# The LearningOnline Network with CAPA
# Create a user
#
# $Id: loncreateuser.pm,v 1.100 2005/02/17 08:29:42 albertel Exp $
#
# Copyright Michigan State University Board of Trustees
#
# This file is part of the LearningOnline Network with CAPA (LON-CAPA).
#
# LON-CAPA is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# LON-CAPA is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with LON-CAPA; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
# /home/httpd/html/adm/gpl.txt
#
# http://www.lon-capa.org/
#
###

package Apache::loncreateuser;

=pod

=head1 NAME

Apache::loncreateuser - handler to create users and custom roles

=head1 SYNOPSIS

Apache::loncreateuser provides an Apache handler for creating users,
    editing their login parameters, roles, and removing roles, and
    also creating and assigning custom roles.

=head1 OVERVIEW

=head2 Custom Roles

In LON-CAPA, roles are actually collections of privileges. "Teaching
Assistant", "Course Coordinator", and other such roles are really just
collection of privileges that are useful in many circumstances.

Creating custom roles can be done by the Domain Coordinator through
the Create User functionality. That screen will show all privileges
that can be assigned to users. For a complete list of privileges,
please see C</home/httpd/lonTabs/rolesplain.tab>.

Custom role definitions are stored in the C<roles.db> file of the role
author.

=cut

use strict;
use Apache::Constants qw(:common :http);
use Apache::lonnet;
use Apache::loncommon;
use Apache::lonlocal;

my $loginscript; # piece of javascript used in two separate instances
my $generalrule;
my $authformnop;
my $authformkrb;
my $authformint;
my $authformfsys;
my $authformloc;

sub initialize_authen_forms {
    my ($krbdefdom)=( $ENV{'SERVER_NAME'}=~/(\w+\.\w+)$/);
    $krbdefdom= uc($krbdefdom);
    my %param = ( formname => 'document.cu',
                  kerb_def_dom => $krbdefdom 
                  );
# no longer static due to configurable kerberos defaults
#    $loginscript  = &Apache::loncommon::authform_header(%param);
    $generalrule  = &Apache::loncommon::authform_authorwarning(%param);
    $authformnop  = &Apache::loncommon::authform_nochange(%param);
# no longer static due to configurable kerberos defaults
#    $authformkrb  = &Apache::loncommon::authform_kerberos(%param);
    $authformint  = &Apache::loncommon::authform_internal(%param);
    $authformfsys = &Apache::loncommon::authform_filesystem(%param);
    $authformloc  = &Apache::loncommon::authform_local(%param);
}


# ======================================================= Existing Custom Roles

sub my_custom_roles {
    my %returnhash=();
    my %rolehash=&Apache::lonnet::dump('roles');
    foreach (keys %rolehash) {
	if ($_=~/^rolesdef\_(\w+)$/) {
	    $returnhash{$1}=$1;
	}
    }
    return %returnhash;
}

# ==================================================== Figure out author access

sub authorpriv {
    my ($auname,$audom)=@_;
    if (($auname ne $ENV{'user.name'}) ||
        (($audom ne $ENV{'user.domain'}) &&
         ($audom ne $ENV{'request.role.domain'}))) { return ''; }
    unless (&Apache::lonnet::allowed('cca',$audom)) { return ''; }
    return 1;
}

# =================================================================== Phase one

sub print_username_entry_form {
    my $r=shift;
    my $defdom=$ENV{'request.role.domain'};
    my @domains = &Apache::loncommon::get_domains();
    my $domform = &Apache::loncommon::select_dom_form($defdom,'ccdomain');
    my $html=&Apache::lonxml::xmlbegin();
    my $bodytag =&Apache::loncommon::bodytag('Create Users, Change User Privileges').&Apache::loncommon::help_open_menu('',undef,undef,'',282,'Instructor Interface');
    my $selscript=&Apache::loncommon::studentbrowser_javascript();
    my $sellink=&Apache::loncommon::selectstudent_link
                                        ('crtuser','ccuname','ccdomain');
    my %existingroles=&my_custom_roles();
    my $choice=&Apache::loncommon::select_form('make new role','rolename',
		('make new role' => 'Generate new role ...',%existingroles));
    my %lt=&Apache::lonlocal::texthash(
		    'siur'   => "Set Individual User Roles",
		    'usr'  => "Username",
                    'dom'  => "Domain",
                    'usrr' => "User Roles",
                    'ecrp' => "Edit Custom Role Privileges",
                    'nr'   => "Name of Role",
                    'cre'  => "Custom Role Editor"
				       );
    my $helpsiur=&Apache::loncommon::help_open_topic('Course_Change_Privileges');
    my $helpecpr=&Apache::loncommon::help_open_topic('Course_Editing_Custom_Roles');
    $r->print(<<"ENDDOCUMENT");
$html
<head>
<title>The LearningOnline Network with CAPA</title>
$selscript
</head>
$bodytag
<form action="/adm/createuser" method="post" name="crtuser">
<input type="hidden" name="phase" value="get_user_info">
<h2>$lt{siur}$helpsiur</h2>
<table>
<tr><td>$lt{usr}:</td><td><input type="text" size="15" name="ccuname">
</td><td rowspan="2">$sellink</td></tr><tr><td>
$lt{'dom'}:</td><td>$domform</td></tr>
</table>
<input name="userrole" type="submit" value="$lt{usrr}" />
</form>
<form action="/adm/createuser" method="post" name="docustom">
<input type="hidden" name="phase" value="selected_custom_edit">
<h2>$lt{'ecrp'}$helpecpr</h2>
$lt{'nr'}: $choice <input type="text" size="15" name="newrolename" /><br />
<input name="customeditor" type="submit" value="$lt{'cre'}" />
</body>
</html>
ENDDOCUMENT
}

# =================================================================== Phase two
sub print_user_modification_page {
    my $r=shift;
    my $ccuname=$ENV{'form.ccuname'};
    my $ccdomain=$ENV{'form.ccdomain'};

    $ccuname=~s/\W//g;
    $ccdomain=~s/\W//g;

    unless (($ccuname) && ($ccdomain)) {
	&print_username_entry_form($r);
        return;
    }

    my $defdom=$ENV{'request.role.domain'};

    my ($krbdef,$krbdefdom) =
       &Apache::loncommon::get_kerberos_defaults($defdom);

    my %param = ( formname => 'document.cu',
                  kerb_def_dom => $krbdefdom,
                  kerb_def_auth => $krbdef
                  );
    $loginscript  = &Apache::loncommon::authform_header(%param);
    $authformkrb  = &Apache::loncommon::authform_kerberos(%param);

    $ccuname=~s/\W//g;
    $ccdomain=~s/\W//g;
    my $pjump_def = &Apache::lonhtmlcommon::pjump_javascript_definition();
    my $dc_setcourse_code = '';
    my $loaditem;
    if ($ENV{'request.role'} =~ m-^dc\./(\w+)/$-) {
        my $dcdom = $1;
        $loaditem = qq|OnLoad="document.cu.coursedesc.value=''"|;
        $dc_setcourse_code = <<"ENDSCRIPT";
    function setCourse() {
        var course = document.cu.dccourse.value;
        if (course != "") {
            if (document.cu.dcdomain.value != document.cu.origdom.value) {
                alert("You must select a course in the current domain");
                return;
            } 
            var userrole = document.cu.role.options[document.cu.role.selectedIndex].value
            var section="";
            var numsections = 0;
            for (var i=0; i<document.cu.currsec.length; i++) {
                if (document.cu.currsec.options[i].selected == true ) {
                    if (document.cu.currsec.options[i].value != "" && document.cu.currsec.options[i].value != null) { 
                        if (numsections == 0) {
                            section = document.cu.currsec.options[i].value
                            numsections = 1;
                        }
                        else {
                            section = section + "," +  document.cu.currsec.options[i].value
                            numsections ++;
                        }
                    }
                }
            }
            if (document.cu.newsec.value != "" && document.cu.newsec.value != null) {
                if (numsections == 0) {
                    section = document.cu.newsec.value
                }
                else {
                    section = section + "," +  document.cu.newsec.value
                }
                var numsplit = document.cu.newsec.value.split(/,/g);
                numsections = numsections + numsplit.length;
            }
            if ((userrole == 'st') && (numsections > 1)) {
                alert("In each course, each user may only have one student role at a time. You had selected "+numsections+" sections.\\nPlease modify your selections so they include no more than one section.")
                return;
            }
            if ((userrole == 'cc') && (numsections > 0)) {
                alert("Section designations do not apply to Course Coordinator roles.\\nA course coordinator role will be added with access to all sections.");
                section = "";
            }
            var numcourse = getIndex(document.cu.dccourse);
            if (numcourse == "-1") {
                alert("There was a problem with your course selection");
                return
            }
            else { 
                var coursename = "_$dcdom"+"_"+course+"_"+userrole
                document.cu.elements[numcourse].name = "act"+coursename
                document.cu.elements[numcourse+4].name = "sec"+coursename
                document.cu.elements[numcourse+4].value = section
                document.cu.elements[numcourse+5].name = "start"+coursename
                document.cu.elements[numcourse+6].name = "end"+coursename
            }
        }
        document.cu.submit();
    }

    function getIndex(caller) {
        for (var i=0;i<document.cu.elements.length;i++) {
            if (document.cu.elements[i] == caller) {
                return i;
            }
        }
        return -1;
    }
ENDSCRIPT
    }
    my $html=&Apache::lonxml::xmlbegin();
    my $dochead =<<"ENDDOCHEAD";
$html
<head>
<title>The LearningOnline Network with CAPA</title>
<script type="text/javascript" language="Javascript">

    function pclose() {
        parmwin=window.open("/adm/rat/empty.html","LONCAPAparms",
                 "height=350,width=350,scrollbars=no,menubar=no");
        parmwin.close();
    }

    $pjump_def
    $dc_setcourse_code

    function dateset() {
        eval("document.cu."+document.cu.pres_marker.value+
            ".value=document.cu.pres_value.value");
        pclose();
    }

    function setSections() {
        var re1 = /^currsec_/;
        for (var i=0;i<document.cu.elements.length;i++) {
            var str = document.cu.elements[i].name;
            var checkcurr = str.match(re1);
            if (checkcurr != null) {
                var re2 = /^currsec_[a-zA-Z0-9]+_[a-zA-Z0-9]+_(\\w+)\$/;
                if (document.cu.elements[i-1].checked == true) {
                    var re2 = /^currsec_[a-zA-Z0-9]+_[a-zA-Z0-9]+_(\\w+)\$/;
                    match = re2.exec(str);
                    var role = match[1];
                    if (role == 'cc') {
                        alert("Section designations do not apply to Course Coordinator roles.\\nA course coordinator role will be added with access to all sections.");
                    }
                    else {
                        var sections = '';
                        var numsec = 0;
                        var sections;
                        for (var j=0; j<document.cu.elements[i].length; j++) {
                            if (document.cu.elements[i].options[j].selected == true ) {
                                if (document.cu.elements[i].options[j].value != "") {
                                    if (numsec == 0) {
                                        if (document.cu.elements[i].options[j].value != "") {
                                            sections = document.cu.elements[i].options[j].value;
                                            numsec ++;
                                        }
                                    }
                                    else {
                                        sections = sections + "," +  document.cu.elements[i].options[j].value
                                        numsec ++;
                                    }
                                }
                            }
                        }
                        if (numsec > 0) {
                            if (document.cu.elements[i+1].value != "" && document.cu.elements[i+1].value != null) {
                                sections = sections + "," +  document.cu.elements[i+1].value;
                            } 
                        }
                        else {
                            sections = document.cu.elements[i+1].value;    
                        }
                        var newsecs = document.cu.elements[i+1].value;
                        if (newsecs != null && newsecs != "") {
                            var numsplit = newsecs.split(/,/g);
                            numsec = numsec + numsplit.length;
                        }
                        if ((role == 'st') && (numsec > 1)) {
                            alert("In each course, each user may only have one student role at a time. You had selected "+numsec+" sections.\\nPlease modify your selections so they include no more than one section.")  
                            return;
                        }
                        else { 
                            document.cu.elements[i+2].value = sections;
                        }
                    }
                }
            }
        }
        document.cu.submit();
    }
</script>
</head>
ENDDOCHEAD
    $r->print(&Apache::loncommon::bodytag(
                                     'Create Users, Change User Privileges',undef,$loaditem));
    my $forminfo =<<"ENDFORMINFO";
<form action="/adm/createuser" method="post" name="cu">
<input type="hidden" name="phase"       value="update_user_data">
<input type="hidden" name="ccuname"     value="$ccuname">
<input type="hidden" name="ccdomain"    value="$ccdomain">
<input type="hidden" name="pres_value"  value="" >
<input type="hidden" name="pres_type"   value="" >
<input type="hidden" name="pres_marker" value="" >
ENDFORMINFO
    my $uhome=&Apache::lonnet::homeserver($ccuname,$ccdomain);
    my %incdomains; 
    my %inccourses;
    foreach (values(%Apache::lonnet::hostdom)) {
       $incdomains{$_}=1;
    }
    foreach (keys(%ENV)) {
	if ($_=~/^user\.priv\.cm\.\/(\w+)\/(\w+)/) {
	    $inccourses{$1.'_'.$2}=1;
        }
    }
    if ($uhome eq 'no_host') {
        my $home_server_list=
            '<option value="default" selected>default</option>'."\n".
                &Apache::loncommon::home_server_option_list($ccdomain);
        
	my %lt=&Apache::lonlocal::texthash(
                    'cnu'  => "Create New User",
                    'nu'   => "New User",
                    'id'   => "in domain",
                    'pd'   => "Personal Data",
                    'fn'   => "First Name",
                    'mn'   => "Middle Name",
                    'ln'   => "Last Name",
                    'gen'  => "Generation",
                    'idsn' => "ID/Student Number",
                    'hs'   => "Home Server",
                    'lg'   => "Login Data"
				       );
	my $genhelp=&Apache::loncommon::help_open_topic('Generation');
        &initialize_authen_forms();
	$r->print(<<ENDNEWUSER);
$dochead
<h1>$lt{'cnu'}</h1>
$forminfo
<h2>$lt{'nu'} "$ccuname" $lt{'id'} $ccdomain</h2>
<script type="text/javascript" language="Javascript">
$loginscript
</script>
<input type='hidden' name='makeuser' value='1' />
<h3>$lt{'pd'}</h3>
<p>
<table>
<tr><td>$lt{'fn'}  </td>
    <td><input type='text' name='cfirst'  size='15' /></td></tr>
<tr><td>$lt{'mn'} </td> 
    <td><input type='text' name='cmiddle' size='15' /></td></tr>
<tr><td>$lt{'ln'}   </td>
    <td><input type='text' name='clast'   size='15' /></td></tr>
<tr><td>$lt{'gen'}$genhelp</td>
    <td><input type='text' name='cgen'    size='5'  /></td></tr>
</table>
$lt{'idsn'} <input type='text' name='cstid'   size='15' /></p>
$lt{'hs'}: <select name="hserver" size="1"> $home_server_list </select>
<hr />
<h3>$lt{'lg'}</h3>
<p>$generalrule </p>
<p>$authformkrb </p>
<p>$authformint </p>
<p>$authformfsys</p>
<p>$authformloc </p>
ENDNEWUSER
    } else { # user already exists
	my %lt=&Apache::lonlocal::texthash(
                    'cup'  => "Change User Privileges",
                    'usr'  => "User",                    
                    'id'   => "in domain",
                    'fn'   => "first name",
                    'mn'   => "middle name",
                    'ln'   => "last name",
                    'gen'  => "generation"
				       );
	$r->print(<<ENDCHANGEUSER);
$dochead
<h1>$lt{'cup'}</h1>
$forminfo
<h2>$lt{'usr'} "$ccuname" $lt{'id'} "$ccdomain"</h2>
ENDCHANGEUSER
        # Get the users information
        my %userenv = &Apache::lonnet::get('environment',
                          ['firstname','middlename','lastname','generation'],
                          $ccdomain,$ccuname);
        my %rolesdump=&Apache::lonnet::dump('roles',$ccdomain,$ccuname);
        $r->print(<<END);
<hr />
<table border="2">
<tr>
<th>$lt{'fn'}</th><th>$lt{'mn'}</th><th>$lt{'ln'}</th><th>$lt{'gen'}</th>
</tr>
<tr>
END
        foreach ('firstname','middlename','lastname','generation') {
           if (&Apache::lonnet::allowed('mau',$ccdomain)) {
              $r->print(<<"END");            
<td><input type="text" name="c$_" value="$userenv{$_}" size="15" /></td>
END
           } else {
               $r->print('<td>'.$userenv{$_}.'</td>');
           }
        }
      $r->print(<<END);
</tr>
</table>
END
        # Build up table of user roles to allow revocation of a role.
        my ($tmp) = keys(%rolesdump);
        unless ($tmp =~ /^(con_lost|error)/i) {
           my $now=time;
	   my %lt=&Apache::lonlocal::texthash(
		    'rer'  => "Revoke Existing Roles",
                    'rev'  => "Revoke",                    
                    'del'  => "Delete",
		    'ren'  => "Re-Enable",
                    'rol'  => "Role",
                    'ext'  => "Extent",
                    'sta'  => "Start",
                    'end'  => "End"
				       );
           my (%roletext,%sortrole,%roleclass,%rolepriv);
	   foreach my $area (sort { my $a1=join('_',(split('_',$a))[1,0]);
				    my $b1=join('_',(split('_',$b))[1,0]);
				    return $a1 cmp $b1;
				} keys(%rolesdump)) {
               next if ($area =~ /^rolesdef/);
	       my $envkey=$area;
               my $role = $rolesdump{$area};
               my $thisrole=$area;
               $area =~ s/\_\w\w$//;
               my ($role_code,$role_end_time,$role_start_time) = 
                   split(/_/,$role);
# Is this a custom role? Get role owner and title.
	       my ($croleudom,$croleuname,$croletitle)=
	           ($role_code=~/^cr\/(\w+)\/(\w+)\/(\w+)$/);
               my $bgcol='ffffff';
               my $allowed=0;
               my $delallowed=0;
	       my $sortkey=$role_code;
	       my $class='Unknown';
               if ($area =~ /^\/(\w+)\/(\d\w+)/ ) {
		   $class='Course';
                   my ($coursedom,$coursedir) = ($1,$2);
		   $sortkey.="\0$1";
                   # $1.'_'.$2 is the course id (eg. 103_12345abcef103l3).
                   my %coursedata=
                       &Apache::lonnet::coursedescription($1.'_'.$2);
		   my $carea;
		   if (defined($coursedata{'description'})) {
		       $carea=$coursedata{'description'}.
                           '<br />'.&mt('Domain').': '.$coursedom.('&nbsp;'x8).
     &Apache::loncommon::syllabuswrapper('Syllabus',$coursedir,$coursedom);
		       $sortkey.="\0".$coursedata{'description'};
		   } else {
		       $carea=&mt('Unavailable course').': '.$area;
		       $sortkey.="\0".&mt('Unavailable course').': '.$area;
		   }
                   $inccourses{$1.'_'.$2}=1;
                   if ((&Apache::lonnet::allowed('c'.$role_code,$1.'/'.$2)) ||
                       (&Apache::lonnet::allowed('c'.$role_code,$ccdomain))) {
                       $allowed=1;
                   }
                   if ((&Apache::lonnet::allowed('dro',$1)) ||
                       (&Apache::lonnet::allowed('dro',$ccdomain))) {
                       $delallowed=1;
                   }
# - custom role. Needs more info, too
		   if ($croletitle) {
		       if (&Apache::lonnet::allowed('ccr',$1.'/'.$2)) {
			   $allowed=1;
			   $thisrole.='.'.$role_code;
		       }
		   }
                   # Compute the background color based on $area
                   $bgcol=$1.'_'.$2;
                   $bgcol=~s/[^7-9a-e]//g;
                   $bgcol=substr($bgcol.$bgcol.$bgcol.'ffffff',2,6);
                   if ($area=~/^\/(\w+)\/(\d\w+)\/(\w+)/) {
                       $carea.='<br>Section/Group: '.$3;
		       $sortkey.="\0$3";
                   }
                   $area=$carea;
               } else {
		   $sortkey.="\0".$area;
                   # Determine if current user is able to revoke privileges
                   if ($area=~ /^\/(\w+)\//) {
                       if ((&Apache::lonnet::allowed('c'.$role_code,$1)) ||
                       (&Apache::lonnet::allowed('c'.$role_code,$ccdomain))) {
                           $allowed=1;
                       }
                       if (((&Apache::lonnet::allowed('dro',$1))  ||
                            (&Apache::lonnet::allowed('dro',$ccdomain))) &&
                           ($role_code ne 'dc')) {
                           $delallowed=1;
                       }
                   } else {
                       if (&Apache::lonnet::allowed('c'.$role_code,'/')) {
                           $allowed=1;
                       }
                   }
		   if ($role_code eq 'ca' || $role_code eq 'au') {
		       $class='Construction Space';
		   } elsif ($role_code eq 'su') {
		       $class='System';
		   } else {
		       $class='Domain';
		   }
               }
               if ($role_code eq 'ca') {
                   $area=~/\/(\w+)\/(\w+)/;
		   if (&authorpriv($2,$1)) {
		       $allowed=1;
                   } else {
                       $allowed=0;
                   }
               }
	       $bgcol='77FF77';
               my $row = '';
               $row.='<tr bgcolor="#'.$bgcol.'"><td>';
               my $active=1;
               $active=0 if (($role_end_time) && ($now>$role_end_time));
               if (($active) && ($allowed)) {
                   $row.= '<input type="checkbox" name="rev:'.$thisrole.'">';
               } else {
                   if ($active) {
                      $row.='&nbsp;';
		   } else {
                      $row.=&mt('expired or revoked');
		   }
               }
	       $row.='</td><td>';
               if ($allowed && !$active) {
                   $row.= '<input type="checkbox" name="ren:'.$thisrole.'">';
               } else {
                   $row.='&nbsp;';
               }
	       $row.='</td><td>';
               if ($delallowed) {
                   $row.= '<input type="checkbox" name="del:'.$thisrole.'">';
               } else {
                   $row.='&nbsp;';
               }
	       my $plaintext='';
	       unless ($croletitle) {
		   $plaintext=&Apache::lonnet::plaintext($role_code);
	       } else {
	           $plaintext=
		"Customrole '$croletitle' defined by $croleuname\@$croleudom";
	       }
               $row.= '</td><td>'.$plaintext.
                      '</td><td>'.$area.
                      '</td><td>'.($role_start_time?localtime($role_start_time)
                                                   : '&nbsp;' ).
                      '</td><td>'.($role_end_time  ?localtime($role_end_time)
                                                   : '&nbsp;' )
                      ."</td></tr>\n";
	       $sortrole{$sortkey}=$envkey;
	       $roletext{$envkey}=$row;
	       $roleclass{$envkey}=$class;
               $rolepriv{$envkey}=$allowed;
               #$r->print($row);
           } # end of foreach        (table building loop)
           my $rolesdisplay = 0;
           my %output = ();
	   foreach my $type ('Construction Space','Course','Domain','System','Unknown') {
	       $output{$type} = '';
	       foreach my $which (sort {uc($a) cmp uc($b)} (keys(%sortrole))) {
		   if ( ($roleclass{$sortrole{$which}} =~ /^\Q$type\E/ ) && ($rolepriv{$sortrole{$which}}) ) { 
		       $output{$type}.=$roletext{$sortrole{$which}};
		   }
	       }
	       unless($output{$type} eq '') {
		   $output{$type} = "<tr bgcolor='#BBffBB'>".
			     "<td align='center' colspan='7'>".&mt($type)."</td>".
                              $output{$type};
                   $rolesdisplay = 1;
	       }
	   }
           if ($rolesdisplay == 1) {
               $r->print(<<END);
<hr />
<h3>$lt{'rer'}</h3>
<table>
<tr><th>$lt{'rev'}</th><th>$lt{'ren'}</th><th>$lt{'del'}</th><th>$lt{'rol'}</th><th>$lt{'e
xt'}</th><th>$lt{'sta'}</th><th>$lt{'end'}</th>
END
               foreach my $type ('Construction Space','Course','Domain','System','Unknown') {
                   if ($output{$type}) {
                       $r->print($output{$type}."\n");
                   }
               }
	       $r->print('</table>');
           }
        }  # End of unless
	my $currentauth=&Apache::lonnet::queryauthenticate($ccuname,$ccdomain);
	if ($currentauth=~/^krb(4|5):/) {
	    $currentauth=~/^krb(4|5):(.*)/;
	    my $krbdefdom=$1;
            my %param = ( formname => 'document.cu',
                          kerb_def_dom => $krbdefdom 
                          );
            $loginscript  = &Apache::loncommon::authform_header(%param);
	}
	# Check for a bad authentication type
        unless ($currentauth=~/^krb(4|5):/ or
		$currentauth=~/^unix:/ or
		$currentauth=~/^internal:/ or
		$currentauth=~/^localauth:/
		) { # bad authentication scheme
	    if (&Apache::lonnet::allowed('mau',$ENV{'request.role.domain'})) {
                &initialize_authen_forms();
		my %lt=&Apache::lonlocal::texthash(
                               'err'   => "ERROR",
			       'uuas'  => "This user has an unrecognized authentication scheme",
                               'sldb'  => "Please specify login data below",
                               'ld'    => "Login Data"
						   );
		$r->print(<<ENDBADAUTH);
<hr />
<script type="text/javascript" language="Javascript">
$loginscript
</script>
<font color='#ff0000'>$lt{'err'}:</font>
$lt{'uuas'} ($currentauth). $lt{'sldb'}.
<h3>$lt{'ld'}</h3>
<p>$generalrule</p>
<p>$authformkrb</p>
<p>$authformint</p>
<p>$authformfsys</p>
<p>$authformloc</p>
ENDBADAUTH
            } else { 
                # This user is not allowed to modify the users 
                # authentication scheme, so just notify them of the problem
		my %lt=&Apache::lonlocal::texthash(
                               'err'   => "ERROR",
			       'uuas'  => "This user has an unrecognized authentication scheme",
                               'adcs'  => "Please alert a domain coordinator of this situation"
						   );
		$r->print(<<ENDBADAUTH);
<hr />
<script type="text/javascript" language="Javascript">
$loginscript
</script>
<font color="#ff0000"> $lt{'err'}: </font>
$lt{'uuas'} ($currentauth). $lt{'adcs'}.
<hr />
ENDBADAUTH
            }
        } else { # Authentication type is valid
	    my $authformcurrent='';
	    my $authform_other='';
            &initialize_authen_forms();
	    if ($currentauth=~/^krb(4|5):/) {
		$authformcurrent=$authformkrb;
		$authform_other="<p>$authformint</p>\n".
                    "<p>$authformfsys</p><p>$authformloc</p>";
	    }
	    elsif ($currentauth=~/^internal:/) {
		$authformcurrent=$authformint;
		$authform_other="<p>$authformkrb</p>".
                    "<p>$authformfsys</p><p>$authformloc</p>";
	    }
	    elsif ($currentauth=~/^unix:/) {
		$authformcurrent=$authformfsys;
		$authform_other="<p>$authformkrb</p>".
                    "<p>$authformint</p><p>$authformloc;</p>";
	    }
	    elsif ($currentauth=~/^localauth:/) {
		$authformcurrent=$authformloc;
		$authform_other="<p>$authformkrb</p>".
                    "<p>$authformint</p><p>$authformfsys</p>";
	    }
            $authformcurrent.=' <i>(will override current values)</i><br />';
            if (&Apache::lonnet::allowed('mau',$ENV{'request.role.domain'})) {
		# Current user has login modification privileges
		my %lt=&Apache::lonlocal::texthash(
                               'ccld'  => "Change Current Login Data",
			       'enld'  => "Enter New Login Data"
						   );
		$r->print(<<ENDOTHERAUTHS);
<hr />
<script type="text/javascript" language="Javascript">
$loginscript
</script>
<h3>$lt{'ccld'}</h3>
<p>$generalrule</p>
<p>$authformnop</p>
<p>$authformcurrent</p>
<h3>$lt{'enld'}</h3>
$authform_other
ENDOTHERAUTHS
            }
        }  ## End of "check for bad authentication type" logic
    } ## End of new user/old user logic
    $r->print('<hr /><h3>'.&mt('Add Roles').'</h3>');
#
# Co-Author
# 
    if (&authorpriv($ENV{'user.name'},$ENV{'request.role.domain'}) &&
        ($ENV{'user.name'} ne $ccuname || $ENV{'user.domain'} ne $ccdomain)) {
        # No sense in assigning co-author role to yourself
	my $cuname=$ENV{'user.name'};
        my $cudom=$ENV{'request.role.domain'};
	   my %lt=&Apache::lonlocal::texthash(
		    'cs'   => "Construction Space",
                    'act'  => "Activate",                    
                    'rol'  => "Role",
                    'ext'  => "Extent",
                    'sta'  => "Start",
                    'end'  => "End",
                    'cau'  => "Co-Author",
                    'ssd'  => "Set Start Date",
                    'sed'  => "Set End Date"
				       );
       $r->print(<<ENDCOAUTH);
<h4>$lt{'cs'}</h4>
<table border=2><tr><th>$lt{'act'}</th><th>$lt{'rol'}</th><th>$lt{'ext'}</th>
<th>$lt{'sta'}</th><th>$lt{'end'}</th></tr>
<tr>
<td><input type=checkbox name="act_$cudom\_$cuname\_ca" /></td>
<td>$lt{'cau'}</td>
<td>$cudom\_$cuname</td>
<td><input type=hidden name="start_$cudom\_$cuname\_ca" value='' />
<a href=
"javascript:pjump('date_start','Start Date Co-Author',document.cu.start_$cudom\_$cuname\_ca.value,'start_$cudom\_$cuname\_ca','cu.pres','dateset')">$lt{'ssd'}</a></td>
<td><input type=hidden name="end_$cudom\_$cuname\_ca" value='' />
<a href=
"javascript:pjump('date_end','End Date Co-Author',document.cu.end_$cudom\_$cuname\_ca.value,'end_$cudom\_$cuname\_ca','cu.pres','dateset')">$lt{'sed'}</a></td>
</tr>
</table>
ENDCOAUTH
    }
#
# Domain level
#
    my $num_domain_level = 0;
    my $domaintext = 
    '<h4>'.&mt('Domain Level').'</h4>'.
    '<table border=2><tr><th>'.&mt('Activate').'</th><th>'.&mt('Role').'</th><th>'.&mt('Extent').'</th>'.
    '<th>'.&mt('Start').'</th><th>'.&mt('End').'</th></tr>';
    foreach ( sort( keys(%incdomains))) {
	my $thisdomain=$_;
        foreach ('dc','li','dg','au','sc') {
            if (&Apache::lonnet::allowed('c'.$_,$thisdomain)) {
               my $plrole=&Apache::lonnet::plaintext($_);
	       my %lt=&Apache::lonlocal::texthash(
                    'ssd'  => "Set Start Date",
                    'sed'  => "Set End Date"
				       );
               $num_domain_level ++;
               $domaintext .= <<"ENDDROW";
<tr>
<td><input type=checkbox name="act_$thisdomain\_$_"></td>
<td>$plrole</td>
<td>$thisdomain</td>
<td><input type=hidden name="start_$thisdomain\_$_" value=''>
<a href=
"javascript:pjump('date_start','Start Date $plrole',document.cu.start_$thisdomain\_$_.value,'start_$thisdomain\_$_','cu.pres','dateset')">$lt{'ssd'}</a></td>
<td><input type=hidden name="end_$thisdomain\_$_" value=''>
<a href=
"javascript:pjump('date_end','End Date $plrole',document.cu.end_$thisdomain\_$_.value,'end_$thisdomain\_$_','cu.pres','dateset')">$lt{'sed'}</a></td>
</tr>
ENDDROW
            }
        } 
    }
    $domaintext.='</table>';
    if ($num_domain_level > 0) {
        $r->print($domaintext);
    }
#
# Course level
#
    my $num_sections;

    if ($ENV{'request.role'} =~ m-^dc\./(\w+)/$-) {
        $r->print(&course_level_dc($1));
        $r->print('<hr /><input type="button" value="'.&mt('Modify User').'" onClick="setCourse()">'."\n");
    } else {
        $r->print(&course_level_table(%inccourses));
        $r->print('<hr /><input type="button" value="'.&mt('Modify User').'" onClick="setSections()">'."\n");
    }
    $r->print("</form></body></html>");
}

# ================================================================= Phase Three
sub update_user_data {
    my $r=shift;
    my $uhome=&Apache::lonnet::homeserver($ENV{'form.ccuname'},
                                          $ENV{'form.ccdomain'});
    # Error messages
    my $error     = '<font color="#ff0000">'.&mt('Error').':</font>';
    my $end       = '</body></html>';
    # Print header
    my $html=&Apache::lonxml::xmlbegin();
    $r->print(<<ENDTHREEHEAD);
$html
<head>
<title>The LearningOnline Network with CAPA</title>
</head>
ENDTHREEHEAD
    my $title;
    if (exists($ENV{'form.makeuser'})) {
	$title='Set Privileges for New User';
    } else {
        $title='Modify User Privileges';
    }
    $r->print(&Apache::loncommon::bodytag($title));
    # Check Inputs
    if (! $ENV{'form.ccuname'} ) {
	$r->print($error.&mt('No login name specified').'.'.$end);
	return;
    }
    if (  $ENV{'form.ccuname'}  =~/\W/) {
	$r->print($error.&mt('Invalid login name').'.  '.
		  &mt('Only letters, numbers, and underscores are valid').'.'.
		  $end);
	return;
    }
    if (! $ENV{'form.ccdomain'}       ) {
	$r->print($error.&mt('No domain specified').'.'.$end);
	return;
    }
    if (  $ENV{'form.ccdomain'} =~/\W/) {
	$r->print($error.&mt ('Invalid domain name').'.  '.
		  &mt('Only letters, numbers, and underscores are valid').'.'.
		  $end);
	return;
    }
    if (! exists($ENV{'form.makeuser'})) {
        # Modifying an existing user, so check the validity of the name
        if ($uhome eq 'no_host') {
            $r->print($error.&mt('Unable to determine home server for ').
                      $ENV{'form.ccuname'}.&mt(' in domain ').
                      $ENV{'form.ccdomain'}.'.');
            return;
        }
    }
    # Determine authentication method and password for the user being modified
    my $amode='';
    my $genpwd='';
    if ($ENV{'form.login'} eq 'krb') {
	$amode='krb';
	$amode.=$ENV{'form.krbver'};
	$genpwd=$ENV{'form.krbarg'};
    } elsif ($ENV{'form.login'} eq 'int') {
	$amode='internal';
	$genpwd=$ENV{'form.intarg'};
    } elsif ($ENV{'form.login'} eq 'fsys') {
	$amode='unix';
	$genpwd=$ENV{'form.fsysarg'};
    } elsif ($ENV{'form.login'} eq 'loc') {
	$amode='localauth';
	$genpwd=$ENV{'form.locarg'};
	$genpwd=" " if (!$genpwd);
    } elsif (($ENV{'form.login'} eq 'nochange') ||
             ($ENV{'form.login'} eq ''        )) { 
        # There is no need to tell the user we did not change what they
        # did not ask us to change.
        # If they are creating a new user but have not specified login
        # information this will be caught below.
    } else {
	    $r->print($error.&mt('Invalid login mode or password').$end);    
	    return;
    }
    if ($ENV{'form.makeuser'}) {
        # Create a new user
	my %lt=&Apache::lonlocal::texthash(
                    'cru'  => "Creating user",                    
                    'id'   => "in domain"
					   );
	$r->print(<<ENDNEWUSERHEAD);
<h3>$lt{'cru'} "$ENV{'form.ccuname'}" $lt{'id'} "$ENV{'form.ccdomain'}"</h3>
ENDNEWUSERHEAD
        # Check for the authentication mode and password
        if (! $amode || ! $genpwd) {
	    $r->print($error.&mt('Invalid login mode or password').$end);    
	    return;
	}
        # Determine desired host
        my $desiredhost = $ENV{'form.hserver'};
        if (lc($desiredhost) eq 'default') {
            $desiredhost = undef;
        } else {
            my %home_servers = &Apache::loncommon::get_library_servers
                ($ENV{'form.ccdomain'});  
            if (! exists($home_servers{$desiredhost})) {
                $r->print($error.&mt('Invalid home server specified'));
                return;
            }
        }
	# Call modifyuser
	my $result = &Apache::lonnet::modifyuser
	    ($ENV{'form.ccdomain'},$ENV{'form.ccuname'},$ENV{'form.cstid'},
             $amode,$genpwd,$ENV{'form.cfirst'},
             $ENV{'form.cmiddle'},$ENV{'form.clast'},$ENV{'form.cgen'},
             undef,$desiredhost
	     );
	$r->print(&mt('Generating user').': '.$result);
        my $home = &Apache::lonnet::homeserver($ENV{'form.ccuname'},
                                               $ENV{'form.ccdomain'});
        $r->print('<br />'.&mt('Home server').': '.$home.' '.
                  $Apache::lonnet::libserv{$home});
    } elsif (($ENV{'form.login'} ne 'nochange') &&
             ($ENV{'form.login'} ne ''        )) {
	# Modify user privileges
    my %lt=&Apache::lonlocal::texthash(
                    'usr'  => "User",                    
                    'id'   => "in domain"
				       );
	$r->print(<<ENDMODIFYUSERHEAD);
<h2>$lt{'usr'} "$ENV{'form.ccuname'}" $lt{'id'} "$ENV{'form.ccdomain'}"</h2>
ENDMODIFYUSERHEAD
        if (! $amode || ! $genpwd) {
	    $r->print($error.'Invalid login mode or password'.$end);    
	    return;
	}
	# Only allow authentification modification if the person has authority
	if (&Apache::lonnet::allowed('mau',$ENV{'form.ccdomain'})) {
	    $r->print('Modifying authentication: '.
                      &Apache::lonnet::modifyuserauth(
		       $ENV{'form.ccdomain'},$ENV{'form.ccuname'},
                       $amode,$genpwd));
            $r->print('<br>'.&mt('Home server').': '.&Apache::lonnet::homeserver
		  ($ENV{'form.ccuname'},$ENV{'form.ccdomain'}));
	} else {
	    # Okay, this is a non-fatal error.
	    $r->print($error.&mt('You do not have the authority to modify this users authentification information').'.');    
	}
    }
    ##
    if (! $ENV{'form.makeuser'} ) {
        # Check for need to change
        my %userenv = &Apache::lonnet::get
            ('environment',['firstname','middlename','lastname','generation'],
             $ENV{'form.ccdomain'},$ENV{'form.ccuname'});
        my ($tmp) = keys(%userenv);
        if ($tmp =~ /^(con_lost|error)/i) { 
            %userenv = ();
        }
        # Check to see if we need to change user information
        foreach ('firstname','middlename','lastname','generation') {
            # Strip leading and trailing whitespace
            $ENV{'form.c'.$_} =~ s/(\s+$|^\s+)//g; 
        }
        if (&Apache::lonnet::allowed('mau',$ENV{'form.ccdomain'}) && 
            ($ENV{'form.cfirstname'}  ne $userenv{'firstname'}  ||
             $ENV{'form.cmiddlename'} ne $userenv{'middlename'} ||
             $ENV{'form.clastname'}   ne $userenv{'lastname'}   ||
             $ENV{'form.cgeneration'} ne $userenv{'generation'} )) {
            # Make the change
            my %changeHash;
            $changeHash{'firstname'}  = $ENV{'form.cfirstname'};
            $changeHash{'middlename'} = $ENV{'form.cmiddlename'};
            $changeHash{'lastname'}   = $ENV{'form.clastname'};
            $changeHash{'generation'} = $ENV{'form.cgeneration'};
            my $putresult = &Apache::lonnet::put
                ('environment',\%changeHash,
                 $ENV{'form.ccdomain'},$ENV{'form.ccuname'});
            if ($putresult eq 'ok') {
            # Tell the user we changed the name
		my %lt=&Apache::lonlocal::texthash(
                             'uic'  => "User Information Changed",             
                             'frst' => "first",
                             'mddl' => "middle",
                             'lst'  => "last",
			     'gen'  => "generation",
                             'prvs' => "Previous",
                             'chto' => "Changed To"
						   );
                $r->print(<<"END");
<table border="2">
<caption>$lt{'uic'}</caption>
<tr><th>&nbsp;</th>
    <th>$lt{'frst'}</th>
    <th>$lt{'mddl'}</th>
    <th>$lt{'lst'}</th>
    <th>$lt{'gen'}</th></tr>
<tr><td>$lt{'prvs'}</td>
    <td>$userenv{'firstname'}  </td>
    <td>$userenv{'middlename'} </td>
    <td>$userenv{'lastname'}   </td>
    <td>$userenv{'generation'} </td></tr>
<tr><td>$lt{'chto'}</td>
    <td>$ENV{'form.cfirstname'}  </td>
    <td>$ENV{'form.cmiddlename'} </td>
    <td>$ENV{'form.clastname'}   </td>
    <td>$ENV{'form.cgeneration'} </td></tr>
</table>
END
            } else { # error occurred
                $r->print("<h2>".&mt('Unable to successfully change environment for')." ".
                      $ENV{'form.ccuname'}." ".&mt('in domain')." ".
                      $ENV{'form.ccdomain'}."</h2>");
            }
        }  else { # End of if ($ENV ... ) logic
            # They did not want to change the users name but we can
            # still tell them what the name is
	    my %lt=&Apache::lonlocal::texthash(
                           'usr'  => "User",                    
                           'id'   => "in domain",
                           'gen'  => "Generation"
					       );
                $r->print(<<"END");
<h2>$lt{'usr'} "$ENV{'form.ccuname'}" $lt{'id'} "$ENV{'form.ccdomain'}"</h2>
<h4>$userenv{'firstname'} $userenv{'middlename'} $userenv{'lastname'} </h4>
<h4>$lt{'gen'}: $userenv{'generation'}</h4>
END
        }
    }
    ##
    my $now=time;
    $r->print('<h3>'.&mt('Modifying Roles').'</h3>');
    foreach (keys (%ENV)) {
	next if (! $ENV{$_});
	# Revoke roles
	if ($_=~/^form\.rev/) {
	    if ($_=~/^form\.rev\:([^\_]+)\_([^\_\.]+)$/) {
# Revoke standard role
	        $r->print(&mt('Revoking').' '.$2.' in '.$1.': <b>'.
                     &Apache::lonnet::revokerole($ENV{'form.ccdomain'},
                     $ENV{'form.ccuname'},$1,$2).'</b><br>');
		if ($2 eq 'st') {
		    $1=~/^\/(\w+)\/(\w+)/;
		    my $cid=$1.'_'.$2;
		    $r->print(&mt('Drop from classlist').': <b>'.
			 &Apache::lonnet::critical('put:'.
                             $ENV{'course.'.$cid.'.domain'}.':'.
	                     $ENV{'course.'.$cid.'.num'}.':classlist:'.
                         &Apache::lonnet::escape($ENV{'form.ccuname'}.':'.
                             $ENV{'form.ccdomain'}).'='.
                         &Apache::lonnet::escape($now.':'),
	                     $ENV{'course.'.$cid.'.home'}).'</b><br>');
		}
	    } 
	    if ($_=~/^form\.rev\:([^\_]+)\_cr\.cr\/(\w+)\/(\w+)\/(\w+)$/) {
# Revoke custom role
		$r->print(&mt('Revoking custom role').
                      ' '.$4.' by '.$3.'@'.$2.' in '.$1.': <b>'.
                      &Apache::lonnet::revokecustomrole($ENV{'form.ccdomain'},
				  $ENV{'form.ccuname'},$1,$2,$3,$4).
		'</b><br>');
	    }
	} elsif ($_=~/^form\.del/) {
	    if ($_=~/^form\.del\:([^\_]+)\_([^\_]+)$/) {
	        $r->print(&mt('Deleting').' '.$2.' in '.$1.': '.
                     &Apache::lonnet::assignrole($ENV{'form.ccdomain'},
                     $ENV{'form.ccuname'},$1,$2,$now,0,1).'<br>');
		if ($2 eq 'st') {
		    $1=~/^\/(\w+)\/(\w+)/;
		    my $cid=$1.'_'.$2;
		    $r->print(&mt('Drop from classlist').': <b>'.
			 &Apache::lonnet::critical('put:'.
                             $ENV{'course.'.$cid.'.domain'}.':'.
	                     $ENV{'course.'.$cid.'.num'}.':classlist:'.
                         &Apache::lonnet::escape($ENV{'form.ccuname'}.':'.
                             $ENV{'form.ccdomain'}).'='.
                         &Apache::lonnet::escape($now.':'),
	                     $ENV{'course.'.$cid.'.home'}).'</b><br>');
		}
	    } 
	} elsif ($_=~/^form\.ren/) {
            my $udom = $ENV{'form.ccdomain'};
            my $uname = $ENV{'form.ccuname'};
	    if ($_=~/^form\.ren\:([^\_]+)\_([^\_]+)$/) {
                my $url = $1;
                my $role = $2;
                my $logmsg;
                my $output;
                if ($role eq 'st') {
                    if ($url =~ m-^/(\w+)/(\w+)/?(\w*)$-) {
                        my $result = &commit_studentrole(\$logmsg,$udom,$uname,$url,$role,$now,0,$1,$2,$3);
                        if (($result =~ /^error/) || ($result eq 'not_in_class') || ($result eq 'unknown_course')) {
                            $output = "Error: $result\n";
                        } else {
                            $output = &mt('Assigning').' '.$role.' in '.$url.
                                      &mt('starting').' '.localtime($now).
                                      ': <br />'.$logmsg.'<br />'.
                                      &mt('Add to classlist').': <b>ok</b><br />';
                        }
                    }
                } else {
		    my $result=&Apache::lonnet::assignrole($ENV{'form.ccdomain'},
                               $ENV{'form.ccuname'},$url,$role,0,$now);
		    $output = &mt('Re-Enabling [_1] in [_2]: [_3]',
			      $role,$url,$result).'<br />';
		}
                $r->print($output);
	    } 
	} elsif ($_=~/^form\.act/) {
            my $udom = $ENV{'form.ccdomain'};
            my $uname = $ENV{'form.ccuname'};
	    if ($_=~/^form\.act\_([^\_]+)\_([^\_]+)\_cr_cr_([^\_]+)_(\w+)_([^\_]+)$/) {
                # Activate a custom role
		my ($one,$two,$three,$four,$five)=($1,$2,$3,$4,$5);
		my $url='/'.$one.'/'.$two;
		my $full=$one.'_'.$two.'_cr_cr_'.$three.'_'.$four.'_'.$five;

                my $start = ( $ENV{'form.start_'.$full} ?
                              $ENV{'form.start_'.$full} :
                              $now );
                my $end   = ( $ENV{'form.end_'.$full} ?
                              $ENV{'form.end_'.$full} :
                              0 );
                                                                                     
                # split multiple sections
                my %sections = ();
                my $num_sections = &build_roles($ENV{'form.sec_'.$full},\%sections,$5);
                if ($num_sections == 0) {
                    $r->print(&commit_customrole($udom,$uname,$url,$three,$four,$five,$start,$end));
                } else {
                    foreach (sort {$a cmp $b} keys %sections) {
                        my $securl = $url.'/'.$_;
		        $r->print(&commit_customrole($udom,$uname,$securl,$three,$four,$five,$start,$end));
                    }
                }
	    } elsif ($_=~/^form\.act\_([^\_]+)\_(\w+)\_([^\_]+)$/) {
		# Activate roles for sections with 3 id numbers
		# set start, end times, and the url for the class
		my ($one,$two,$three)=($1,$2,$3);
		my $start = ( $ENV{'form.start_'.$one.'_'.$two.'_'.$three} ? 
			      $ENV{'form.start_'.$one.'_'.$two.'_'.$three} : 
			      $now );
		my $end   = ( $ENV{'form.end_'.$one.'_'.$two.'_'.$three} ? 
			      $ENV{'form.end_'.$one.'_'.$two.'_'.$three} :
			      0 );
		my $url='/'.$one.'/'.$two;
                my $type = 'three';
                # split multiple sections
                my %sections = ();
                my $num_sections = &build_roles($ENV{'form.sec_'.$one.'_'.$two.'_'.$three},\%sections,$three);
                if ($num_sections == 0) {
                    $r->print(&commit_standardrole($udom,$uname,$url,$three,$start,$end,$one,$two,''));
                } else {
                    my $emptysec = 0;
                    foreach my $sec (sort {$a cmp $b} keys %sections) {
                        $sec =~ s/\W//g;
                        if ($sec ne '') {  
                            my $securl = $url.'/'.$sec;
                            $r->print(&commit_standardrole($udom,$uname,$securl,$three,$start,$end,$one,$two,$sec));
                        } else {
                            $emptysec = 1;
                        }
                    }
                    if ($emptysec) {
                        $r->print(&commit_standardrole($udom,$uname,$url,$three,$start,$end,$one,$two,''));
                    }
                } 
	    } elsif ($_=~/^form\.act\_([^\_]+)\_([^\_]+)$/) {
		# Activate roles for sections with two id numbers
		# set start, end times, and the url for the class
		my $start = ( $ENV{'form.start_'.$1.'_'.$2} ? 
			      $ENV{'form.start_'.$1.'_'.$2} : 
			      $now );
		my $end   = ( $ENV{'form.end_'.$1.'_'.$2} ? 
			      $ENV{'form.end_'.$1.'_'.$2} :
			      0 );
		my $url='/'.$1.'/';
                # split multiple sections
                my %sections = ();
                my $num_sections = &build_roles($ENV{'form.sec_'.$1.'_'.$2},\%sections,$2);
                if ($num_sections == 0) {
                    $r->print(&commit_standardrole($udom,$uname,$url,$2,$start,$end,$1,undef,''));
                } else {
                    my $emptysec = 0;
                    foreach my $sec (sort {$a cmp $b} keys %sections) {
                        if ($sec ne '') {
                            my $securl = $url.'/'.$sec;
                            $r->print(&commit_standardrole($udom,$uname,$securl,$2,$start,$end,$1,undef,$sec));
                        } else {
                            $emptysec = 1;
                        }
                    }
                    if ($emptysec) {
                        $r->print(&commit_standardrole($udom,$uname,$url,$2,$start,$end,$1,undef,''));
                    }
                }
	    } else {
		$r->print('<p>'.&mt('ERROR').': '.&mt('Unknown command').' <tt>'.$_.'</tt></p><br>');
            }
	} 
    } # End of foreach (keys(%ENV))
# Flush the course logs so reverse user roles immediately updated
    &Apache::lonnet::flushcourselogs();
    $r->print('</body></html>');
}

sub commit_customrole {
    my ($udom,$uname,$url,$three,$four,$five,$start,$end) = @_;
    my $output = &mt('Assigning custom role').' "'.$five.'" by '.$four.'@'.$three.' in '.$url.
                         ($start?', '.&mt('starting').' '.localtime($start):'').
                         ($end?', ending '.localtime($end):'').': <b>'.
              &Apache::lonnet::assigncustomrole(
                 $udom,$uname,$url,$three,$four,$five,$end,$start).
                 '</b><br>';
    return $output;
}

sub commit_standardrole {
    my ($udom,$uname,$url,$three,$start,$end,$one,$two,$sec) = @_;
    my $output;
    my $logmsg;
    if ($three eq 'st') {
        my $result = &commit_studentrole(\$logmsg,$udom,$uname,$url,$three,$start,$end,$one,$two,$sec);
        if (($result =~ /^error/) || ($result eq 'not_in_class') || ($result eq 'unknown_course')) {
            $output = "Error: $result\n"; 
        } else {
            $output = &mt('Assigning').' '.$three.' in '.$url.
               ($start?', '.&mt('starting').' '.localtime($start):'').
               ($end?', '.&mt('ending').' '.localtime($end):'').
               ': <b>'.$result.'</b><br />'.
               &mt('Add to classlist').': <b>ok</b><br />';
        }
    } else {
        $output = &mt('Assigning').' '.$three.' in '.$url.
               ($start?', '.&mt('starting').' '.localtime($start):'').
               ($end?', '.&mt('ending').' '.localtime($end):'').': <b>'.
               &Apache::lonnet::assignrole(
                   $udom,$uname,$url,$three,$end,$start).
                   '</b><br>';
    }
    return $output;
}

sub commit_studentrole {
    my ($logmsg,$udom,$uname,$url,$three,$start,$end,$one,$two,$sec) = @_;
    my $linefeed =  '<br />'."\n";
    my $result;
    if (defined($one) && defined($two)) {
        my $cid=$one.'_'.$two;
        my $oldsec=&Apache::lonnet::getsection($udom,$uname,$cid);
        my $secchange = 0;
        my $expire_role_result;
        my $modify_section_result;
        unless ($oldsec eq '-1') {
            unless ($sec eq $oldsec) {
                $secchange = 1;
                my $uurl='/'.$cid;
                $uurl=~s/\_/\//g;
                if ($oldsec) {
                    $uurl.='/'.$oldsec;
                }
                $expire_role_result = &Apache::lonnet::assignrole($udom,$uname,$uurl,'st',time);
                $result = $expire_role_result;
            }
        }
        if (($expire_role_result eq 'ok') || ($secchange == 0)) {
            $modify_section_result = &Apache::lonnet::modify_student_enrollment($udom,$uname,undef,undef,undef,undef,undef,$sec,$end,$start,'','',$cid);
            if ($modify_section_result =~ /^ok/) {
                if ($secchange == 1) {
                    $$logmsg .= "Section for $uname switched from old section: $oldsec to new section: $sec".$linefeed;
                } elsif ($oldsec eq '-1') {
                    $$logmsg .= "New student role for $uname in section $sec in course $cid".$linefeed;
                } else {
                    $$logmsg .= "Student $uname assigned to unchanged section $sec in course $cid".$linefeed;
                }
            } else {
                $$logmsg .= "Error when attempting section change for $uname from old section $oldsec to new section: $sec in course $cid -error: $modify_section_result".$linefeed;
            }
            $result = $modify_section_result;
        } elsif ($secchange == 1) {
            $$logmsg .= "Error when attempting to expire role for $uname in old section $oldsec in course $cid -error: $expire_role_result".$linefeed;
        }
    } else {
        $$logmsg .= "Incomplete course id defined.  Addition of user $uname from domain $udom to course $one\_$two, section $sec not completed.$linefeed";
        $result = "Error: incomplete course id\n";
    }
    return $result;
}

sub build_roles {
    my ($sectionstr,$sections,$role) = @_;
    my $num_sections = 0;
    if ($sectionstr=~ /,/) {
        my @secnums = split/,/,$sectionstr;
        if ($role eq 'st') {
            $secnums[0] =~ s/\W//g;
            $$sections{$secnums[0]} = 1;
            $num_sections = 1;
        } else {
            foreach my $sec (@secnums) {
                $sec =~ ~s/\W//g;
                unless ($sec eq "") {
                    if (exists($$sections{$sec})) {
                        $$sections{$sec} ++;
                    } else {
                        $$sections{$sec} = 1;
                        $num_sections ++;
                    }
                }
            }
        }
    } else {
        $sectionstr=~s/\W//g;
        unless ($sectionstr eq '') {
            $$sections{$sectionstr} = 1;
            $num_sections ++;
        }
    }
                                                                                     
    return $num_sections;
}

# ========================================================== Custom Role Editor

sub custom_role_editor {
    my $r=shift;
    my $rolename=$ENV{'form.rolename'};

    if ($rolename eq 'make new role') {
	$rolename=$ENV{'form.newrolename'};
    }

    $rolename=~s/[^A-Za-z0-9]//gs;

    unless ($rolename) {
	&print_username_entry_form($r);
        return;
    }

    $r->print(&Apache::loncommon::bodytag(
                     'Create Users, Change User Privileges').'<h2>');
    my $syspriv='';
    my $dompriv='';
    my $coursepriv='';
    my ($rdummy,$roledef)=
			 &Apache::lonnet::get('roles',["rolesdef_$rolename"]);
# ------------------------------------------------------- Does this role exist?
    if (($rdummy ne 'con_lost') && ($roledef ne '')) {
	$r->print(&mt('Existing Role').' "');
# ------------------------------------------------- Get current role privileges
	($syspriv,$dompriv,$coursepriv)=split(/\_/,$roledef);
    } else {
	$r->print(&mt('New Role').' "');
	$roledef='';
    }
    $r->print($rolename.'"</h2>');
# ------------------------------------------------------- What can be assigned?
    my %full=();
    my %courselevel=();
    my %courselevelcurrent=();
    foreach (split(/\:/,$Apache::lonnet::pr{'cr:c'})) {
	my ($priv,$restrict)=split(/\&/,$_);
        unless ($restrict) { $restrict='F'; }
        $courselevel{$priv}=$restrict;
        if ($coursepriv=~/\:$priv/) {
	    $courselevelcurrent{$priv}=1;
	}
	$full{$priv}=1;
    }
    my %domainlevel=();
    my %domainlevelcurrent=();
    foreach (split(/\:/,$Apache::lonnet::pr{'cr:d'})) {
	my ($priv,$restrict)=split(/\&/,$_);
        unless ($restrict) { $restrict='F'; }
        $domainlevel{$priv}=$restrict;
        if ($dompriv=~/\:$priv/) {
	    $domainlevelcurrent{$priv}=1;
	}
	$full{$priv}=1;
    }
    my %systemlevel=();
    my %systemlevelcurrent=();
    foreach (split(/\:/,$Apache::lonnet::pr{'cr:s'})) {
	my ($priv,$restrict)=split(/\&/,$_);
        unless ($restrict) { $restrict='F'; }
        $systemlevel{$priv}=$restrict;
        if ($syspriv=~/\:$priv/) {
	    $systemlevelcurrent{$priv}=1;
	}
	$full{$priv}=1;
    }
    my %lt=&Apache::lonlocal::texthash(
		    'prv'  => "Privilege",
		    'crl'  => "Course Level",
                    'dml'  => "Domain Level",
                    'ssl'  => "System Level"
				       );
    $r->print(<<ENDCCF);
<form method="post">
<input type="hidden" name="phase" value="set_custom_roles" />
<input type="hidden" name="rolename" value="$rolename" />
<table border="2">
<tr><th>$lt{'prv'}</th><th>$lt{'crl'}</th><th>$lt{'dml'}</th>
<th>$lt{'ssl'}</th></tr>
ENDCCF
    foreach (sort keys %full) {
	$r->print('<tr><td>'.&Apache::lonnet::plaintext($_).'</td><td>'.
    ($courselevel{$_}?'<input type="checkbox" name="'.$_.':c" '.
    ($courselevelcurrent{$_}?'checked="1"':'').' />':'&nbsp;').
    '</td><td>'.
    ($domainlevel{$_}?'<input type="checkbox" name="'.$_.':d" '.
    ($domainlevelcurrent{$_}?'checked="1"':'').' />':'&nbsp;').
    '</td><td>'.
    ($systemlevel{$_}?'<input type="checkbox" name="'.$_.':s" '.
    ($systemlevelcurrent{$_}?'checked="1"':'').' />':'&nbsp;').
    '</td></tr>');
    }
    $r->print(
   '<table><input type="submit" value="'.&mt('Define Role').'" /></form></body></html>');
}

# ---------------------------------------------------------- Call to definerole
sub set_custom_role {
    my $r=shift;

    my $rolename=$ENV{'form.rolename'};

    $rolename=~s/[^A-Za-z0-9]//gs;

    unless ($rolename) {
	&print_username_entry_form($r);
        return;
    }

    $r->print(&Apache::loncommon::bodytag(
                     'Create Users, Change User Privileges').'<h2>');
    my ($rdummy,$roledef)=
			 &Apache::lonnet::get('roles',["rolesdef_$rolename"]);
# ------------------------------------------------------- Does this role exist?
    if (($rdummy ne 'con_lost') && ($roledef ne '')) {
	$r->print(&mt('Existing Role').' "');
    } else {
	$r->print(&mt('New Role').' "');
	$roledef='';
    }
    $r->print($rolename.'"</h2>');
# ------------------------------------------------------- What can be assigned?
    my $sysrole='';
    my $domrole='';
    my $courole='';

    foreach (split(/\:/,$Apache::lonnet::pr{'cr:c'})) {
	my ($priv,$restrict)=split(/\&/,$_);
        unless ($restrict) { $restrict=''; }
        if ($ENV{'form.'.$priv.':c'}) {
	    $courole.=':'.$_;
	}
    }

    foreach (split(/\:/,$Apache::lonnet::pr{'cr:d'})) {
	my ($priv,$restrict)=split(/\&/,$_);
        unless ($restrict) { $restrict=''; }
        if ($ENV{'form.'.$priv.':d'}) {
	    $domrole.=':'.$_;
	}
    }

    foreach (split(/\:/,$Apache::lonnet::pr{'cr:s'})) {
	my ($priv,$restrict)=split(/\&/,$_);
        unless ($restrict) { $restrict=''; }
        if ($ENV{'form.'.$priv.':s'}) {
	    $sysrole.=':'.$_;
	}
    }
    $r->print('<br />Defining Role: '.
	   &Apache::lonnet::definerole($rolename,$sysrole,$domrole,$courole));
    if ($ENV{'request.course.id'}) {
        my $url='/'.$ENV{'request.course.id'};
        $url=~s/\_/\//g;
	$r->print('<br />'.&mt('Assigning Role to Self').': '.
	      &Apache::lonnet::assigncustomrole($ENV{'user.domain'},
						$ENV{'user.name'},
						$url,
						$ENV{'user.domain'},
						$ENV{'user.name'},
						$rolename));
    }
    $r->print('</body></html>');
}

# ================================================================ Main Handler
sub handler {
    my $r = shift;

    if ($r->header_only) {
       &Apache::loncommon::content_type($r,'text/html');
       $r->send_http_header;
       return OK;
    }

    if ((&Apache::lonnet::allowed('cta',$ENV{'request.course.id'})) ||
        (&Apache::lonnet::allowed('cin',$ENV{'request.course.id'})) || 
        (&Apache::lonnet::allowed('ccr',$ENV{'request.course.id'})) || 
        (&Apache::lonnet::allowed('cep',$ENV{'request.course.id'})) ||
        (&Apache::lonnet::allowed('cca',$ENV{'request.role.domain'})) ||
        (&Apache::lonnet::allowed('mau',$ENV{'request.role.domain'}))) {
       &Apache::loncommon::content_type($r,'text/html');
       $r->send_http_header;
       unless ($ENV{'form.phase'}) {
	   &print_username_entry_form($r);
       }
       if ($ENV{'form.phase'} eq 'get_user_info') {
           &print_user_modification_page($r);
       } elsif ($ENV{'form.phase'} eq 'update_user_data') {
           &update_user_data($r);
       } elsif ($ENV{'form.phase'} eq 'selected_custom_edit') {
           &custom_role_editor($r);
       } elsif ($ENV{'form.phase'} eq 'set_custom_roles') {
	   &set_custom_role($r);
       }
   } else {
      $ENV{'user.error.msg'}=
        "/adm/createuser:mau:0:0:Cannot modify user data";
      return HTTP_NOT_ACCEPTABLE; 
   }
   return OK;
} 

#-------------------------------------------------- functions for &phase_two
sub course_level_table {
    my (%inccourses) = @_;
    my $table = '';
# Custom Roles?

    my %customroles=&my_custom_roles();
    my %lt=&Apache::lonlocal::texthash(
            'exs'  => "Existing sections",
            'new'  => "Define new section",
            'ssd'  => "Set Start Date",
            'sed'  => "Set End Date",
            'crl'  => "Course Level",
            'act'  => "Activate",
            'rol'  => "Role",
            'ext'  => "Extent",
            'grs'  => "Group/Section",
            'sta'  => "Start",
            'end'  => "End"
    );

    foreach (sort( keys(%inccourses))) {
	my $thiscourse=$_;
	my $protectedcourse=$_;
	$thiscourse=~s:_:/:g;
	my %coursedata=&Apache::lonnet::coursedescription($thiscourse);
	my $area=$coursedata{'description'};
	if (!defined($area)) { $area=&mt('Unavailable course').': '.$_; }
	my $bgcol=$thiscourse;
	$bgcol=~s/[^7-9a-e]//g;
	$bgcol=substr($bgcol.$bgcol.$bgcol.'ffffff',2,6);
	my ($domain,$cnum)=split(/\//,$thiscourse);
        my %sections_count = ();
        my $num_sections = 0;
        if (defined($ENV{'request.course.id'})) {
            if ($ENV{'request.course.id'} eq $domain.'_'.$cnum) {
                $num_sections = &Apache::loncommon::get_sections($domain,$cnum,\%sections_count);
            }
        }
	foreach  ('st','ta','ep','ad','in','cc') {
	    if (&Apache::lonnet::allowed('c'.$_,$thiscourse)) {
		my $plrole=&Apache::lonnet::plaintext($_);
		$table .= <<ENDEXTENT;
<tr bgcolor="#$bgcol">
<td><input type="checkbox" name="act_$protectedcourse\_$_"></td>
<td>$plrole</td>
<td>$area<br />Domain: $domain</td>
ENDEXTENT
	        if ($_ ne 'cc') {
                    if ($num_sections > 0) {
                        my $currsec = &course_sections($num_sections,\%sections_count,$protectedcourse.'_'.$_);
                        $table .= 
                    '<td><table border="0" cellspacing="0" cellpadding="0">'.
                     '<tr><td valign="top">'.$lt{'exs'}.'<br />'.
                        $currsec.'</td>'.
                     '<td>&nbsp;&nbsp;</td>'.
                     '<td valign="top">&nbsp;'.$lt{'new'}.'<br />'.
                     '<input type="text" name="newsec_'.$protectedcourse.'_'.$_.'" value="" /></td>'.
                     '<input type="hidden" '.
                     'name="sec_'.$protectedcourse.'_'.$_.'"></td>'.
                     '</tr></table></td>';
                    } else {
                        $table .= '<td><input type="text" size="10" '.
                     'name="sec_'.$protectedcourse.'_'.$_.'"></td>';
                    }
                } else { 
		    $table .= '<td>&nbsp</td>';
                }
		$table .= <<ENDTIMEENTRY;
<td><input type=hidden name="start_$protectedcourse\_$_" value=''>
<a href=
"javascript:pjump('date_start','Start Date $plrole',document.cu.start_$protectedcourse\_$_.value,'start_$protectedcourse\_$_','cu.pres','dateset')">$lt{'ssd'}</a></td>
<td><input type=hidden name="end_$protectedcourse\_$_" value=''>
<a href=
"javascript:pjump('date_end','End Date $plrole',document.cu.end_$protectedcourse\_$_.value,'end_$protectedcourse\_$_','cu.pres','dateset')">$lt{'sed'}</a></td>
ENDTIMEENTRY
                $table.= "</tr>\n";
            }
        }
        foreach (sort keys %customroles) {
	    if (&Apache::lonnet::allowed('ccr',$thiscourse)) {
		my $plrole=$_;
                my $customrole=$protectedcourse.'_cr_cr_'.$ENV{'user.domain'}.
		    '_'.$ENV{'user.name'}.'_'.$plrole;
		$table .= <<END;
<tr bgcolor="#$bgcol">
<td><input type="checkbox" name="act_$customrole"></td>
<td>$plrole</td>
<td>$area</td>
END
                if ($num_sections > 0) {
                    my $currsec = &course_sections($num_sections,\%sections_count,$customrole);
                    $table.=
                   '<td><table border="0" cellspacing="0" cellpadding="0">'.
                   '<tr><td valign="top">'.$lt{'exs'}.'<br />'.
                     $currsec.'</td>'.
                   '<td>&nbsp;&nbsp;</td>'.
                   '<td valign="top">&nbsp;'.$lt{'new'}.'<br />'.
                   '<input type="text" name="newsec_'.$customrole.'" value="" /></td>'.
                   '<input type="hidden" '.
                   'name="sec_'.$customrole.'"></td>'.
                   '</tr></table></td>';
                } else {
                    $table .= '<td><input type="text" size="10" '.
                     'name="sec_'.$customrole.'"></td>';
                }
                $table .= <<ENDENTRY;
<td><input type=hidden name="start_$customrole" value=''>
<a href=
"javascript:pjump('date_start','Start Date $plrole',document.cu.start_$customrole.value,'start_$customrole','cu.pres','dateset')">$lt{'ssd'}</a></td>
<td><input type=hidden name="end_$customrole" value=''>
<a href=
"javascript:pjump('date_end','End Date $plrole',document.cu.end_$customrole.value,'end_$customrole','cu.pres','dateset')">$lt{'sed'}</a></td></tr>
ENDENTRY
           }
	}
    }
    return '' if ($table eq ''); # return nothing if there is nothing 
                                 # in the table
    my $result = <<ENDTABLE;
<h4>$lt{'crl'}</h4>
<table border=2><tr><th>$lt{'act'}</th><th>$lt{'rol'}</th><th>$lt{'ext'}</th>
<th>$lt{'grs'}</th><th>$lt{'sta'}</th><th>$lt{'end'}</th></tr>
$table
</table>
ENDTABLE
    return $result;
}

sub course_sections {
    my ($num_sections,$sections_count,$role) = @_;
    my $output = '';
    my @sections = (sort {$a <=> $b} keys %{$sections_count});
    if ($num_sections == 1) {
        $output = '<select name="currsec_'.$role.'" >'."\n".
                  '  <option value="">Select</option>'."\n".
                  '  <option value="">No section</option>'."\n".
                  '  <option value="'.$sections[0].'" >'.$sections[0].'</option>'."\n";
    } else {
        $output = '<select name="currsec_'.$role.'" ';
        my $multiple = 4;
        if ($num_sections <4) { $multiple = $num_sections; }
        $output .= '"multiple" size="'.$multiple.'">'."\n";
        foreach (@sections) {
            $output .= '<option value="'.$_.'">'.$_."</option>\n";
        }
    }
    $output .= '</select>'; 
    return $output;
}

sub course_level_dc {
    my ($dcdom) = @_;
    my %customroles=&my_custom_roles();
    my $hiddenitems = '<input type="hidden" name="dcdomain" value="'.$dcdom.'" />'.
                      '<input type="hidden" name="origdom" value="'.$dcdom.'" />'.
                      '<input type="hidden" name="dccourse" value="" />';
    my $courseform='<b>'.&Apache::loncommon::selectcourse_link
                     ('cu','dccourse','dcdomain','coursedesc').'</b>';
                                                                                      
    my $cb_jscript = &Apache::loncommon::coursebrowser_javascript($dcdom,$dcdom);
    my %lt=&Apache::lonlocal::texthash(
                    'crl'  => "Course Level",
                    'crt'  => "Course Title",
                    'rol'  => "Role",
                    'grs'  => "Group/Section",
                    'exs'  => "Existing sections",
                    'new'  => "Define new section", 
                    'sta'  => "Start",
                    'end'  => "End",
                    'ssd'  => "Set Start Date",
                    'sed'  => "Set End Date"
                  );
    my $header = '<h4>'.$lt{'crl'}.'</h4>'.
                 '<table border="2"><tr><th>'.$courseform.'</th><th>'.$lt{'rol'}.'</th><th>'.$lt{'grs'}.'</th><th>'.$lt{'sta'}.'</th><th>'.$lt{'end'}.'</th></tr>';
    my $otheritems = '<tr><td><input type="text" name="coursedesc" value="" onFocus="this.blur();opencrsbrowser('."'".'cu'."'".','."'".'dccourse'."'".','."'".'dcdomain'."'".','."'".'coursedesc'."',''".')" /></td>'.
                     '<td><select name="role">'."\n";
    foreach  ('st','ta','ep','ad','in','cc') {
        my $plrole=&Apache::lonnet::plaintext($_);
        $otheritems .= '  <option value="'.$_.'">'.$plrole;
    }
    if ( keys %customroles > 0) {
        foreach (sort keys %customroles) {
            my $custrole='cr_cr_'.$ENV{'user.domain'}.
                    '_'.$ENV{'user.name'}.'_'.$_;
            $otheritems .= '  <option value="'.$custrole.'">'.$_;
        }
    }
    $otheritems .= '</select></td><td>'.
                     '<table border="0" cellspacing="0" cellpadding="0">'.
                     '<tr><td valign="top"><b>'.$lt{'exs'}.'</b><br /><select name="currsec">'.
                     ' <option value=""><--'.&mt('Pick course first').'</select></td>'.
                     '<td>&nbsp;&nbsp;</td>'.
                     '<td valign="top">&nbsp;<b>'.$lt{'new'}.'</b><br />'.
                     '<input type="text" name="newsec" value="" /></td>'.
                     '</tr></table></td>';
    $otheritems .= <<ENDTIMEENTRY;
<td><input type=hidden name="start" value=''>
<a href=
"javascript:pjump('date_start','Start Date',document.cu.start.value,'start','cu.pres','dateset')">$lt{'ssd'}</a></td>
<td><input type=hidden name="end" value=''>
<a href=
"javascript:pjump('date_end','End Date',document.cu.end.value,'end','cu.pres','dateset')">$lt{'sed'}</a></td>
ENDTIMEENTRY
    $otheritems .= "</tr></table>\n";
    return $cb_jscript.$header.$hiddenitems.$otheritems;
}

#---------------------------------------------- end functions for &phase_two

#--------------------------------- functions for &phase_two and &phase_three

#--------------------------end of functions for &phase_two and &phase_three

1;
__END__