--- loncom/lond	2004/10/11 10:58:28	1.260
+++ loncom/lond	2004/10/18 10:13:46	1.261
@@ -2,7 +2,7 @@
 # The LearningOnline Network
 # lond "LON Daemon" Server (port "LOND" 5663)
 #
-# $Id: lond,v 1.260 2004/10/11 10:58:28 foxr Exp $
+# $Id: lond,v 1.261 2004/10/18 10:13:46 foxr Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -57,7 +57,7 @@ my $DEBUG = 0;		       # Non zero to ena
 my $status='';
 my $lastlog='';
 
-my $VERSION='$Revision: 1.260 $'; #' stupid emacs
+my $VERSION='$Revision: 1.261 $'; #' stupid emacs
 my $remoteVERSION;
 my $currenthostid="default";
 my $currentdomainid;
@@ -1806,9 +1806,25 @@ sub change_authentication_handler {
 	chomp($npass);
 	
 	$npass=&unescape($npass);
+	my $oldauth = &get_auth_type($udom, $uname); # Get old auth info.
 	my $passfilename = &password_path($udom, $uname);
 	if ($passfilename) {	# Not allowed to create a new user!!
 	    my $result=&make_passwd_file($uname, $umode,$npass,$passfilename);
+	    #
+	    #  If the current auth mode is internal, and the old auth mode was
+	    #  unix, or krb*,  and the user is an author for this domain,
+	    #  re-run manage_permissions for that role in order to be able
+	    #  to take ownership of the construction space back to www:www
+	    #
+
+	    if( ($oldauth =~ /^unix/) && ($umode eq "internal")) { # unix -> internal
+		if(&is_author($udom, $uname)) {
+		    &Debug(" Need to manage author permissions...");
+		    &manage_permissions("/$udom/_au", $udom, $uname, "internal:");
+		}
+	    }
+	       
+
 	    &Reply($client, $result, $userinput);
 	} else {	       
 	    &Failure($client, "non_authorized\n", $userinput); # Fail the user now.
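Review bot: The new `manage_permissions` call runs whether or not `make_passwd_file` succeeded, so a failed password-file write can still trigger the ownership change on the construction space while the reply reports an error. Guard the block on the success value of `$result`, which is set outside this hunk. The comment above the test also names krb* as an old mode, but the condition only matches `/^unix/`; either widen it, e.g. `if (($oldauth =~ /^(?:unix|krb)/) && ($umode eq "internal")) {`, or narrow the comment. change_authentication_handler starts and ends outside the hunk.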
@@ -2445,12 +2461,12 @@ sub roles_put_handler {
     #  is done on close this improves the chances the log will be an un-
     #  corrupted ordered thing.
     if ($hashref) {
+	my $pass_entry = &get_auth_type($udom, $uname);
+	my ($auth_type,$pwd)  = split(/:/, $pass_entry);
+	$auth_type = $auth_type.":";
 	my @pairs=split(/\&/,$what);
 	foreach my $pair (@pairs) {
 	    my ($key,$value)=split(/=/,$pair);
-	    my $pass_entry = &get_auth_type($udom, $uname);
-	    my ($auth_type,$pwd)  = split(/:/, $pass_entry);
-	    $auth_type = $auth_type.":";
 	    &manage_permissions($key, $udom, $uname,
 			       $auth_type);
 	    $hashref->{$key}=$value;
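Review bot: `$pwd` is never used after the split, so the second field of the password-file entry is held in a variable for the whole loop for no reason; `my ($auth_type) = split(/:/, $pass_entry, 2);` takes only the mode. Nothing here checks that `get_auth_type` returned a usable entry, so on a lookup failure `manage_permissions` would presumably receive a bare `:` as the auth type. Skipping the permission step in that case would be safer. The roles_put_handler body starts and ends outside the hunk.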
@@ -4925,8 +4941,35 @@ sub make_new_child {
     exit;
     
 }
+#
+#   Determine if a user is an author for the indicated domain.
+#
+# Parameters:
+#    domain          - domain to check in .
+#    user            - Name of user to check.
+#
+# Return:
+#     1             - User is an author for domain.
+#     0             - User is not an author for domain.
+sub is_author {
+    my ($domain, $user) = @_;
+
+    &Debug("is_author: $user @ $domain");
+
+    my $hashref = &tie_user_hash($domain, $user, "roles",
+				 &GDBM_READER());
+
+    #  Author role should show up as a key /domain/_au
 
+    my $key   = "/$domain/_au";
+    my $value = $hashref->{$key};
 
+    if(defined($value)) {
+	&Debug("$user @ $domain is an author");
+    }
+
+    return defined($value);
+}
 #
 #   Checks to see if the input roleput request was to set
 # an author role.  If so, invokes the lchtmldir script to set
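Review bot: `is_author` ties the user's roles hash and returns without releasing it, and it cannot tell a failed tie from a user who has no author role. The value is already copied into `$value`, so `untie(%$hashref);` can go just before the `return`. Checking `$hashref` right after `tie_user_hash` and logging a failure there would also help, since the caller uses this answer to decide whether to change ownership of the construction space. Whether `tie_user_hash` holds a lock until untie is not visible here, so confirm against its definition.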
@@ -4941,13 +4984,17 @@ sub make_new_child {
 sub manage_permissions
 {
 
+
     my ($request, $domain, $user, $authtype) = @_;
 
+    &Debug("manage_permissions: $request $domain $user $authtype");
+
     # See if the request is of the form /$domain/_au
     if($request =~ /^(\/$domain\/_au)$/) { # It's an author rolesput...
 	my $execdir = $perlvar{'lonDaemons'};
 	my $userhome= "/home/$user" ;
 	&logthis("system $execdir/lchtmldir $userhome $user $authtype");
+	&Debug("Setting homedir permissions for $userhome");
 	system("$execdir/lchtmldir $userhome $user $authtype");
     }
 }
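Review bot: The new side still runs `lchtmldir` through the single-string form of `system`, so `$user` and `$authtype` are parsed by a shell, and this commit adds a second caller (change_authentication_handler) that reaches it. The list form keeps each value a single argument: `system("$execdir/lchtmldir", $userhome, $user, $authtype);`. `$domain` is also interpolated into the pattern unquoted; `/^\/\Q$domain\E\/_au$/` matches it literally. The exit status of `system` is ignored, so a failed permission change is silent; checking it and reporting through `&logthis` would make that visible.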
@@ -5392,7 +5439,11 @@ sub make_passwd_file {
     if ($umode eq 'krb4' or $umode eq 'krb5') {
 	{
 	    my $pf = IO::File->new(">$passfilename");
-	    print $pf "$umode:$npass\n";
+	    if ($pf) {
+		print $pf "$umode:$npass\n";
+	    } else {
+		$result = "pass_file_failed_error";
+	    }
 	}
     } elsif ($umode eq 'internal') {
 	my $salt=time;
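Review bot: The added checks catch only a failed open; `print` and the implicit close are still unchecked, so a short write (full disk, quota) can leave a truncated password file with no error recorded in `$result`. The same pattern repeats in the internal, localauth, unix and none branches in the next two hunks. The new result string has no trailing newline, unlike `"auth_mode_error\n"` and `"lcuseradd_failed:$error_text\n"` in the same function, so `$result = "pass_file_failed_error\n";` would keep replies consistent if the protocol is line-based. The two-argument `">$passfilename"` form lets the file name influence the open mode; `IO::File->new($passfilename, "w")` avoids that. make_passwd_file starts and ends outside the hunk.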
@@ -5401,12 +5452,20 @@ sub make_passwd_file {
 	{
 	    &Debug("Creating internal auth");
 	    my $pf = IO::File->new(">$passfilename");
-	    print $pf "internal:$ncpass\n"; 
+	    if($pf) {
+		print $pf "internal:$ncpass\n"; 
+	    } else {
+		$result = "pass_file_failed_error";
+	    }
 	}
     } elsif ($umode eq 'localauth') {
 	{
 	    my $pf = IO::File->new(">$passfilename");
-	    print $pf "localauth:$npass\n";
+	    if($pf) {
+		print $pf "localauth:$npass\n";
+	    } else {
+		$result = "pass_file_failed_error";
+	    }
 	}
     } elsif ($umode eq 'unix') {
 	{
@@ -5445,13 +5504,21 @@ sub make_passwd_file {
 		$result = "lcuseradd_failed:$error_text\n";
 	    }  else {
 		my $pf = IO::File->new(">$passfilename");
-		print $pf "unix:\n";
+		if($pf) {
+		    print $pf "unix:\n";
+		} else {
+		    $result = "pass_file_failed_error";
+		}
 	    }
 	}
     } elsif ($umode eq 'none') {
 	{
 	    my $pf = IO::File->new("> $passfilename");
-	    print $pf "none:\n";
+	    if($pf) {
+		print $pf "none:\n";
+	    } else {
+		$result = "pass_file_failed_error";
+	    }
 	}
     } else {
 	$result="auth_mode_error\n";