--- loncom/interface/loncreateuser.pm	2007/12/07 23:09:30	1.204
+++ loncom/interface/loncreateuser.pm	2007/12/14 17:35:52	1.210
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Create a user
 #
-# $Id: loncreateuser.pm,v 1.204 2007/12/07 23:09:30 raeburn Exp $
+# $Id: loncreateuser.pm,v 1.210 2007/12/14 17:35:52 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -76,7 +76,7 @@ my $authformfsys;
 my $authformloc;
 
 sub initialize_authen_forms {
-    my ($dom,$curr_authtype) = @_; 
+    my ($dom,$curr_authtype,$mode) = @_; 
     my ($krbdefdom)=( $ENV{'SERVER_NAME'}=~/(\w+\.\w+)$/);
     $krbdefdom= uc($krbdefdom);
     my %param = ( formname => 'document.cu',
@@ -91,6 +91,9 @@ sub initialize_authen_forms {
         if ($long_auth =~ /^krb(4|5)$/) {
             $param{'curr_kerb_ver'} = $1;
         }
+        if ($mode eq 'modifyuser') {
+            $param{'mode'} = $mode;
+        }
     }
 # no longer static due to configurable kerberos defaults
 #    $loginscript  = &Apache::loncommon::authform_header(%param);
@@ -112,15 +115,6 @@ sub auth_abbrev {
     return %abv_auth;
 }
 
-# ==================================================== Figure out author access
-
-sub authorpriv {
-    my ($auname,$audom)=@_;
-    unless ((&Apache::lonnet::allowed('cca',$audom.'/'.$auname))
-         || (&Apache::lonnet::allowed('caa',$audom.'/'.$auname))) { return ''; }
-    return 1;
-}
-
 # ====================================================
 
 sub portfolio_quota {
@@ -206,12 +200,14 @@ END_SCRIPT
 # =================================================================== Phase one
 
 sub print_username_entry_form {
-    my ($r,$response,$srch,$forcenewuser) = @_;
+    my ($r,$context,$response,$srch,$forcenewuser) = @_;
     my $defdom=$env{'request.role.domain'};
     my $formtoset = 'crtuser';
     if (exists($env{'form.startrolename'})) {
         $formtoset = 'docustom';
         $env{'form.rolename'} = $env{'form.startrolename'};
+    } elsif ($env{'form.origform'} eq 'crtusername') {
+        $formtoset =  $env{'form.origform'};
     }
 
     my ($jsback,$elements) = &crumb_utilities();
@@ -249,7 +245,7 @@ sub print_username_entry_form {
                     'ecrp' => "Edit Custom Role Privileges",
                     'nr'   => "Name of Role",
                     'cre'  => "Custom Role Editor",
-                    'mod'  => "to add/modify roles",
+                    'mod'  => "to edit user information or add/modify roles",
 				       );
     my $help = &Apache::loncommon::help_open_menu(undef,undef,282,'Instructor Interface');
     my $helpsiur=&Apache::loncommon::help_open_topic('Course_Change_Privileges');
@@ -263,7 +259,7 @@ sub print_username_entry_form {
         $r->print("
 <h3>$lt{'srch'} $sellink $lt{'mod'}$helpsiur</h3>
 $response");
-        $r->print(&entry_form($defdom,$srch,$forcenewuser));
+        $r->print(&entry_form($defdom,$srch,$forcenewuser,$context));
     } elsif ($env{'form.action'} eq 'custom') {
         if (&Apache::lonnet::allowed('mcr','/')) {
             $r->print(<<ENDCUSTOM);
@@ -281,19 +277,55 @@ ENDCUSTOM
 }
 
 sub entry_form {
-    my ($dom,$srch,$forcenewuser) = @_;
+    my ($dom,$srch,$forcenewuser,$context) = @_;
+    my %domconf = &Apache::lonnet::get_dom('configuration',['usercreation'],$dom);
+    my $cancreate = &Apache::lonuserutils::can_create_user($dom,$context);
+    if (!$cancreate) {
+        $forcenewuser = '';
+    }
     my $userpicker = 
        &Apache::loncommon::user_picker($dom,$srch,$forcenewuser,
                                        'document.crtuser');
     my $srchbutton = &mt('Search');
-    my $output = <<"ENDDOCUMENT";
+    my $output = <<"ENDBLOCK";
 <form action="/adm/createuser" method="post" name="crtuser">
 <input type="hidden" name="action" value="$env{'form.action'}" />
 <input type="hidden" name="phase" value="get_user_info" />
 $userpicker
 <input name="userrole" type="button" value="$srchbutton" onclick="javascript:validateEntry(document.crtuser)" />
 </form>
+ENDBLOCK
+    if ($cancreate) {
+        my $defdom=$env{'request.role.domain'};
+        my $domform = &Apache::loncommon::select_dom_form($defdom,'srchdomain');
+        my $helpcrt=&Apache::loncommon::help_open_topic('Course_Change_Privileges');
+        my %lt=&Apache::lonlocal::texthash(
+                  'crnu' => 'Create a new user',
+                  'usr'  => 'Username',
+                  'dom'  => 'in domain',
+                  'cra'  => 'Create user',
+        );
+        $output .= <<"ENDDOCUMENT";
+<form action="/adm/createuser" method="post" name="crtusername">
+<input type="hidden" name="action" value="$env{'form.action'}" />
+<input type="hidden" name="phase" value="createnewuser" />
+<input type="hidden" name="srchtype" value="exact" />
+<input type="hidden" name="srchby" value="username" />
+<input type="hidden" name="srchin" value="dom" />
+<input type="hidden" name="forcenewuser" value="1" />
+<input type="hidden" name="origform" value="crtusername" />
+<h3>$lt{crnu}$helpcrt</h3>
+<table>
+ <tr>
+  <td>$lt{'usr'}:</td>
+  <td><input type="text" size="15" name="srchterm" /></td>
+  <td>&nbsp;$lt{'dom'}:</td><td>$domform</td>
+  <td>&nbsp;<input name="userrole" type="submit" value="$lt{'cra'}" /></td>
+ </tr>
+</table>
+</form>
 ENDDOCUMENT
+    }
     return $output;
 }
 
@@ -326,7 +358,7 @@ END
 
 # =================================================================== Phase two
 sub print_user_selection_page {
-    my ($r,$response,$srch,$srch_results,$operation,$srcharray) = @_;
+    my ($r,$response,$srch,$srch_results,$operation,$srcharray,$context) = @_;
     my @fields = ('username','domain','lastname','firstname','permanentemail');
     my $sortby = $env{'form.sortby'};
 
@@ -371,7 +403,7 @@ ENDSCRIPT
               faq=>282,bug=>'Instructor Interface',});
         $r->print(&Apache::lonhtmlcommon::breadcrumbs('User Management'));
         $r->print("<b>$lt{'usrch'}</b><br />");
-        $r->print(&entry_form($srch->{'srchdomain'},$srch));
+        $r->print(&entry_form($srch->{'srchdomain'},$srch,undef,$context));
         $r->print('<h3>'.$lt{'usel'}.'</h3>');
     } else {
         $r->print($jscript."<b>$lt{'stusrch'}</b><br />");
@@ -443,7 +475,7 @@ sub print_user_modification_page {
     my ($r,$ccuname,$ccdomain,$srch,$response,$context) = @_;
     if (($ccuname eq '') || ($ccdomain eq '')) {
         my $usermsg = &mt('No username and/or domain provided.'); 
-	&print_username_entry_form($r,$usermsg);
+	&print_username_entry_form($r,$context,$usermsg);
         return;
     }
     my %abv_auth = &auth_abbrev();
@@ -471,7 +503,7 @@ sub print_user_modification_page {
                             $domdesc,$curr_rules{$ccdomain}{'username'},
                             'username');
                     }
-                    &print_username_entry_form($r,$userchkmsg);
+                    &print_username_entry_form($r,$context,$userchkmsg);
                     return;
                 } 
             }
@@ -704,9 +736,11 @@ $loginscript
 <input type='hidden' name='makeuser' value='1' />
 <h2>$lt{'cnu'} "$ccuname" $lt{'ind'} $ccdomain</h2>
 ENDTITLE
-        $r->print('<div class="LC_left_float">'.
-                  &personal_data_display($ccuname,$ccdomain,$newuser,
-                                         %inst_results));
+        $r->print('<div class="LC_left_float">');
+        my $personal_table = 
+            &personal_data_display($ccuname,$ccdomain,$newuser,$context,
+                                   $inst_results{$ccuname.':'.$ccdomain});
+        $r->print($personal_table);
         my ($home_server_pick,$numlib) = 
             &Apache::loncommon::home_server_form_item($ccdomain,'hserver',
                                                       'default','hide');
@@ -783,10 +817,12 @@ $crumbs
 $forminfo
 <h2>$lt{'cup'} "$ccuname" $lt{'id'} "$ccdomain"</h2>
 ENDCHANGEUSER
-        $r->print('<div class="LC_left_float">'.
-                  &personal_data_display($ccuname,$ccdomain,$newuser,
-                                         %inst_results));
-        if ($context eq 'domain') {
+        $r->print('<div class="LC_left_float">');
+        my ($personal_table,$showforceid) = 
+            &personal_data_display($ccuname,$ccdomain,$newuser,$context,
+                                   $inst_results{$ccuname.':'.$ccdomain});
+        $r->print($personal_table);
+        if ($showforceid) {
             $r->print(&Apache::lonuserutils::forceid_change($context));
         }
         $r->print('</div>');
@@ -925,7 +961,7 @@ ENDNOPORTPRIV
                }
                if (($role_code eq 'ca') || ($role_code eq 'aa')) {
                    $area=~m{/($match_domain)/($match_username)};
-		   if (&authorpriv($2,$1)) {
+		   if (&Apache::lonuserutils::authorpriv($2,$1)) {
 		       $allowed=1;
                    } else {
                        $allowed=0;
@@ -1018,7 +1054,8 @@ ENDNOPORTPRIV
 #
 # Co-Author
 # 
-    if (&authorpriv($env{'user.name'},$env{'request.role.domain'}) &&
+    if (&Apache::lonuserutils::authorpriv($env{'user.name'},
+                                          $env{'request.role.domain'}) &&
         ($env{'user.name'} ne $ccuname || $env{'user.domain'} ne $ccdomain)) {
         # No sense in assigning co-author role to yourself
         $addrolesdisplay = 1;
@@ -1069,7 +1106,8 @@ ENDNOPORTPRIV
          &Apache::loncommon::end_data_table_row()."\n".
          &Apache::loncommon::end_data_table());
     } elsif ($env{'request.role'} =~ /^au\./) {
-        if (!(&authorpriv($env{'user.name'},$env{'request.role.domain'}))) {
+        if (!(&Apache::lonuserutils::authorpriv($env{'user.name'},
+                                                $env{'request.role.domain'}))) {
             $r->print('<span class="LC_error">'.
                       &mt('You do not have privileges to assign co-author roles.').
                       '</span>');
@@ -1197,12 +1235,8 @@ $lt{'uuas'} ($currentauth). $lt{'adcs'}.
 ENDBADAUTH
         }
     } else { # Authentication type is valid
-        &initialize_authen_forms($ccdomain,$currentauth);
-        my $authformnop_row;      
-        if (&Apache::lonnet::allowed('mau',$ccdomain)) {
-            $authformnop_row = &Apache::loncommon::start_data_table_row();
-        }
-        my ($authformcurrent,$authform_other,$can_modify) =
+        &initialize_authen_forms($ccdomain,$currentauth,'modifyuser');
+        my ($authformcurrent,$can_modify,@authform_others) =
             &modify_login_block($ccdomain,$currentauth);
         if (&Apache::lonnet::allowed('mau',$ccdomain)) {
             # Current user has login modification privileges
@@ -1217,7 +1251,7 @@ ENDBADAUTH
                        '</script>'."\n".
                        '<h3>'.$lt{'ld'}.'</h3>'.
                        &Apache::loncommon::start_data_table().
-                       $authformnop_row.
+                       &Apache::loncommon::start_data_table_row().
                        '<td>'.$authformnop;
             if ($can_modify) {
                 $outcome .= '</td>'."\n".
@@ -1229,11 +1263,12 @@ ENDBADAUTH
                 $outcome .= '&nbsp;('.$authformcurrent.')</td>'.
                             &Apache::loncommon::end_data_table_row()."\n";
             }
-            if ($authform_other ne '') {
-                $outcome .= $authform_other;
+            foreach my $item (@authform_others) { 
+                $outcome .= &Apache::loncommon::start_data_table_row().
+                            '<td>'.$item.'</td>'.
+                            &Apache::loncommon::end_data_table_row()."\n";
             }
-            $outcome .= &Apache::loncommon::end_data_table_row().
-                        &Apache::loncommon::end_data_table();
+            $outcome .= &Apache::loncommon::end_data_table();
         } else {
             if (&Apache::lonnet::allowed('mau',$env{'request.role.domain'})) {
                 my %lt=&Apache::lonlocal::texthash(
@@ -1256,18 +1291,14 @@ sub modify_login_block {
     my %domconfig = &Apache::lonnet::get_dom('configuration',['usercreation'],$dom);
     my ($authnum,%can_assign) =
         &Apache::loncommon::get_assignable_auth($dom);
-    my ($authformcurrent,$authform_other,$show_override_msg);
+    my ($authformcurrent,@authform_others,$show_override_msg);
     if ($currentauth=~/^krb(4|5):/) {
         $authformcurrent=$authformkrb;
         if ($can_assign{'int'}) {
-            $authform_other = &Apache::loncommon::start_data_table_row().
-                              '<td>'.$authformint.'</td>'.
-                              &Apache::loncommon::end_data_table_row()."\n"
+            push(@authform_others,$authformint);
         }
         if ($can_assign{'loc'}) {
-            $authform_other .= &Apache::loncommon::start_data_table_row().
-                               '<td>'.$authformloc.'</td>'.
-                               &Apache::loncommon::end_data_table_row()."\n";
+            push(@authform_others,$authformloc);
         }
         if (($can_assign{'krb4'}) || ($can_assign{'krb5'})) {
             $show_override_msg = 1;
@@ -1275,14 +1306,10 @@ sub modify_login_block {
     } elsif ($currentauth=~/^internal:/) {
         $authformcurrent=$authformint;
         if (($can_assign{'krb4'}) || ($can_assign{'krb5'})) {
-            $authform_other = &Apache::loncommon::start_data_table_row().
-                              '<td>'.$authformkrb.'</td>'.
-                              &Apache::loncommon::end_data_table_row()."\n";
+            push(@authform_others,$authformkrb);
         }
         if ($can_assign{'loc'}) {
-            $authform_other .= &Apache::loncommon::start_data_table_row().
-                               '<td>'.$authformloc.'</td>'.
-                               &Apache::loncommon::end_data_table_row()."\n";
+            push(@authform_others,$authformloc);
         }
         if ($can_assign{'int'}) {
             $show_override_msg = 1;
@@ -1290,19 +1317,13 @@ sub modify_login_block {
     } elsif ($currentauth=~/^unix:/) {
         $authformcurrent=$authformfsys;
         if (($can_assign{'krb4'}) || ($can_assign{'krb5'})) {
-            $authform_other = &Apache::loncommon::start_data_table_row().
-                              '<td>'.$authformkrb.'</td>'.
-                              &Apache::loncommon::end_data_table_row()."\n";
+            push(@authform_others,$authformkrb);
         }
         if ($can_assign{'int'}) {
-            $authform_other .= &Apache::loncommon::start_data_table_row().
-                               '<td>'.$authformint.'</td>'.
-                               &Apache::loncommon::end_data_table_row()."\n"
+            push(@authform_others,$authformint);
         }
         if ($can_assign{'loc'}) {
-            $authform_other .= &Apache::loncommon::start_data_table_row().
-                               '<td>'.$authformloc.'</td>'.
-                               &Apache::loncommon::end_data_table_row()."\n";
+            push(@authform_others,$authformloc);
         }
         if ($can_assign{'fsys'}) {
             $show_override_msg = 1;
@@ -1310,35 +1331,38 @@ sub modify_login_block {
     } elsif ($currentauth=~/^localauth:/) {
         $authformcurrent=$authformloc;
         if (($can_assign{'krb4'}) || ($can_assign{'krb5'})) {
-            $authform_other = &Apache::loncommon::start_data_table_row().
-                              '<td>'.$authformkrb.'</td>'.
-                              &Apache::loncommon::end_data_table_row()."\n";
+            push(@authform_others,$authformkrb);
         }
         if ($can_assign{'int'}) {
-            $authform_other .= &Apache::loncommon::start_data_table_row().
-                               '<td>'.$authformint.'</td>'.
-                               &Apache::loncommon::end_data_table_row()."\n"
+            push(@authform_others,$authformint);
         }
         if ($can_assign{'loc'}) {
             $show_override_msg = 1;
         }
     }
     if ($show_override_msg) {
-        $authformcurrent.= ' <span class="LC_cusr_emph">'.
+        $authformcurrent = '<table><tr><td colspan="3">'.$authformcurrent.
+                           '</td></tr>'."\n".
+                           '<tr><td>&nbsp;&nbsp;&nbsp;</td>'.
+                           '<td><b>'.&mt('Currently in use').'</b></td>'.
+                           '<td align="right"><span class="LC_cusr_emph">'.
                             &mt('will override current values').
-                            '</span><br />';
+                            '</span></td></tr></table>';
     }
-    return ($authformcurrent,$authform_other,$show_override_msg); 
+    return ($authformcurrent,$show_override_msg,@authform_others); 
 }
 
 sub personal_data_display {
-    my ($ccuname,$ccdomain,$newuser,%inst_results) = @_; 
-    my ($output,%userenv);
+    my ($ccuname,$ccdomain,$newuser,$context,$inst_results) = @_;
+    my ($output,$showforceid,%userenv,%domconfig);
     if (!$newuser) {
         # Get the users information
         %userenv = &Apache::lonnet::get('environment',
                    ['firstname','middlename','lastname','generation',
                     'permanentemail','id'],$ccdomain,$ccuname);
+        %domconfig =
+            &Apache::lonnet::get_dom('configuration',['usermodification'],
+                                     $ccdomain);
     }
     my %lt=&Apache::lonlocal::texthash(
                 'pd'             => "Personal Data",
@@ -1370,27 +1394,57 @@ sub personal_data_display {
         }
         $output .= &Apache::lonhtmlcommon::row_title($rowtitle,undef,'LC_oddrow_value')."\n";
         if ($newuser) {
-            if ($inst_results{$item} ne '') {
-                $output .= '<input type="hidden" name="c'.$item.'" value="'.$inst_results{$item}.'" />'.$inst_results{$item};
+            if (ref($inst_results) eq 'HASH') {
+                if ($inst_results->{$item} ne '') {
+                    $output .= '<input type="hidden" name="c'.$item.'" value="'.$inst_results->{$item}.'" />'.$inst_results->{$item};
+                } else {
+                    $output .= '<input type="text" name="c'.$item.'" size="'.$textboxsize{$item}.'" value="" />';
+                }
             } else {
                 $output .= '<input type="text" name="c'.$item.'" size="'.$textboxsize{$item}.'" value="" />';
             }
         } else {
+            my $canmodify = 0;
             if (&Apache::lonnet::allowed('mau',$ccdomain)) {
+                $canmodify = 1;
+            } else {
+                if (ref($domconfig{'usermodification'}) eq 'HASH') {
+                    if (ref($domconfig{'usermodification'}{$context}) eq 'HASH') {
+                        foreach my $key (keys(%{$domconfig{'usermodification'}{$context}})) {
+                            if (ref($domconfig{'usermodification'}{$context}{$key}) eq 'HASH') {
+                                if ($domconfig{'usermodification'}{$context}{$key}{$item}) { 
+                                    $canmodify = 1;
+                                    last;
+                                }
+                            }
+                        }
+                    }
+                } elsif ($context eq 'course') {
+                    $canmodify = 1;
+                }
+            }
+            if ($canmodify) {
                 $output .= '<input type="text" name="c'.$item.'" size="'.$textboxsize{$item}.'" value="'.$userenv{$item}.'" />';
             } else {
                 $output .= $userenv{$item};
             }
+            if ($item eq 'id') {
+                $showforceid = $canmodify; 
+            } 
         }
         $output .= &Apache::lonhtmlcommon::row_closure(1);
     }
     $output .= &Apache::lonhtmlcommon::end_pick_box();
-    return $output;
+    if (wantarray) {
+        return ($output,$showforceid);
+    } else {
+        return $output;
+    }
 }
 
 # ================================================================= Phase Three
 sub update_user_data {
-    my ($r) = @_; 
+    my ($r,$context) = @_; 
     my $uhome=&Apache::lonnet::homeserver($env{'form.ccuname'},
                                           $env{'form.ccdomain'});
     # Error messages
@@ -1588,10 +1642,116 @@ sub update_user_data {
         if ($tmp =~ /^(con_lost|error)/i) { 
             %userenv = ();
         }
-        # Check to see if we need to change user information
+        my $no_forceid_alert;
+        # Check to see if user information can be changed
+        my %domconfig =
+            &Apache::lonnet::get_dom('configuration',['usermodification'],
+                                     $env{'form.ccdomain'});
+        my @roletypes = ('active','future');
+        my %roles = &Apache::lonnet::get_my_roles($env{'form.ccuname'},$env{'form.ccdomain'},'userroles',\@roletypes,undef,$env{'request.role.domain'});
+        my @userroles;
+        my ($cnum,$cdom,$auname,$audom);
+        if ($context eq 'course') {
+            $cnum = $env{'course.'.$env{'request.course.id'}.'.num'};
+            $cdom = $env{'course.'.$env{'request.course.id'}.'.domain'};
+            if ($cnum eq '' || $cdom eq '') {
+                my $cid = $env{'request.course.id'};
+                my %coursehash =
+                     &Apache::lonnet::coursedescription($cid,{'one_time' => 1});
+                $cdom = $coursehash{'domain'};
+                $cnum = $coursehash{'num'};
+            } 
+        } elsif ($context eq 'author') {
+            $auname = $env{'user.name'};
+            $audom = $env{'user.domain'};     
+        }
+        foreach my $item (keys(%roles)) {
+            my ($rolenum,$roledom,$role) = split(/:/,$item);
+            if ($context eq 'course') {
+                if ($cnum ne '' && $cdom ne '') {
+                    if ($rolenum eq $cnum && $roledom eq $cdom) {
+                        if (!grep(/^\Q$role\E$/,@userroles)) {
+                            push(@userroles,$role);
+                        }
+                    }
+                }
+            } elsif ($context eq 'author') {
+                if ($rolenum eq $auname && $roledom eq $audom) {
+                    if (!grep(/^\Q$role\E$/,@userroles)) { 
+                        push(@userroles,$role);
+                    }
+                }
+            }
+        }
+        # Check for course or co-author roles being activated or re-enabled
+        if ($context eq 'author' || $context eq 'course') {
+            foreach my $key (keys(%env)) {
+                if ($context eq 'author') {
+                    if ($key=~/^form\.act_\Q$audom\E_\Q$auname\E_([^_]+)/) {
+                        if (!grep(/^\Q$1\E$/,@userroles)) {
+                            push(@userroles,$1);
+                        }
+                    } elsif ($key =~/^form\.ren\:\Q$audom\E\/\Q$auname\E_([^_]+)/) {
+                        if (!grep(/^\Q$1\E$/,@userroles)) {
+                            push(@userroles,$1);
+                        }
+                    }
+                } elsif ($context eq 'course') {
+                    if ($key=~/^form\.act_\Q$cdom\E_\Q$cnum\E_([^_]+)/) {
+                        if (!grep(/^\Q$1\E$/,@userroles)) {
+                            push(@userroles,$1);
+                        }
+                    } elsif ($key =~/^form\.ren\:\Q$cdom\E\/\Q$cnum\E(\/?\w*)_([^_]+)/) {
+                        if (!grep(/^\Q$1\E$/,@userroles)) {
+                            push(@userroles,$1);
+                        }
+                    }
+                }
+            }
+        }
+        #Check to see if we can change personal data for the user 
+        my (@mod_disallowed,@longroles);
+        foreach my $role (@userroles) {
+            if ($role eq 'cr') {
+                push(@longroles,'Custom');
+            } else {
+                push(@longroles,&Apache::lonnet::plaintext($role)); 
+            }
+        }
         foreach my $item ('firstname','middlename','lastname','generation','permanentemail','id') {
+            my $canmodify = 0;
+            if (&Apache::lonnet::allowed('mau',$env{'form.ccdomain'})) {
+                $canmodify = 1;
+            } else {
+                if ($context eq 'course' || $context eq 'author') {
+                    if (ref($domconfig{'usermodification'}) eq 'HASH') {
+                        if (ref($domconfig{'usermodification'}{$context}) eq 'HASH') {
+                            foreach my $role (@userroles) {
+                                if (ref($domconfig{'usermodification'}{$context}{$role}) eq 'HASH') {
+                                    if ($domconfig{'usermodification'}{$context}{$role}{$item}) {
+                                        $canmodify = 1;
+                                        last;
+                                    }
+                                }
+                            }
+                        }
+                    }
+                } elsif ($context eq 'course') {
+                    if (grep(/^st$/,@userroles)) {
+                        $canmodify = 1;
+                    }
+                }
+            }
             # Strip leading and trailing whitespace
             $env{'form.c'.$item} =~ s/(\s+$|^\s+)//g;
+            if (!$canmodify) {
+                if (defined($env{'form.c'.$item})) {
+                    if ($env{'form.c'.$item} ne $userenv{$item}) {
+                        push(@mod_disallowed,$item);
+                    }
+                }
+                $env{'form.c'.$item} = $userenv{$item};
+            }
         }
         # Check to see if we can change the ID/student number
         my $forceid = $env{'form.forceid'};
@@ -1605,6 +1765,7 @@ sub update_user_data {
             (!$forceid)) {
             if ($env{'form.cid'} ne $uidhash{$env{'form.ccuname'}}) {
                 $env{'form.cid'} = $userenv{'id'};
+                $no_forceid_alert = &mt('New student/employeeID does not match existing ID for this user.').'<br />'.&mt('Change is not permitted without checking the \'Force ID change\' checkbox on the previous page.').'<br />'."\n";        
             }
         }
         if ($env{'form.cid'} ne $userenv{'id'}) {
@@ -1668,13 +1829,12 @@ sub update_user_data {
         if ($newisdefault) {
             $newdefquotatext = &get_defaultquota_text($settingstatus);
         }
-        if (&Apache::lonnet::allowed('mau',$env{'form.ccdomain'}) && 
-            ($env{'form.cfirstname'}  ne $userenv{'firstname'}  ||
-             $env{'form.cmiddlename'} ne $userenv{'middlename'} ||
-             $env{'form.clastname'}   ne $userenv{'lastname'}   ||
-             $env{'form.cgeneration'} ne $userenv{'generation'} ||
-             $env{'form.cid'} ne $userenv{'id'}                 ||
-             $env{'form.cpermanentemail'} ne $userenv{'permanentemail'} )) {
+        if ($env{'form.cfirstname'}  ne $userenv{'firstname'}  ||
+            $env{'form.cmiddlename'} ne $userenv{'middlename'} ||
+            $env{'form.clastname'}   ne $userenv{'lastname'}   ||
+            $env{'form.cgeneration'} ne $userenv{'generation'} ||
+            $env{'form.cid'} ne $userenv{'id'}                 ||
+            $env{'form.cpermanentemail'} ne $userenv{'permanentemail'} ) {
             $namechanged = 1;
         }
         if ($namechanged || $quotachanged) {
@@ -1752,7 +1912,7 @@ END
     <td>$newportfolioquota Mb $newdefquotatext </td>
 END
                 $r->print(&Apache::loncommon::end_data_table_row().
-                          &Apache::loncommon::end_data_table());
+                          &Apache::loncommon::end_data_table().'<br />');
                 if ($env{'form.cid'} ne $userenv{'id'}) {
                     &Apache::lonnet::idput($env{'form.ccdomain'},
                          ($env{'form.ccuname'} => $env{'form.cid'}));
@@ -1783,7 +1943,7 @@ END
             } else { # error occurred
                 $r->print('<span class="LC_error">'.&mt('Unable to successfully change environment for').' '.
                       $env{'form.ccuname'}.' '.&mt('in domain').' '.
-                      $env{'form.ccdomain'}.'</span>');
+                      $env{'form.ccdomain'}.'</span><br />');
             }
         }  else { # End of if ($env ... ) logic
             # They did not want to change the users name or quota but we can
@@ -1803,6 +1963,34 @@ END
             $r->print('<br />['.$lt{'disk'}.': '.$oldportfolioquota.' Mb '. 
                  $olddefquotatext.']</h4>');
         }
+        if (@mod_disallowed) {
+            my ($rolestr,$contextname);
+            if (@longroles > 0) {
+                $rolestr = join(', ',@longroles);
+            } else {
+                $rolestr = &mt('No roles');
+            }
+            if ($context eq 'course') {
+                $contextname = &mt('course');
+            } elsif ($context eq 'author') {
+                $contextname = &mt('co-author');
+            }
+            $r->print(&mt('The following fields were not updated: ').'<ul>');
+            my %fieldtitles = &Apache::loncommon::personal_data_fieldtitles();
+            foreach my $field (@mod_disallowed) {
+                $r->print('<li>'.$fieldtitles{$field}.'</li>'."\n"); 
+            }
+            $r->print('</ul>');
+            if (@mod_disallowed == 1) {
+                $r->print(&mt("You do not have the authority to change this field given the user's current set of active/future [_1] roles:",$contextname));
+            } else {
+                $r->print(&mt("You do not have the authority to change these fields given the user's current set of active/future [_1] roles:",$contextname));
+            }
+            $r->print('<span class="LC_cusr_emph">'.$rolestr.'</span><br />'.
+                      &mt('Contact your <a href="[_1]">helpdesk</a> for more information.',"javascript:helpMenu('display')").'<br />');
+        }
+        $r->print($no_forceid_alert.
+                  &Apache::lonuserutils::print_namespacing_alerts($env{'form.ccdomain'},\%alerts, \%curr_rules));
     }
     ##
     my $now=time;
@@ -2054,6 +2242,9 @@ sub update_result_form {
     foreach my $item ('srchby','srchin','srchtype','srchterm','srchdomain','ccuname','ccdomain') {
         $outcome .= '<input type="hidden" name="'.$item.'" value="'.$env{'form.'.$item}.'" />'."\n";
     }
+    if ($env{'form.origname'} ne '') {
+        $outcome .= '<input type="hidden" name="origname" value="'.$env{'form.origname'}.'" />'."\n";
+    }
     foreach my $item ('sortby','seluname','seludom') {
         if (exists($env{'form.'.$item})) {
             $outcome .= '<input type="hidden" name="'.$item.'" value="'.$env{'form.'.$item}.'" />'."\n";
@@ -2412,7 +2603,7 @@ sub handler {
     if ($env{'request.course.id'}) {
         $context = 'course';
     } elsif ($env{'request.role'} =~ /^au\./) {
-        $context = 'construction_space';
+        $context = 'author';
     } else {
         $context = 'domain';
     }
@@ -2424,7 +2615,8 @@ sub handler {
             ({href=>"/adm/createuser",
               text=>"User Management"});
     }
-    my ($permission,$allowed) = &get_permission($context);
+    my ($permission,$allowed) = 
+        &Apache::lonuserutils::get_permission($context);
     if (!$allowed) {
         $env{'user.error.msg'}=
             "/adm/createuser:cst:0:0:Cannot create/modify user data ".
@@ -2439,7 +2631,7 @@ sub handler {
     if (! exists($env{'form.action'})) {
         $r->print(&header());
         $r->print(&Apache::lonhtmlcommon::breadcrumbs('User Management'));
-        $r->print(&print_main_menu($permission));
+        $r->print(&print_main_menu($permission,$context));
         $r->print(&Apache::loncommon::end_page());
     } elsif ($env{'form.action'} eq 'upload' && $permission->{'cusr'}) {
         $r->print(&header());
@@ -2487,8 +2679,20 @@ sub handler {
 	    $srch->{$item} = $env{'form.'.$item};
 	}
 
-        if (($phase eq 'get_user_info') || ($phase eq 'userpicked')) {
-            if ($env{'form.phase'} eq 'get_user_info') {
+        if (($phase eq 'get_user_info') || ($phase eq 'userpicked') ||
+            ($phase eq 'createnewuser')) {
+            if ($env{'form.phase'} eq 'createnewuser') {
+                my $response;
+                if ($env{'form.srchterm'} !~ /^$match_username$/) {
+                    my $response = &mt('You must specify a valid username. Only the following are allowed: letters numbers - . @');
+                    &print_username_entry_form($r,$context,$response,$srch);
+                } else {
+                    my $ccuname =&LONCAPA::clean_username($srch->{'srchterm'});
+                    my $ccdomain=&LONCAPA::clean_domain($srch->{'srchdomain'});
+                    &print_user_modification_page($r,$ccuname,$ccdomain,
+                                                  $srch,$response,$context);
+                }
+            } elsif ($env{'form.phase'} eq 'get_user_info') {
                 my ($currstate,$response,$forcenewuser,$results) = 
                     &user_search_result($srch);
                 if ($env{'form.currstate'} eq 'modify') {
@@ -2496,7 +2700,7 @@ sub handler {
                 }
                 if ($currstate eq 'select') {
                     &print_user_selection_page($r,$response,$srch,$results,
-                                               'createuser',\@search);
+                                               'createuser',\@search,$context);
                 } elsif ($currstate eq 'modify') {
                     my ($ccuname,$ccdomain);
                     if (($srch->{'srchby'} eq 'uname') && 
@@ -2517,7 +2721,7 @@ sub handler {
                 } elsif ($currstate eq 'query') {
                     &print_user_query_page($r,'createuser');
                 } else {
-                    &print_username_entry_form($r,$response,$srch,
+                    &print_username_entry_form($r,$context,$response,$srch,
                                                $forcenewuser);
                 }
             } elsif ($env{'form.phase'} eq 'userpicked') {
@@ -2527,9 +2731,9 @@ sub handler {
                                               $context);
             }
         } elsif ($env{'form.phase'} eq 'update_user_data') {
-            &update_user_data($r);
+            &update_user_data($r,$context);
         } else {
-            &print_username_entry_form($r,undef,$srch);
+            &print_username_entry_form($r,$context,undef,$srch);
         }
     } elsif ($env{'form.action'} eq 'custom' && $permission->{'custom'}) {
         if ($env{'form.phase'} eq 'set_custom_roles') {
@@ -2537,7 +2741,8 @@ sub handler {
         } else {
             &custom_role_editor($r);
         }
-    } elsif ($env{'form.action'} eq 'listusers' && $permission->{'view'}) {
+    } elsif (($env{'form.action'} eq 'listusers') && 
+             ($permission->{'view'} || $permission->{'cusr'})) {
         if ($env{'form.phase'} eq 'bulkchange') {
             &Apache::lonhtmlcommon::add_breadcrumb
                 ({href=>'backPage(document.studentform)',
@@ -2606,7 +2811,7 @@ sub handler {
     } else {
         $r->print(&header());
         $r->print(&Apache::lonhtmlcommon::breadcrumbs('User Management'));
-        $r->print(&print_main_menu($permission));
+        $r->print(&print_main_menu($permission,$context));
         $r->print(&Apache::loncommon::end_page());
     }
     return OK;
@@ -2646,35 +2851,68 @@ END
 ###############################################################
 #  Menu Phase One
 sub print_main_menu {
-    my ($permission) = @_;
+    my ($permission,$context) = @_;
+    my %links = (
+                       domain => {
+                                   upload => 'Upload a File of Users',
+                                   singleuser => 'Add/Manage a Single User',
+                                   listusers => 'Manage Multiple Users',
+                                 },
+                       author => {
+                                   upload => 'Upload a File of Co-authors',
+                                   singleuser => 'Add/Manage a Single Co-author',
+                                   listusers => 'Display Co-authors and Manage Multiple Users',
+                                 },
+                       course => {
+                                   upload => 'Upload a File of Course Users',
+                                   singleuser => 'Add/Manage a Single Course User',
+                                   listusers => 'Display Class Lists and Manage Multiple Users',
+                                 },
+                     );
     my @menu =
         (
-          { text => 'Upload a File of Users to Modify/Create Users and/or Add roles',
+          { text => $links{$context}{'upload'},
             help => 'User_Management_Upload',
             action => 'upload',
             permission => $permission->{'cusr'},
             },
-          { text => 'Create User/Set User Roles for a single user',
+          { text => $links{$context}{'singleuser'}, 
             help => 'User_Management_Single_User',
             action => 'singleuser',
             permission => $permission->{'cusr'},
             },
-          { text => 'Display Lists of Users',
+          { text => $links{$context}{'listusers'},
             help => 'User_Management_List',
             action => 'listusers',
-            permission => $permission->{'view'},
-            },
-#          { text => 'Expire User Roles',
-#            help => 'User_Management_Drops',
-#            action => 'expire',
-#            permission => $permission->{'cusr'},
-#            },
-          { text => 'Edit Custom Roles',
-            help => 'Custom_Role_Edit',
-            action => 'custom',
-            permission => $permission->{'custom'},
+            permission => ($permission->{'view'} || $permission->{'cusr'}),
           },
         );
+    if ($context eq 'domain' || $context eq 'course') {
+        my $customlink =  { text => 'Edit Custom Roles',
+                            help => 'Custom_Role_Edit',
+                            action => 'custom',
+                            permission => $permission->{'custom'},
+                          };
+        push(@menu,$customlink);
+    }
+    if ($context eq 'course') {
+        my $cnum = $env{'course.'.$env{'request.course.id'}.'.num'};
+        my $cdom = $env{'course.'.$env{'request.course.id'}.'.domain'}; 
+        my @courselinks = 
+            (
+               { text => 'Automated Enrollment Manager',
+                 permission => (&Apache::lonnet::auto_run($cnum,$cdom)
+                                && $permission->{'cusr'}),
+                 url  => '/adm/populate',
+                 },
+               { text => 'Manage Course Groups',
+                 help => 'Course_Manage_Group',
+                 permission => $permission->{'grp_manage'},
+                 url => '/adm/coursegroups?refpage=cusr',
+               },
+            );
+        push(@menu,@courselinks);
+    }
     my $menu_html = '';
     foreach my $menu_item (@menu) {
         next if (! $menu_item->{'permission'});
@@ -2696,57 +2934,6 @@ sub print_main_menu {
     return $menu_html;
 }
 
-sub get_permission {
-    my ($context) = @_;
-    my %permission;
-    if ($context eq 'course') {
-        if ((&Apache::lonnet::allowed('cta',$env{'request.course.id'})) ||
-            (&Apache::lonnet::allowed('cin',$env{'request.course.id'})) ||
-            (&Apache::lonnet::allowed('ccr',$env{'request.course.id'})) ||
-            (&Apache::lonnet::allowed('cep',$env{'request.course.id'})) ||
-            (&Apache::lonnet::allowed('cst',$env{'request.course.id'}))) {
-            $permission{'cusr'} = 1;
-            $permission{'view'} =
-                 &Apache::lonnet::allowed('vcl',$env{'request.course.id'});
-
-        }
-        if (&Apache::lonnet::allowed('ccr',$env{'request.course.id'})) {
-            $permission{'custom'} = 1;
-        }
-        if (&Apache::lonnet::allowed('vcl',$env{'request.course.id'})) {
-            $permission{'view'} = 1;
-            if (!$permission{'view'}) {
-                my $scope = $env{'request.course.id'}.'/'.$env{'request.course.sec'};
-                $permission{'view'} =  &Apache::lonnet::allowed('vcl',$scope);
-                if ($permission{'view'}) {
-                    $permission{'view_section'} = $env{'request.course.sec'};
-                }
-            }
-        }
-    } elsif ($context eq 'construction_space') {
-        $permission{'cusr'} = &authorpriv($env{'user.name'},$env{'request.role.domain'});
-        $permission{'view'} = $permission{'cusr'};
-    } else {
-        if ((&Apache::lonnet::allowed('cad',$env{'request.role.domain'})) ||
-            (&Apache::lonnet::allowed('cli',$env{'request.role.domain'})) ||
-            (&Apache::lonnet::allowed('cau',$env{'request.role.domain'})) ||
-            (&Apache::lonnet::allowed('csc',$env{'request.role.domain'})) ||
-            (&Apache::lonnet::allowed('cdg',$env{'request.role.domain'})) || 
-            (&Apache::lonnet::allowed('mau',$env{'request.role.domain'}))) {
-            $permission{'cusr'} = 1;
-        }
-        if (&Apache::lonnet::allowed('ccr',$env{'request.role.domain'})) {
-            $permission{'custom'} = 1;
-        }
-        $permission{'view'} = $permission{'cusr'};
-    }
-    my $allowed = 0;
-    foreach my $perm (values(%permission)) {
-        if ($perm) { $allowed=1; last; }
-    }
-    return (\%permission,$allowed);
-}
-
 sub restore_prev_selections {
     my %saveable_parameters = ('srchby'   => 'scalar',
 			       'srchin'   => 'scalar',
@@ -3149,6 +3336,10 @@ sub crumb_utilities {
            srchtype => 'selectbox',
            srchdomain => 'selectbox',
        },
+       crtusername => {
+           srchterm => 'text',
+           srchdomain => 'selectbox',
+       },
        docustom => {
            rolename => 'selectbox',
            newrolename => 'textbox',

'.$authformcurrent. + '
	'.&mt('Currently in use').'	'. &mt('will override current values'). - ' '; + '