/*
 * #%L
 * Alfresco Repository
 * %%
 * Copyright (C) 2005 - 2016 Alfresco Software Limited
 * %%
 * This file is part of the Alfresco software. 
 * If the software was purchased under a paid Alfresco license, the terms of 
 * the paid license agreement will prevail.  Otherwise, the software is 
 * provided under the following open source license terms:
 * 
 * Alfresco is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 * 
 * Alfresco is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 * 
 * You should have received a copy of the GNU Lesser General Public License
 * along with Alfresco. If not, see .
 * #L%
 */
package org.alfresco.repo.jscript;
import java.io.Serializable;
import java.text.Collator;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.UserNameGenerator;
import org.alfresco.repo.security.authority.AuthorityDAO;
import org.alfresco.repo.security.permissions.AccessDeniedException;
import org.alfresco.repo.security.person.PersonServiceImpl;
import org.alfresco.repo.security.sync.UserRegistrySynchronizer;
import org.alfresco.repo.tenant.TenantDomainMismatchException;
import org.alfresco.repo.tenant.TenantService;
import org.alfresco.service.ServiceRegistry;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.cmr.search.LimitBy;
import org.alfresco.service.cmr.search.PermissionEvaluationMode;
import org.alfresco.service.cmr.search.ResultSet;
import org.alfresco.service.cmr.search.SearchParameters;
import org.alfresco.service.cmr.search.SearchService;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.AuthorityType;
import org.alfresco.service.cmr.security.MutableAuthenticationService;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.cmr.security.PersonService.PersonInfo;
import org.alfresco.service.cmr.usage.ContentUsageService;
import org.alfresco.service.namespace.QName;
import org.alfresco.util.Pair;
import org.alfresco.util.PropertyMap;
import org.alfresco.util.ScriptPagingDetails;
import org.alfresco.util.ValueDerivingMapFactory;
import org.alfresco.util.ValueDerivingMapFactory.ValueDeriver;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.Scriptable;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.extensions.surf.util.I18NUtil;
import org.springframework.extensions.surf.util.ParameterCheck;
/**
 * Scripted People service for describing and executing actions against People & Groups.
 * 
 * @author davidc
 * @author kevinr
 */
public class People extends BaseScopableProcessorExtension implements InitializingBean
{
    private static Log logger = LogFactory.getLog(People.class);
    
    /** Repository Service Registry */
    private ServiceRegistry services;
    private AuthorityDAO authorityDAO;
    private AuthorityService authorityService;
    private PersonService personService;
    private MutableAuthenticationService authenticationService;
    private ContentUsageService contentUsageService;
    private UserNameGenerator usernameGenerator;
    private UserRegistrySynchronizer userRegistrySynchronizer;
    protected TenantService tenantService;
    
    private StoreRef storeRef;
    private ValueDerivingMapFactory valueDerivingMapFactory;
    private int numRetries = 10;
    
    private int defaultListMaxResults = 5000;
    private boolean honorHintUseCQ = true;
    
    protected static final String HINT_CQ_SUFFIX = " [hint:useCQ]";
    
    public void afterPropertiesSet() throws Exception
    {
        Map > capabilityTesters = new HashMap>(5);
        capabilityTesters.put("isAdmin", new ValueDeriver()
        {
            public Boolean deriveValue(ScriptNode source)
            {
                return isAdmin(source);
            }
        });
        capabilityTesters.put("isGuest", new ValueDeriver()
        {
            public Boolean deriveValue(ScriptNode source)
            {
                return isGuest(source);
            }
        });
        capabilityTesters.put("isMutable", new ValueDeriver()
        {
            public Boolean deriveValue(ScriptNode source)
            {
                // Check whether the account is mutable according to the authentication service
                String sourceUser = (String) source.getProperties().get(ContentModel.PROP_USERNAME);
                if (!authenticationService.isAuthenticationMutable(sourceUser))
                {
                    return false;
                }
                // Only allow non-admin users to mutate their own accounts
                String currentUser = authenticationService.getCurrentUserName();
                if (currentUser.equals(sourceUser) || authorityService.isAdminAuthority(currentUser))
                {
                    return true;
                }
                return false;
            }
        });
        this.valueDerivingMapFactory = new ValueDerivingMapFactory(capabilityTesters);
    }
    
    /**
     * Set the default store reference
     * 
     * @param   storeRef the default store reference
     */
    public void setStoreUrl(String storeRef)
    {
        // ensure this is not set again by a script instance
        if (this.storeRef != null)
        {
            throw new IllegalStateException("Default store URL can only be set once.");
        }
        this.storeRef = new StoreRef(storeRef);
    }    
    /**
     * Sets the authentication service.
     * 
     * @param authenticationService
     *            the authentication service
     */
    public void setAuthenticationService(MutableAuthenticationService authenticationService)
    {
        this.authenticationService = authenticationService;
    }
    /**
     * Set the service registry
     * 
     * @param serviceRegistry   the service registry
     */
    public void setServiceRegistry(ServiceRegistry serviceRegistry)
    {
        this.services = serviceRegistry;
    }
    /**
     * Set the authority DAO
     *
     * @param authorityDAO  authority dao
     */
    public void setAuthorityDAO(AuthorityDAO authorityDAO)
    {
        this.authorityDAO = authorityDAO;
    }
    
    /**
     * Set the authority service
     * 
     * @param authorityService The authorityService to set.
     */
    public void setAuthorityService(AuthorityService authorityService)
    {
        this.authorityService = authorityService;
    }
    
    /**
     * Set the person service
     * 
     * @param personService The personService to set.
     */
    public void setPersonService(PersonService personService)
    {
        this.personService = personService;
    }
    
    /**
     * @param contentUsageService   the ContentUsageService to set
     */
    public void setContentUsageService(ContentUsageService contentUsageService)
    {
        this.contentUsageService = contentUsageService;
    }
    
    /**
     * @param tenantService   the tenantService to set
     */
    public void setTenantService(TenantService tenantService)
    {
        this.tenantService = tenantService;
    }
    
    /**
     * Set the user name generator service
     * 
     * @param userNameGenerator the user name generator 
     */
    public void setUserNameGenerator(UserNameGenerator userNameGenerator)
    {
        this.usernameGenerator = userNameGenerator;
    }
    
    /**
     * Set the UserRegistrySynchronizer
     * 
     * @param userRegistrySynchronizer UserRegistrySynchronizer
     */
    public void setUserRegistrySynchronizer(UserRegistrySynchronizer userRegistrySynchronizer)
    {
        this.userRegistrySynchronizer = userRegistrySynchronizer;
    }
    
    public void setDefaultListMaxResults(int defaultListMaxResults)
    {
        this.defaultListMaxResults = defaultListMaxResults;
    }
    
    /**
     * Allows customers to choose to use Solr or Lucene rather than a canned query in
     * {@link #getPeople(String, int, String, boolean)} when
     * {@code " [hint:useCQ]"} is appended to the search term (currently Share's
     * User Console does this). The down side is that new users may not appear as they
     * will not have been indexed. This is similar to what happened in 4.1.1 prior to
     * MNT-7548 (4.1.2 and 4.1.1.1). The down side of using a canned query at the moment
     * is that there is a bug, so that it is impossible to search for names such as
     * {@code "Carlos Allende GarcĂa"} where the first or last names may contain spaces.
     * See MNT-9719 for more details. The alfresco global property
     * {@code people.search.honor.hint.useCQ} is used to set this value (default is true).
     */
    public void setHonorHintUseCQ(boolean honorHintUseCQ)
    {
        this.honorHintUseCQ = honorHintUseCQ;
    }
    
    /**
     * Delete a Person with the given username
     * 
     * @param username the username of the person to delete
     */
    public void deletePerson(String username)
    {
        personService.deletePerson(username);
    }
    
    /**
     * Create a Person with an optionally generated user name. 
     * This version doesn't notify them.
     * 
     * @param userName userName or null for a generated user name
     * @param firstName firstName
     * @param lastName lastName
     * @param emailAddress emailAddress
     * @param password if not null creates a new authenticator with the given password.
     * @param setAccountEnabled
     *            set to 'true' to create enabled user account, or 'false' to
     *            create disabled user account for created person.
     * @return the person node (type cm:person) created or null if the person
     *         could not be created
     */
    public ScriptNode createPerson(String userName, String firstName, String lastName, String emailAddress, String password, boolean setAccountEnabled)
    {
        return createPerson(userName, firstName, lastName, emailAddress, password, setAccountEnabled, false);
    }
    
    /**
     * Create a Person with an optionally generated user name
     * 
     * @param userName userName or null for a generated user name
     * @param firstName firstName
     * @param lastName lastName
     * @param emailAddress emailAddress
     * @param password if not null creates a new authenticator with the given password.
     * @param setAccountEnabled
     *            set to 'true' to create enabled user account, or 'false' to
     *            create disabled user account for created person.
     * @param notifyByEmail
     *            set to 'true' to have the new user emailed to let them know
     *            their account details. Only applies if a username and 
     *            password were supplied.
     * @return the person node (type cm:person) created or null if the person
     *         could not be created
     */
    public ScriptNode createPerson(String userName, String firstName, String lastName, String emailAddress, 
            String password, boolean setAccountEnabled, boolean notifyByEmail)
    {
        ParameterCheck.mandatory("firstName", firstName);
        ParameterCheck.mandatory("emailAddress", emailAddress);
        
        ScriptNode person = null;
        
        // generate user name if not supplied
        if (userName == null)
        {
            for (int i=0; i < numRetries; i++)
            {
                userName = usernameGenerator.generateUserName(firstName, lastName, emailAddress, i);
                
                // create person if user name does not already exist
                if (!personService.personExists(userName))
                {
                    break;
                }
            }
        }
        
        if (userName != null)
        {
            try
            {
                userName = PersonServiceImpl.updateUsernameForTenancy(userName, tenantService);
            }
            catch (TenantDomainMismatchException re)
            {
                throw new AuthenticationException("User must belong to same domain as admin: " + re.getTenantA());
            }
            
            person = createPerson(userName, firstName, lastName, emailAddress);
            
            if (person != null && password != null)
            {               
                // create account for person with the userName and password
                authenticationService.createAuthentication(userName, password.toCharArray());
                authenticationService.setAuthenticationEnabled(userName, setAccountEnabled);
                
                person.save();
                
                if(notifyByEmail)
                {
                    personService.notifyPerson(userName, password);
                }
            }
        }
        
        return person;
    }
    /**
     * Enable user account. Can only be called by an Admin authority.
     * 
     * @param userName      user name for which to enable user account
     */
    public void enableAccount(String userName)
    {
        if (this.authorityService.isAdminAuthority(AuthenticationUtil.getFullyAuthenticatedUser()))
        {
            this.authenticationService.setAuthenticationEnabled(userName, true);
        }
    }
    
    /**
     * Disable user account. Can only be called by an Admin authority.
     * 
     * @param userName      user name for which to disable user account
     */
    public void disableAccount(String userName)
    {
        if (this.authorityService.isAdminAuthority(AuthenticationUtil.getFullyAuthenticatedUser()))
        {
            this.authenticationService.setAuthenticationEnabled(userName, false);
        }
    }
    
    /**
     * Return true if the specified user account is enabled.
     *  
     * @param userName      user name to test account
     * 
     * @return true if account enabled, false if disabled
     */
    public boolean isAccountEnabled(String userName)
    {
        return this.authenticationService.getAuthenticationEnabled(userName);
    }
    
    /**
     * Change the password for the currently logged in user.
     * Old password must be supplied.
     *  
     * @param oldPassword       Old user password
     * @param newPassword       New user password
     */
    public void changePassword(String oldPassword, String newPassword)
    {
        ParameterCheck.mandatoryString("oldPassword", oldPassword);
        ParameterCheck.mandatoryString("newPassword", newPassword);
        
        this.services.getAuthenticationService().updateAuthentication(
                AuthenticationUtil.getFullyAuthenticatedUser(), oldPassword.toCharArray(), newPassword.toCharArray());
    }
    
    /**
     * Set a password for the given user. Note that only an administrator
     * can perform this action, otherwise it will be ignored.
     * 
     * @param userName          Username to change password for
     * @param password          Password to set
     */
    public void setPassword(String userName, String password)
    {
        ParameterCheck.mandatoryString("userName", userName);
        ParameterCheck.mandatoryString("password", password);
        
        MutableAuthenticationService authService = this.services.getAuthenticationService();
        if (this.authorityService.hasAdminAuthority() && (userName.equalsIgnoreCase(authService.getCurrentUserName()) == false))
        {
            authService.setAuthentication(userName, password.toCharArray());
        }
    }
    /**
     * Create a Person with the given user name
     * 
     * @param userName the user name of the person to create
     * @return the person node (type cm:person) created or null if the user name already exists
     */
    public ScriptNode createPerson(String userName)
    {
        ParameterCheck.mandatoryString("userName", userName);
        
        ScriptNode person = null;
        
        PropertyMap properties = new PropertyMap();
        properties.put(ContentModel.PROP_USERNAME, userName);
        
        if (!personService.personExists(userName))
        {
            NodeRef personRef = personService.createPerson(properties); 
            person = new ScriptNode(personRef, services, getScope()); 
        }
        
        return person;
    }
    
    /**
     * Create a Person with the given user name, firstName, lastName and emailAddress
     * 
     * @param userName the user name of the person to create
     * @return the person node (type cm:person) created or null if the user name already exists
     */
    public ScriptNode createPerson(String userName, String firstName, String lastName, String emailAddress)
    {
        ParameterCheck.mandatoryString("userName", userName);
        ParameterCheck.mandatoryString("firstName", firstName);
        ParameterCheck.mandatoryString("emailAddress", emailAddress);
        
        ScriptNode person = null;
        
        PropertyMap properties = new PropertyMap();
        properties.put(ContentModel.PROP_USERNAME, userName);
        properties.put(ContentModel.PROP_FIRSTNAME, firstName);
        properties.put(ContentModel.PROP_LASTNAME, lastName);
        properties.put(ContentModel.PROP_EMAIL, emailAddress);
        
        if (!personService.personExists(userName))
        {
            NodeRef personRef = personService.createPerson(properties);
            person = new ScriptNode(personRef, services, getScope()); 
        }
        
        return person;
    }
    
    /**
     * Set the content quota in bytes for a person.
     * Only the admin authority can set this value.
     * 
     * @param person    Person to set quota against.
     * @param quota     As a string, in bytes, a value of "-1" means no quota is set
     */
    public void setQuota(ScriptNode person, String quota)
    {
        if (this.authorityService.isAdminAuthority(AuthenticationUtil.getFullyAuthenticatedUser()))
        {
            this.contentUsageService.setUserQuota((String)person.getProperties().get(ContentModel.PROP_USERNAME), Long.parseLong(quota));
        }
    }
    
    /**
     * Get the collection of people stored in the repository.
     * An optional filter query may be provided by which to filter the people collection.
     * Space separate the query terms i.e. "john bob" will find all users who's first or
     * second names contain the strings "john" or "bob".
     * 
     * @param filter filter query string by which to filter the collection of people.
     *          If null
 then all people stored in the repository are returned
     *          
     * @deprecated recated see getPeople(filter, maxResults)
     *          
     * @return people collection as a JavaScript array
     */
    public Scriptable getPeople(String filter)
    {
        return getPeople(filter, 0);
    }
    
    /**
     * Get the collection of people stored in the repository.
     * An optional filter query may be provided by which to filter the people collection.
     * Space separate the query terms i.e. "john bob" will find all users who's first or
     * second names contain the strings "john" or "bob".
     * 
     * @param filter filter query string by which to filter the collection of people.
     *          If null
 then all people stored in the repository are returned
     * @param maxResults maximum results to return or all if <= 0
     * 
     * @return people collection as a JavaScript array
     */
    public Scriptable getPeople(String filter, int maxResults)
    {
        return getPeople(filter, maxResults, null, true);
    }
    
    /**
     * Get the collection of people stored in the repository.
     * An optional filter query may be provided by which to filter the people collection.
     * Space separate the query terms i.e. "john bob" will find all users who's first or
     * second names contain the strings "john" or "bob".
     * Method supports sorting by specifying sortBy and sortAsc params.
     * 
     * @param filter filter query string by which to filter the collection of people.
     *          If null
 then all people stored in the repository are returned
     * @param maxResults maximum results to return or all if <= 0
     * @param sortBy field for sorting
     * @param sortAsc sort ascending or not
     * 
     * @return people collection as a JavaScript array
     */
    public Scriptable getPeople(String filter, int maxResults, String sortBy, boolean sortAsc)
    {
        return getPeoplePaging(filter, new ScriptPagingDetails(maxResults, 0), sortBy, Boolean.valueOf(sortAsc));
    }
    
    public Scriptable getPeoplePaging(String filter, ScriptPagingDetails pagingRequest, String sortBy, Boolean sortAsc)
    {
        List persons = getPeopleImpl(filter, pagingRequest, sortBy, sortAsc);
        
        Object[] peopleRefs = new Object[persons.size()];
        for (int i = 0; i < peopleRefs.length; i++)
        {
            peopleRefs[i] = persons.get(i).getNodeRef();
        }
        
        return Context.getCurrentContext().newArray(getScope(), peopleRefs);
    }
    
    protected List getPeopleImpl(String filter, ScriptPagingDetails pagingRequest, String sortBy, Boolean sortAsc)
    {
        ParameterCheck.mandatory("pagingRequest", pagingRequest);
        
        boolean useCQ = false;
        if (filter != null)
        {
            if (filter.endsWith(HINT_CQ_SUFFIX))
            {
                useCQ = honorHintUseCQ;
                filter = filter.substring(0, filter.length()-HINT_CQ_SUFFIX.length());
            }
        }
        else
        {
            filter = "*";
        }
        
        List persons = null;
        
        int maxResults = pagingRequest.getMaxItems();
        if ((maxResults <= 0) || (maxResults > defaultListMaxResults))
        {
            // remove open-ended query (eg cutoff at default/configurable max, eg. 5000 people)
            maxResults = defaultListMaxResults;
            pagingRequest.setMaxItems(maxResults);
        }
        
        // In order to use a SOLR/Lucene search, we must have a non-empty filter string - see ALF-18876
        if ((filter == null || filter.trim().isEmpty()) || useCQ)
        {
            persons = getPeopleImplDB(filter, pagingRequest, sortBy, sortAsc);
        }
        else
        {
            filter = filter.trim();
            
            String term = filter.replace("\"", "");
            String[] tokens = term.split("(? personRefs = getPeopleImplSearch(term, tokens, pagingRequest, sortBy, sortAsc);
                
                if (personRefs != null)
                {
                    persons = new ArrayList(personRefs.size());
                    for (NodeRef personRef : personRefs)
                    {
                        persons.add(personService.getPerson(personRef));
                    }
                }
            }
            catch (Throwable err)
            {
                if (useCQ)
                {
                    // search unavailable and/or parser exception - try CQ instead
                    // simple non-FTS filter: firstname or lastname or username starting with term (ignoring case)
                    persons = getPeopleImplDB(filter, pagingRequest, sortBy, sortAsc);
                }
            }
        }
        
        return (persons != null ? persons : new ArrayList(0));
    }
    
    // canned query
    protected List getPeopleImplDB(String filter, ScriptPagingDetails pagingRequest, String sortBy, Boolean sortAsc)
    {
        List filterProps = null;
        
        if ((filter != null) && (filter.length() > 0))
        {
            filter = filter.trim();
            if (! filter.equals("*"))
            {
                filter = filter.replace("\\", "").replace("\"", "");
                
                // simple non-FTS filter: firstname or lastname or username starting with term (ignoring case)
                
                filterProps = new ArrayList(3);
                filterProps.add(ContentModel.PROP_FIRSTNAME);
                filterProps.add(ContentModel.PROP_LASTNAME);
                filterProps.add(ContentModel.PROP_USERNAME);
            }
        }
        
        // Build the sorting. The user controls the primary sort, we supply
        // additional ones automatically
        List> sort = new ArrayList>();
        if ("lastName".equals(sortBy))
        {
           sort.add(new Pair(ContentModel.PROP_LASTNAME, sortAsc));
           sort.add(new Pair(ContentModel.PROP_FIRSTNAME, sortAsc));
           sort.add(new Pair(ContentModel.PROP_USERNAME, sortAsc));
        }
        else if ("firstName".equals(sortBy))
        {
           sort.add(new Pair(ContentModel.PROP_FIRSTNAME, sortAsc));
           sort.add(new Pair(ContentModel.PROP_LASTNAME, sortAsc));
           sort.add(new Pair(ContentModel.PROP_USERNAME, sortAsc));
        }
        else
        {
           sort.add(new Pair(ContentModel.PROP_USERNAME, sortAsc));
           sort.add(new Pair(ContentModel.PROP_FIRSTNAME, sortAsc));
           sort.add(new Pair(ContentModel.PROP_LASTNAME, sortAsc));
        }
        
        return personService.getPeople(filter, filterProps, sort, pagingRequest).getPage();
    }
    
    // search query
    protected List getPeopleImplSearch(String term, String[] tokens, ScriptPagingDetails pagingRequest, String sortBy, Boolean sortAsc) throws Throwable
    {
        List personRefs = null;
        
        Long start = (logger.isDebugEnabled() ? System.currentTimeMillis() : null);
        
        int propIndex = term.indexOf(':');
        
        int maxResults = pagingRequest.getMaxItems();
        int skipCount = pagingRequest.getSkipCount();
        
        SearchParameters params = new SearchParameters();
        params.addQueryTemplate("_PERSON", "|%firstName OR |%lastName OR |%userName");
        params.setDefaultFieldName("_PERSON");
        params.setExcludeTenantFilter(getExcludeTenantFilter());
        params.setPermissionEvaluation(getPermissionEvaluationMode());
        
        StringBuilder query = new StringBuilder(256);
        
        query.append("TYPE:\"").append(ContentModel.TYPE_PERSON).append("\" AND (");
        
        if (tokens.length == 1)
        {
            // single word with no field will go against _PERSON and expand
            // fts-alfresco property search i.e. location:"maidenhead"
            query.append(term.substring(0, propIndex + 1)).append('"');
            if (propIndex < 0)
            {
                query.append('*');
            }
            query.append(term.substring(propIndex + 1));
            if (propIndex > 0)
            {
                query.append('"');
            }
            else
            {
                query.append("*\"");
            }
        }
        else
        {
            // scan for non-fts-alfresco property search tokens
            int nonFtsTokens = 0;
            for (String token : tokens)
            {
                if (token.indexOf(':') == -1) nonFtsTokens++;
            }
            tokens = term.split("(? 0)
            {
                query.append("firstName:");
                query.append(multiPartNames);
                query.append(" OR lastName:");
                query.append(multiPartNames);
            }
        }
        query.append(")");
       
       // define the search parameters
       params.setLanguage(SearchService.LANGUAGE_FTS_ALFRESCO);
       params.addStore(this.storeRef);
       params.setQuery(query.toString());
       
       if (logger.isDebugEnabled())
       {
           if ((sortBy != null) && (! sortBy.isEmpty()))
           {
               logger.debug("getPeopleImplSearch: ignoring sortBy ("+sortBy+")- not yet supported by model for search");
           }
       }
       
       /* not yet supported (default property index tokenisation mode = true)
       if ("lastName".equals(sortBy))
       {
           params.addSort("@{http://www.alfresco.org/model/content/1.0}lastName", sortAsc);
           params.addSort("@{http://www.alfresco.org/model/content/1.0}firstName", sortAsc);
           params.addSort("@{http://www.alfresco.org/model/content/1.0}userName", sortAsc);
       }
       else if ("firstName".equals(sortBy))
       {
           params.addSort("@{http://www.alfresco.org/model/content/1.0}firstName", sortAsc);
           params.addSort("@{http://www.alfresco.org/model/content/1.0}lastName", sortAsc);
           params.addSort("@{http://www.alfresco.org/model/content/1.0}userName", sortAsc);
       }
       else
       {
           params.addSort("@{http://www.alfresco.org/model/content/1.0}userName", sortAsc);
           params.addSort("@{http://www.alfresco.org/model/content/1.0}firstName", sortAsc);
           params.addSort("@{http://www.alfresco.org/model/content/1.0}userName", sortAsc);
       }
       */
       
       if (maxResults > 0)
       {
           params.setLimitBy(LimitBy.FINAL_SIZE);
           params.setLimit(maxResults);
       }
       
       if (skipCount > 0)
       {
           params.setSkipCount(skipCount);
       }
       
       ResultSet results = null;
       try
       {
           results = services.getSearchService().query(params);
           
           personRefs = getSortedPeopleObjects(results.getNodeRefs(), sortBy, sortAsc);
           
           if (start != null)
           {
               logger.debug("getPeople: search - "+personRefs.size()+" items (in "+(System.currentTimeMillis()-start)+" msecs)");
           }
       }
       catch (Throwable err)
       {
           if (logger.isDebugEnabled())
           {
               logger.debug("Failed to execute people search: " + query.toString(), err);
           }
           
           throw err;
       }
       finally
       {
           if (results != null)
           {
               results.close();
           }
       }
       
       return personRefs;
    }
    
    private List getSortedPeopleObjects(List peopleRefs, final String sortBy, Boolean sortAsc)
    {
        if (sortBy == null)
        {
            return peopleRefs;
        }
        
        //make copy of peopleRefs because it can be unmodifiable list.
        List sortedPeopleRefs = new ArrayList(peopleRefs);
        final Collator col = Collator.getInstance(I18NUtil.getLocale());
        final NodeService nodeService = services.getNodeService();
        final int orderMultiplicator = ((sortAsc == null) || sortAsc)  ? 1 : -1;
        Collections.sort(sortedPeopleRefs, new Comparator()
        {
            @Override
            public int compare(NodeRef n1, NodeRef n2)
            {
                Serializable  p1 = getProperty(n1);
                Serializable  p2 = getProperty(n2);
                if ((p1 instanceof Long) && (p2 instanceof Long))
                {
                    return Long.compare((Long)p1, (Long)p2) * orderMultiplicator;
                }
                return col.compare(p1.toString(), p2) * orderMultiplicator;
            }
            public Serializable getProperty(NodeRef nodeRef)
            {
                Serializable result;
                if ("fullName".equalsIgnoreCase(sortBy))
                {
                    String firstName = (String)nodeService.getProperty(nodeRef, ContentModel.PROP_FIRSTNAME);
                    String lastName = (String)nodeService.getProperty(nodeRef, ContentModel.PROP_LASTNAME);
                    String fullName = firstName;
                    if (lastName != null && lastName.length() > 0)
                    {
                        fullName = fullName + " " + lastName;
                    }
                    result = fullName;
                }
                else if ("jobtitle".equalsIgnoreCase(sortBy))
                {
                    result = nodeService.getProperty(nodeRef, ContentModel.PROP_JOBTITLE);
                }
                else if ("email".equalsIgnoreCase(sortBy))
                {
                    result = nodeService.getProperty(nodeRef, ContentModel.PROP_EMAIL);
                }
                else if ("usage".equalsIgnoreCase(sortBy))
                {
                    result = nodeService.getProperty(nodeRef, ContentModel.PROP_SIZE_CURRENT);
                }
                else if ("quota".equalsIgnoreCase(sortBy))
                {
                    result = nodeService.getProperty(nodeRef, ContentModel.PROP_SIZE_QUOTA);
                }
                else
                {
                    // Default
                    result = nodeService.getProperty(nodeRef, ContentModel.PROP_USERNAME);
                }
                if (result == null)
                {
                    result = "";
                }
                return result;
            }
        });
        
        return sortedPeopleRefs;
    }
    
    /**
     * Gets the Person given the username
     * 
     * @param username  the username of the person to get
     * @return the person node (type cm:person) or null if no such person exists 
     */
    public ScriptNode getPerson(final String username)
    {
    	NodeRef personRef = null;
        ParameterCheck.mandatory("Username", username);
        try
        {
	        personRef = personService.getPersonOrNull(username);
        }
        catch(AccessDeniedException e)
        {
        	// ok, just return null to indicate not found
        }
        return personRef == null ? null : new ScriptNode(personRef, services, getScope());
    }
    
    /**
     * Faster helper when the script just wants to build the Full name for a person.
     * Avoids complete getProperties() retrieval for a cm:person.
     * 
     * @param username  the username of the person to get Full name for
     * @return full name for a person or null if the user does not exist in the system.
     */
    public String getPersonFullName(final String username)
    {
        String name = null;
        ParameterCheck.mandatoryString("Username", username);
        final NodeRef personRef = personService.getPersonOrNull(username);
        if (personRef != null)
        {
            final NodeService nodeService = services.getNodeService();
            final String firstName = (String)nodeService.getProperty(personRef, ContentModel.PROP_FIRSTNAME);
            final String lastName = (String)nodeService.getProperty(personRef, ContentModel.PROP_LASTNAME);
            name = (firstName != null ? firstName + " " : "") + (lastName != null ? lastName : "");
        }
        return name;
    }
    /**
     * Gets the Group given the group name
     * 
     * @param groupName  name of group to get
     * @return  the group node (type usr:authorityContainer) or null if no such group exists
     */
    public ScriptNode getGroup(String groupName)
    {
        ParameterCheck.mandatoryString("GroupName", groupName);
        ScriptNode group = null;
        NodeRef groupRef = authorityDAO.getAuthorityNodeRefOrNull(groupName);
        if (groupRef != null)
        {
            group = new ScriptNode(groupRef, services, getScope());
        }
        return group;
    }
    
    /**
     * Deletes a group from the system.
     * 
     * @param group     The group to delete
     */
    public void deleteGroup(ScriptNode group)
    {
        ParameterCheck.mandatory("Group", group);
        if (group.getQNameType().equals(ContentModel.TYPE_AUTHORITY_CONTAINER))
        {
            String groupName = (String)group.getProperties().get(ContentModel.PROP_AUTHORITY_NAME);
            authorityService.deleteAuthority(groupName);
        }
    }
    
    /**
     * Create a new root level group with the specified unique name
     * 
     * @param groupName     The unique group name to create - NOTE: do not prefix with "GROUP_"
     * 
     * @return the group reference if successful or null if failed
     */
    public ScriptNode createGroup(String groupName)
    {
        return createGroup(null, groupName);
    }
    
    /**
     * Create a new group with the specified unique name
     * 
     * @param parentGroup   The parent group node - can be null for a root level group
     * @param groupName     The unique group name to create - NOTE: do not prefix with "GROUP_"
     * 
     * @return the group reference if successful or null if failed
     */
    public ScriptNode createGroup(ScriptNode parentGroup, String groupName)
    {
        ParameterCheck.mandatoryString("GroupName", groupName);
        
        ScriptNode group = null;
        
        String actualName = services.getAuthorityService().getName(AuthorityType.GROUP, groupName);
        if (authorityService.authorityExists(actualName) == false)
        {
            String result = authorityService.createAuthority(AuthorityType.GROUP, groupName);
            if (parentGroup != null)
            {
                String parentGroupName = (String)parentGroup.getProperties().get(ContentModel.PROP_AUTHORITY_NAME);
                if (parentGroupName != null)
                {
                    authorityService.addAuthority(parentGroupName, actualName);
                }
            }
            group = getGroup(result);
        }
        
        return group;
    }
    
    /**
     * Add an authority (a user or group) to a group container as a new child
     * 
     * @param parentGroup   The parent container group
     * @param authority     The authority (user or group) to add
     */
    public void addAuthority(ScriptNode parentGroup, ScriptNode authority)
    {
        ParameterCheck.mandatory("Authority", authority);
        ParameterCheck.mandatory("ParentGroup", parentGroup);
        if (parentGroup.getQNameType().equals(ContentModel.TYPE_AUTHORITY_CONTAINER))
        {
            String parentGroupName = (String)parentGroup.getProperties().get(ContentModel.PROP_AUTHORITY_NAME);
            String authorityName;
            if (authority.getQNameType().equals(ContentModel.TYPE_AUTHORITY_CONTAINER))
            {
                authorityName = (String)authority.getProperties().get(ContentModel.PROP_AUTHORITY_NAME);
            }
            else
            {
                authorityName = (String)authority.getProperties().get(ContentModel.PROP_USERNAME);
            }
            authorityService.addAuthority(parentGroupName, authorityName);
        }
    }
    
    /**
     * Remove an authority (a user or group) from a group
     * 
     * @param parentGroup   The parent container group
     * @param authority     The authority (user or group) to remove
     */
    public void removeAuthority(ScriptNode parentGroup, ScriptNode authority)
    {
        ParameterCheck.mandatory("Authority", authority);
        ParameterCheck.mandatory("ParentGroup", parentGroup);
        if (parentGroup.getQNameType().equals(ContentModel.TYPE_AUTHORITY_CONTAINER))
        {
            String parentGroupName = (String)parentGroup.getProperties().get(ContentModel.PROP_AUTHORITY_NAME);
            String authorityName;
            if (authority.getQNameType().equals(ContentModel.TYPE_AUTHORITY_CONTAINER))
            {
                authorityName = (String)authority.getProperties().get(ContentModel.PROP_AUTHORITY_NAME);
            }
            else
            {
                authorityName = (String)authority.getProperties().get(ContentModel.PROP_USERNAME);
            }
            authorityService.removeAuthority(parentGroupName, authorityName);
        }
    }
    
    /**
     * Gets the members (people) of a group (including all sub-groups)
     * 
     * @param group        the group to retrieve members for
     *
     * @return members of the group as a JavaScript array
     */
    public Scriptable getMembers(ScriptNode group)
    {
        ParameterCheck.mandatory("Group", group);
        Object[] members = getContainedAuthorities(group, AuthorityType.USER, true);
        return Context.getCurrentContext().newArray(getScope(), members);
    }
    /**
     * Gets the members (people) of a group
     * 
     * @param group        the group to retrieve members for
     * @param recurse      recurse into sub-groups
     * 
     * @return the members of the group as a JavaScript array
     */
    public Scriptable getMembers(ScriptNode group, boolean recurse)
    {
        ParameterCheck.mandatory("Group", group);
        Object[] members = getContainedAuthorities(group, AuthorityType.USER, recurse);
        return Context.getCurrentContext().newArray(getScope(), members);
    }
    
    /**
     * Gets the groups that contain the specified authority
     * 
     * @param person       the user (cm:person) to get the containing groups for
     * 
     * @return the containing groups as a JavaScript array
     */
    public Scriptable getContainerGroups(ScriptNode person)
    {
        ParameterCheck.mandatory("Person", person);
        Object[] parents = null;
        Set authorities = this.authorityService.getContainingAuthoritiesInZone(
                AuthorityType.GROUP,
                (String)person.getProperties().get(ContentModel.PROP_USERNAME),
                AuthorityService.ZONE_APP_DEFAULT, null, 1000);
        parents = new Object[authorities.size()];
        int i = 0;
        for (String authority : authorities)
        {
            ScriptNode group = getGroup(authority);
            if (group != null)
            {
                parents[i++] = group; 
            }
        }
        return Context.getCurrentContext().newArray(getScope(), parents);
    }
    
    /**
     * Return true if the specified user is an Administrator authority.
     * 
     * @param person to test
     * 
     * @return true if an admin, false otherwise
     */
    public boolean isAdmin(ScriptNode person)
    {
        ParameterCheck.mandatory("Person", person);
        return this.authorityService.isAdminAuthority((String)person.getProperties().get(ContentModel.PROP_USERNAME));
    }
    /**
     * Return true if the specified user is an guest authority.
     * 
     * @param person to test
     * 
     * @return true if an admin, false otherwise
     */
    public boolean isGuest(ScriptNode person)
    {
        ParameterCheck.mandatory("Person", person);
        return this.authorityService.isGuestAuthority((String) person.getProperties().get(ContentModel.PROP_USERNAME));
    }
    /**
     * Gets a map of capabilities (boolean assertions) for the given person.
     * 
     * @param person
     *            the person
     * @return the capability map
     */
    public Map getCapabilities(final ScriptNode person)
    {
        ParameterCheck.mandatory("Person", person);
        Map retVal = new ScriptableHashMap();
        retVal.putAll(this.valueDerivingMapFactory.getMap(person));
        return retVal;
    }
    
    /**
     * Return a map of the Person properties that are marked as immutable for the given user.
     * This enables a script to interogate which properties are dealt with by an external
     * system such as LDAP and should not be mutable in any client UI.
     * 
     * @param username String
     *
     * @return ScriptableHashMap
     */
    public ScriptableHashMap getImmutableProperties(String username)
    {
        Set props = userRegistrySynchronizer.getPersonMappedProperties(username);
        ScriptableHashMap propMap = new ScriptableHashMap();
        for (QName prop : props)
        {
            propMap.put(prop.toString(), Boolean.TRUE);
        }
        return propMap;
    }
    /**
     * Get Contained Authorities
     * 
     * @param container  authority containers
     * @param type       authority type to filter by
     * @param recurse    recurse into sub-containers
     * 
     * @return contained authorities
     */
    private Object[] getContainedAuthorities(ScriptNode container, AuthorityType type, boolean recurse)
    {
        Object[] members = null;
        
        if (container.getQNameType().equals(ContentModel.TYPE_AUTHORITY_CONTAINER))
        {
            String groupName = (String)container.getProperties().get(ContentModel.PROP_AUTHORITY_NAME);
            Set authorities = authorityService.getContainedAuthorities(type, groupName, !recurse);
            members = new Object[authorities.size()];
            int i = 0;
            for (String authority : authorities)
            {
                AuthorityType authorityType = AuthorityType.getAuthorityType(authority);
                if (authorityType.equals(AuthorityType.GROUP))
                {
                    ScriptNode group = getGroup(authority);
                    if (group != null)
                    {
                        members[i++] = group; 
                    }
                }
                else if (authorityType.equals(AuthorityType.USER))
                {
                    ScriptNode person = getPerson(authority);
                    if (person != null)
                    {
                        members[i++] = person; 
                    }
                }
            }
        }
        
        return members != null ? members : new Object[0];
    }
    
    public boolean getExcludeTenantFilter()
    {
        return false;
    }
    
    public PermissionEvaluationMode getPermissionEvaluationMode()
    {
        return PermissionEvaluationMode.EAGER;
    }
}