanyObject()->getId(), [ 'hierarchy_level_map' => $hierarchy_level_arr[1] ?? false, 'authorized' => [ 0 ], 'permission_children_ids' => $this->getPermissionObject()->getPermissionChildren( 'punch', 'view' ) ] );
		}

		//Pending expense authorizations.
		if ( in_array( 'expense_authorization', $object_types ) && $this->getCurrentCompanyObject()->getProductEdition() >= 25 && $this->getPermissionObject()->Check( 'user_expense', 'enabled' ) && $this->getPermissionObject()->Check( 'user_expense', 'authorize' ) && ( $this->getPermissionObject()->Check( 'user_expense', 'view_child' ) || $this->getPermissionObject()->Check( 'user_expense', 'view' ) ) ) {
			$uelf = TTnew( 'UserExpenseListFactory' );
			$hllf = TTnew( 'HierarchyLevelListFactory' );
			$hierarchy_level_arr = $hllf->getLevelsAndHierarchyControlIDsByUserIdAndObjectTypeID( $this->getCurrentUserObject()->getId(), 200 );
			$totals['expense_authorization'] = (int)$uelf->getTotalPendingByCompanyIdAndHierarchyLevelMap( $this->getCurrentCompanyObject()->getId(), [ 'hierarchy_level_map' => $hierarchy_level_arr[1] ?? false, 'authorized' => [ 0 ], 'status_id' => [ 20 ], 'permission_children_ids' => $this->getPermissionObject()->getPermissionChildren( 'user_expense', 'view' ) ] );
		}

		Debug::Arr( $totals, ' Pending Totals: ', __FILE__, __LINE__, __METHOD__, 10 );
		return $this->returnHandler( $totals );
	}

	/**
	 * Check if MFA is enabled for the current user.
	 * @return array|bool
	 */
	function isMFAEnabled() {
		if ( is_object( $this->getCurrentUserObject() ) === true && $this->getCurrentUserObject()->getMultiFactorType() > 0 ) { //0 = Disabled
			return true;
		}

		return false;
	}

	/**
	 * @param $mfa_type_id
	 * @return array|bool
	 */
	function setMultiFactorSettings( $mfa_type_id ) {
		global $authentication;

		if ( is_object( $this->getCurrentUserObject() ) === false ) {
			return $this->returnHandler( false );
		}

		//When disabling MFA ($mfa_type_id = 0), we need to make sure to use the users current $mfa_type_id and not the one passed in.
		//This means to disable MFA the user has to verify by using the current MFA type.
		if ( $mfa_type_id == 0 ) {
			//Passing null for $force_mfa_type_id will default to the users current MFA type.
			$force_mfa_type_id = null;
		} else {
			$force_mfa_type_id = $mfa_type_id;
		}

		if ( $authentication->isSessionReauthenticated() === false ) {
			return $this->getPermissionObject()->ReauthenticationRequired( $this->getCurrentUserObject(), $force_mfa_type_id );
		}

		$ulf = TTnew( 'UserListFactory' );
		$ulf->getById( $this->getCurrentUserObject()->getId() );
		if ( $ulf->getRecordCount() == 1 ) {
			$u_obj = $ulf->getCurrent(); /** @var UserFactory $u_obj */
			$u_obj->setMultiFactorType( $mfa_type_id );
			if ( $u_obj->isValid() ) {
				$u_obj->Save();

				if ( $mfa_type_id > 0 ) {
					//Multifactor enabled, change user to 'user_name_multi_factor' authentication.
					$new_session_type_id = 810;
				} else {
					//Multifactor disabled, change user to 'user_name' authentication.
					$new_session_type_id = 800;
				}

				$authentication->setType( $new_session_type_id );
				//One time auth is used to verify single actions that require re-authentication and needs to be removed after used.
				$authentication->reauthenticationActionCompleted();

				return $this->returnHandler( true );
			}
		}

		//One time auth is used to verify single actions that require re-authentication and needs to be removed after used.
		$authentication->reauthenticationActionCompleted();
		return $this->returnHandler( false );
	}
}

?>