--- loncom/interface/lonuserutils.pm	2017/08/11 00:24:53	1.188
+++ loncom/interface/lonuserutils.pm	2017/11/04 20:59:39	1.193
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Utility functions for managing LON-CAPA user accounts
 #
-# $Id: lonuserutils.pm,v 1.188 2017/08/11 00:24:53 raeburn Exp $
+# $Id: lonuserutils.pm,v 1.193 2017/11/04 20:59:39 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -1127,8 +1127,15 @@ sub print_upload_manager_form {
     if (!$env{'form.datatoken'}) {
         $datatoken=&Apache::loncommon::upfile_store($r);
     } else {
-        $datatoken=$env{'form.datatoken'};
-        &Apache::loncommon::load_tmp_file($r);
+        $datatoken=&Apache::loncommon::valid_datatoken($env{'form.datatoken'});
+        if ($datatoken ne '') {
+            &Apache::loncommon::load_tmp_file($r,$datatoken);
+        }
+    }
+    if ($datatoken eq '') {
+        $r->print('<p class="LC_error">'.&mt('Error').': '.
+                  &mt('Invalid datatoken').'</p>');
+        return 'missingdata';
     }
     my @records=&Apache::loncommon::upfile_record_sep();
     if($env{'form.noFirstLine'}){
@@ -1212,6 +1219,7 @@ sub print_upload_manager_form {
     }
     &print_upload_manager_footer($r,$i,$keyfields,$defdom,$today,$halfyear,
                                  $context,$permission,$crstype,$showcredits);
+    return 'ok';
 }
 
 sub setup_date_selectors {
@@ -4114,7 +4122,10 @@ sub print_first_users_upload_form {
 # ================================================= Drop/Add from uploaded file
 sub upfile_drop_add {
     my ($r,$context,$permission,$showcredits) = @_;
-    &Apache::loncommon::load_tmp_file($r);
+    my $datatoken = &Apache::loncommon::valid_datatoken($env{'form.datatoken'});
+    if ($datatoken ne '') {
+        &Apache::loncommon::load_tmp_file($r,$datatoken);
+    }
     my @userdata=&Apache::loncommon::upfile_record_sep();
     if($env{'form.noFirstLine'}){shift(@userdata);}
     my @keyfields = split(/\,/,$env{'form.keyfields'});
@@ -4128,10 +4139,6 @@ sub upfile_drop_add {
             $fields{$env{'form.f'.$i}}=$keyfields[$i];
         }
     }
-    if ($env{'form.fullup'} ne 'yes') {
-        $r->print('<form name="studentform" method="post" action="/adm/createuser">'."\n".
-                  '<input type="hidden" name="action" value="'.$env{'form.action'}.'" />');
-    }
     #
     # Store the field choices away
     my @storefields = qw/username names fname mname lname gen id 
@@ -4169,39 +4176,43 @@ sub upfile_drop_add {
     my $domain;
     if ($env{'form.defaultdomain'} ne '') {
         if (($context eq 'course') || ($setting eq 'course')) {
-            unless ($env{'form.defaultdomain'} eq $crsdom) {
+            if ($env{'form.defaultdomain'} eq $crsdom) {
+                $domain = $env{'form.defaultdomain'};
+            } else {
                 if (&Apache::lonnet::will_trust('enroll',$crsdom,$env{'form.defaultdomain'})) {
                     $domain = $env{'form.defaultdomain'};
                 } else {
-                    $r->print('<span class="LC_error">'.&mt('Error').
+                    $r->print('<span class="LC_error">'.&mt('Error').': '.
                               &mt('Enrollment of users not permitted for specified default domain: [_1].',
                                   &Apache::lonnet::domain($env{'form.defaultdomain'},'description')).'</span>');
-                    $r->print(&Apache::loncommon::end_page());
+                    return 'untrusted';
                 }
-                return;
             }
         } elsif ($context eq 'author') {
-            unless ($env{'form.defaultdomain'} eq $defdom) {
+            if ($env{'form.defaultdomain'} eq $defdom) {
+                $domain = $env{'form.defaultdomain'}; 
+            } else {
                 if ((&Apache::lonnet::will_trust('othcoau',$defdom,$env{'form.defaultdomain'})) &&
                     (&Apache::lonnet::will_trust('coaurem',$env{'form.defaultdomain'},$defdom))) {
                     $domain = $env{'form.defaultdomain'};
                 } else {
-                    $r->print('<span class="LC_error">'.&mt('Error').
+                    $r->print('<span class="LC_error">'.&mt('Error').': '.
                               &mt('Addition of users not permitted for specified default domain: [_1].',
                                   &Apache::lonnet::domain($env{'form.defaultdomain'},'description')).'</span>');
-                    $r->print(&Apache::loncommon::end_page());
+                    return 'untrusted';
                 }
-                return; 
             }
         } elsif (($context eq 'domain') && ($setting eq 'domain')) {
-            unless ($env{'form.defaultdomain'} eq $defdom) {
+            if ($env{'form.defaultdomain'} eq $defdom) {
+                $domain = $env{'form.defaultdomain'};
+            } else {
                 if (&Apache::lonnet::will_trust('domroles',$defdom,$env{'form.defaultdomain'})) {
                     $domain = $env{'form.defaultdomain'};
                 } else {
-                    $r->print('<span class="LC_error">'.&mt('Error').
+                    $r->print('<span class="LC_error">'.&mt('Error').': '.
                               &mt('Addition of users not permitted for specified default domain: [_1].',
                                   &Apache::lonnet::domain($env{'form.defaultdomain'},'description')).'</span>');
-                    $r->print(&Apache::loncommon::end_page());
+                    return 'untrusted';
                 }
             }
         }
@@ -4214,10 +4225,9 @@ sub upfile_drop_add {
     } else {
         my %home_servers = &Apache::lonnet::get_servers($defdom,'library');
         if (! exists($home_servers{$desiredhost})) {
-            $r->print('<span class="LC_error">'.&mt('Error').
-                      &mt('Invalid home server specified').'</span>');
-            $r->print(&Apache::loncommon::end_page());
-            return;
+            $r->print('<p class="LC_error">'.&mt('Error').': '.
+                      &mt('Invalid home server specified').'</p>');
+            return 'invalidhome';
         }
     }
     # Determine authentication mechanism
@@ -4317,6 +4327,11 @@ sub upfile_drop_add {
             }
         }
     }
+    if ($datatoken eq '') {
+        $r->print('<p class="LC_error">'.&mt('Error').': '.
+                  &mt('Invalid datatoken').'</p>');
+        return 'missingdata';
+    }
     if ( $domain eq &LONCAPA::clean_domain($domain)
         && ($amode ne '')) {
         #######################################
@@ -4892,7 +4907,9 @@ sub upfile_drop_add {
                   "</p>\n");
         if ($counts{'role'} > 0) {
             $r->print("<p>\n".
-                      &mt('Roles added for [quant,_1,user].',$counts{'role'}).' '.&mt('If a user is currently logged-in to LON-CAPA, any new roles which are active will be available when the user next logs in.')."</p>\n");
+                      &mt('Roles added for [quant,_1,user].',$counts{'role'}).' '.
+                      &mt('If a user is currently logged-in to LON-CAPA, any new roles which are active will be available when the user next logs in.').
+                      "</p>\n");
         } else {
             $r->print('<p>'.&mt('No roles added').'</p>');
         }
@@ -4910,10 +4927,9 @@ sub upfile_drop_add {
             #  Get current classlist
             my $classlist = &Apache::loncoursedata::get_classlist();
             if (! defined($classlist)) {
-                $r->print('<form name="studentform" method="post" action="/adm/createuser">'.
-                          '<input type="hidden" name="action" value="'.$env{'form.action'}.'" />'.
-                          '<p class="LC_info">'.&mt('There are no students with current/future access to the course.').'</p>'.
-                          '</form>'."\n");
+                $r->print('<p class="LC_info">'.
+                          &mt('There are no students with current/future access to the course.').
+                          '</p>'."\n");
             } elsif (ref($classlist) eq 'HASH') {
                 # Remove the students we just added from the list of students.
                 foreach my $line (@userdata) {
@@ -4929,9 +4945,7 @@ sub upfile_drop_add {
             }
         }
     } # end of unless
-    if ($env{'form.fullup'} ne 'yes') {
-        $r->print('</form>');
-    }
+    return 'ok';
 }
 
 sub print_namespacing_alerts {