--- loncom/interface/loncreateuser.pm	2016/10/22 17:56:12	1.417
+++ loncom/interface/loncreateuser.pm	2016/11/09 16:35:46	1.418
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Create a user
 #
-# $Id: loncreateuser.pm,v 1.417 2016/10/22 17:56:12 raeburn Exp $
+# $Id: loncreateuser.pm,v 1.418 2016/11/09 16:35:46 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -160,7 +160,8 @@ END_SCRIPT
                  '<h3>'.$lt{'usrt'}.'</h3>'."\n".
                  &Apache::loncommon::start_data_table();
 
-    if (&Apache::lonnet::allowed('mut',$ccdomain)) {
+    if ((&Apache::lonnet::allowed('mut',$ccdomain)) ||
+        (&Apache::lonnet::allowed('udp',$ccdomain))) {
         $output .= &build_tools_display($ccuname,$ccdomain,'tools');
     }
 
@@ -267,7 +268,7 @@ sub build_tools_display {
         $colspan = ' colspan="2"';
         %domconfig =
             &Apache::lonnet::get_dom('configuration',['requestcourses'],$ccdomain);
-        $isadv = &Apache::lonnet::is_advanced_user($ccuname,$ccdomain);
+        $isadv = &Apache::lonnet::is_advanced_user($ccdomain,$ccuname);
     } elsif ($context eq 'requestauthor') {
         %userenv = &Apache::lonnet::userenvironment($ccdomain,$ccuname,
                                                     'requestauthor');
@@ -334,6 +335,7 @@ sub build_tools_display {
                    '   <td'.$colspan.'>'.$lt{$item}.'</td>'."\n".
                    '  </tr>'."\n".
                    &Apache::loncommon::start_data_table_row()."\n";
+  
         if (($context eq 'requestcourses') || ($context eq 'requestauthor')) {
             my ($curroption,$currlimit);
             my $envkey = $context.'.'.$item;
@@ -427,8 +429,10 @@ sub build_tools_display {
                           '</span>';
         }
         $output .= '  <td'.$colspan.'>'.$custom_access.('&nbsp;'x4).
-                   $lt{'avai'}.': '.$currdisp.'</td>'."\n".
-                   &Apache::loncommon::end_data_table_row()."\n".
+                   $lt{'avai'}.': '.$currdisp.'</td>'."\n";
+                   &Apache::loncommon::end_data_table_row()."\n";
+        unless (&Apache::lonnet::allowed('udp',$ccdomain)) {
+            $output .=
                    &Apache::loncommon::start_data_table_row()."\n".
                    '  <td style="vertical-align:top;"><span class="LC_nobreak">'.
                    $lt{'chse'}.': <label>'.
@@ -437,6 +441,7 @@ sub build_tools_display {
                    '<label><input type="radio" name="custom'.$item.'" value="1" '.
                    $cust_on.'/>'.$lt{'uscu'}.'</label>'.$custradio.'</td>'.
                    &Apache::loncommon::end_data_table_row()."\n";
+        }
     }
     return $output;
 }
@@ -536,7 +541,10 @@ sub domadhocroles {
     my $confname = &Apache::lonnet::get_domainconfiguser($env{'request.role.domain'});
     my %existing=&Apache::lonnet::dump('roles',$env{'request.role.domain'},
                                        $confname,'rolesdef_');
-    my $output;
+    my ($output,$canmodify);
+    if (&Apache::lonnet::allowed('cdh',$env{'request.role.domain'})) {
+        $canmodify = 1;
+    }
     if (keys(%existing) > 0) {
         my @current;
         my $curradhoc = 'adhocroles.'.$env{'request.role.domain'};
@@ -544,6 +552,9 @@ sub domadhocroles {
         if ($userenv{$curradhoc}) {
             @current = split(/,/,$userenv{$curradhoc});
         }
+        if (!$canmodify && !@current) {
+            return;
+        }
         my %customroles;
         foreach my $key (keys(%existing)) {
             if ($key=~/^rolesdef\_(\w+)$/) {
@@ -557,22 +568,28 @@ sub domadhocroles {
                   &mt('Ad Hoc Course Roles Selectable via Helpdesk Role').
                   '</h3>'."\n".
                   &Apache::loncommon::start_data_table().
-                  &Apache::loncommon::start_data_table_header_row().
-                  '<th>'.&mt('Action').'</th><th>'.&mt('Role').'</th>'.
-                  '<th>'.&mt('Privileges in Course').'<th>'.
-                  &Apache::loncommon::end_data_table_header_row();
+                  &Apache::loncommon::start_data_table_header_row();
+        if ($canmodify) {
+            $output .= '<th>'.&mt('Action').'</th>';
+        }
+        $output .= '<th>'.&mt('Role').'</th>'.
+                   '<th>'.&mt('Privileges in Course').'<th>'.
+                   &Apache::loncommon::end_data_table_header_row();
         foreach my $key (sort(keys(%customroles))) {
+            next if ((!$canmodify) && (!grep(/^\Q$key\E$/,@current)));
             $output .= &Apache::loncommon::start_data_table_row();
-            if (grep(/^\Q$key\E$/,@current)) {
-                $output .= '<td><label>'.
-                           '<input type="checkbox" name="adhocroledel" value="'.$key.'" />'.
-                           &mt('Delete').'</label>'.
-                           '</td>';
-            } else {
-                $output .= '<td><label>'.
-                           '<input type="checkbox" name="adhocroleadd" value="'.$key.'" />'.
-                           &mt('Add').'</label>'.
-                           '</td>';
+            if ($canmodify) {
+                if (grep(/^\Q$key\E$/,@current)) {
+                    $output .= '<td><label>'.
+                               '<input type="checkbox" name="adhocroledel" value="'.$key.'" />'.
+                               &mt('Delete').'</label>'.
+                               '</td>';
+                } else {
+                    $output .= '<td><label>'.
+                               '<input type="checkbox" name="adhocroleadd" value="'.$key.'" />'.
+                               &mt('Add').'</label>'.
+                               '</td>';
+                }
             }
             $output .= '<td>'.$key.'</td><td>';
             foreach my $level ('course','domain','system') {
@@ -1207,10 +1224,15 @@ sub print_user_modification_page {
             }
             $response .= '<p class="LC_warning">'
                         .&mt("You are not authorized to create new $usertypetext{$usertype} users in this domain.")
-                        .' '
-                        .&mt('Please contact the [_1]helpdesk[_2] for assistance.'
-                            ,'<a href="'.$helplink.'">','</a>')
-                        .'</p><br />';
+                        .' ';
+            if ($context eq 'domain') {
+                $response .= &mt('Please contact a [_1] for assistance.',
+                                 &Apache::lonnet::plaintext('dc'));
+            } else {
+                $response .= &mt('Please contact the [_1]helpdesk[_2] for assistance.'
+                                ,'<a href="'.$helplink.'">','</a>');
+            }
+            $response .= '</p><br />';
             $env{'form.phase'} = '';
             &print_username_entry_form($r,$context,$response,undef,undef,$crstype,$brcrum);
             return;
@@ -1467,14 +1489,20 @@ ENDAUTH
                                  '"'.$ccuname.'"','"'.$ccdomain.'"');
             }
         } else {
-            $title = &mt('Modify existing user: [_1] in domain [_2]',
+            if ($permission->{'cusr'}) {
+                $title = &mt('Modify existing user: [_1] in domain [_2]',
                              '"'.$ccuname.'"','"'.$ccdomain.'"');
+            } else {
+                $title = &mt('Existing user: [_1] in domain [_2]',
+                             '"'.$ccuname.'"','"'.$ccdomain.'"');
+            }
         }
         $r->print('<h2>'.$title.'</h2>'."\n");
         $r->print('<div class="LC_left_float">');
         $r->print(&personal_data_display($ccuname,$ccdomain,$newuser,$context,
                                          $inst_results{$ccuname.':'.$ccdomain}));
-        if (&Apache::lonnet::allowed('ccc',$env{'request.role.domain'})) {
+        if ((&Apache::lonnet::allowed('ccc',$env{'request.role.domain'})) || 
+            (&Apache::lonnet::allowed('udp',$env{'request.role.domain'}))) {
             $r->print('<br /><h3>'.&mt('User Can Request Creation of Courses/Communities in this Domain?').'</h3>'.
                       &Apache::loncommon::start_data_table());
             if ($env{'request.role.domain'} eq $ccdomain) {
@@ -1489,18 +1517,21 @@ ENDAUTH
         my @order = ('auth','quota','tools','requestauthor','adhocroles');
         my %user_text;
         my ($isadv,$isauthor) = 
-            &Apache::lonnet::is_advanced_user($ccuname,$ccdomain);
+            &Apache::lonnet::is_advanced_user($ccdomain,$ccuname);
         if ((!$isauthor) && 
-            (&Apache::lonnet::allowed('cau',$env{'request.role.domain'}))
-            && ($env{'request.role.domain'} eq $ccdomain)) {
+            ((&Apache::lonnet::allowed('cau',$env{'request.role.domain'})) ||
+             (&Apache::lonnet::allowed('udp',$env{'request.role.domain'}))) &&
+            ($env{'request.role.domain'} eq $ccdomain)) {
             $user_text{'requestauthor'} = &domainrole_req($ccuname,$ccdomain);
         }
-        if (&Apache::lonnet::allowed('cdh',$env{'request.role.domain'})) {
+        if ((&Apache::lonnet::allowed('cdh',$env{'request.role.domain'})) || 
+            (&Apache::lonnet::allowed('udp',$env{'request.role.domain'}))) {
             $user_text{'adhocroles'} = &domadhocroles($ccuname,$ccdomain);
         }
         $user_text{'auth'} =  &user_authentication($ccuname,$ccdomain,$formname);
         if ((&Apache::lonnet::allowed('mpq',$ccdomain)) ||
-            (&Apache::lonnet::allowed('mut',$ccdomain))) {
+            (&Apache::lonnet::allowed('mut',$ccdomain)) ||
+            (&Apache::lonnet::allowed('udp',$ccdomain))) {
             # Current user has quota modification privileges
             $user_text{'quota'} = &user_quotas($ccuname,$ccdomain);
         }
@@ -1558,9 +1589,18 @@ ENDNOTOOLSPRIV
         if ($gotdiv) {
             $r->print('</div><div class="LC_clear_float_footer"></div>');
         }
+        my $statuses;
+        if (($context eq 'domain') && (&Apache::lonnet::allowed('udp',$ccdomain)) &&
+            (!&Apache::lonnet::allowed('mau',$ccdomain))) {
+            $statuses = ['active'];
+        } elsif (($context eq 'course') && ((&Apache::lonnet::allowed('vcl',$env{'request.course.id'})) ||
+                 ($env{'request.course.sec'} &&
+                  &Apache::lonnet::allowed('vcl',$env{'request.course.id'}.'/'.$env{'request.course.sec'})))) {
+            $statuses = ['active'];   
+        }
         if ($env{'form.action'} ne 'singlestudent') {
             &display_existing_roles($r,$ccuname,$ccdomain,\%inccourses,$context,
-                                    $roledom,$crstype);
+                                    $roledom,$crstype,$showcredits,$statuses);
         }
     } ## End of new user/old user logic
     if ($env{'form.action'} eq 'singlestudent') {
@@ -1571,7 +1611,7 @@ ENDNOTOOLSPRIV
             $btntxt = &mt('Enroll Student');
         }
         $r->print('<br /><input type="button" value="'.$btntxt.'" onclick="setSections(this.form)" />'."\n");
-    } else {
+    } elsif ($permission->{'cusr'}) {
         $r->print('<div class="LC_left_float">'.
                   '<fieldset><legend>'.&mt('Add Roles').'</legend>');
         my $addrolesdisplay = 0;
@@ -1701,8 +1741,22 @@ sub validation_javascript {
 
 sub display_existing_roles {
     my ($r,$ccuname,$ccdomain,$inccourses,$context,$roledom,$crstype,
-        $showcredits) = @_;
+        $showcredits,$statuses) = @_;
     my $now=time;
+    my $showall = 1;
+    my ($showexpired,$showactive);
+    if ((ref($statuses) eq 'ARRAY') && (@{$statuses} > 0)) {
+        $showall = 0;
+        if (grep(/^expired$/,@{$statuses})) {
+            $showexpired = 1;
+        }
+        if (grep(/^active$/,@{$statuses})) {
+            $showactive = 1;
+        }
+        if ($showexpired && $showactive) {
+            $showall = 1;
+        }
+    }
     my %lt=&Apache::lonlocal::texthash(
                     'rer'  => "Existing Roles",
                     'rev'  => "Revoke",
@@ -1766,6 +1820,13 @@ sub display_existing_roles {
         $area =~ s/\_\w\w$//;
         my ($role_code,$role_end_time,$role_start_time) =
             split(/_/,$role);
+        my $active=1;
+        $active=0 if (($role_end_time) && ($now>$role_end_time));
+        if ($active) {
+            next unless($showall || $showactive);
+        } else {
+            next unless($showall || $showexpired); 
+        }
 # Is this a custom role? Get role owner and title.
         my ($croleudom,$croleuname,$croletitle)=
             ($role_code=~m{^cr/($match_domain)/($match_username)/(\w+)$});
@@ -1774,6 +1835,7 @@ sub display_existing_roles {
         my $sortkey=$role_code;
         my $class='Unknown';
         my $credits='';
+        my $csec;
         if ($area =~ m{^/($match_domain)/($match_courseid)} ) {
             $class='Course';
             my ($coursedom,$coursedir) = ($1,$2);
@@ -1836,12 +1898,14 @@ sub display_existing_roles {
                     $thisrole.='.'.$role_code;
                 }
             }
-            if ($area=~m{^/($match_domain)/($match_courseid)/(\w+)}) {
-                $carea.='<br />'.&mt('Section: [_1]',$3);
-                $sortkey.="\0$3";
+            if ($area=~m{^/($match_domain/$match_courseid/(\w+))}) {
+                
+                $csec = $2;
+                $carea.='<br />'.&mt('Section: [_1]',$csec);
+                $sortkey.="\0$csec";
                 if (!$allowed) {
-                    if ($env{'request.course.sec'} eq $3) {
-                        if (&Apache::lonnet::allowed('c'.$role_code,$1.'/'.$2.'/'.$3)) {
+                    if ($env{'request.course.sec'} eq $csec) {
+                        if (&Apache::lonnet::allowed('c'.$role_code,$1)) {
                             $allowed = 1;
                         }
                     }
@@ -1883,29 +1947,30 @@ sub display_existing_roles {
             }
         }
         my $row = '';
-        $row.= '<td>';
-        my $active=1;
-        $active=0 if (($role_end_time) && ($now>$role_end_time));
-        if (($active) && ($allowed)) {
-            $row.= '<input type="checkbox" name="rev:'.$thisrole.'" />';
-        } else {
-            if ($active) {
-               $row.='&nbsp;';
+        if ($showall) {
+            $row.= '<td>';
+            if (($active) && ($allowed)) {
+                $row.= '<input type="checkbox" name="rev:'.$thisrole.'" />';
             } else {
-               $row.=&mt('expired or revoked');
+                if ($active) {
+                    $row.='&nbsp;';
+                } else {
+                    $row.=&mt('expired or revoked');
+                }
             }
-        }
-        $row.='</td><td>';
-        if ($allowed && !$active) {
-            $row.= '<input type="checkbox" name="ren:'.$thisrole.'" />';
-        } else {
-            $row.='&nbsp;';
-        }
-        $row.='</td><td>';
-        if ($delallowed) {
-            $row.= '<input type="checkbox" name="del:'.$thisrole.'" />';
-        } else {
-            $row.='&nbsp;';
+            $row.='</td><td>';
+            if ($allowed && !$active) {
+                $row.= '<input type="checkbox" name="ren:'.$thisrole.'" />';
+            } else {
+                $row.='&nbsp;';
+            }
+            $row.='</td><td>';
+            if ($delallowed) {
+                $row.= '<input type="checkbox" name="del:'.$thisrole.'" />';
+            } else {
+                $row.='&nbsp;';
+            }
+            $row.= '</td>'; 
         }
         my $plaintext='';
         if (!$croletitle) {
@@ -1923,17 +1988,30 @@ sub display_existing_roles {
                         '<br />',
                         $croleuname.':'.$croleudom);
         }
-        $row.= '</td><td>'.$plaintext.
-               '</td><td>'.$area.
-               '</td><td>'.($role_start_time?&Apache::lonlocal::locallocaltime($role_start_time)
-                                            : '&nbsp;' ).
-               '</td><td>'.($role_end_time  ?&Apache::lonlocal::locallocaltime($role_end_time)
-                                            : '&nbsp;' )
-               ."</td>";
+        $row.= '<td>'.$plaintext.'</td>'.
+               '<td>'.$area.'</td>'.
+               '<td>'.($role_start_time?&Apache::lonlocal::locallocaltime($role_start_time)
+                                            : '&nbsp;' ).'</td>'.
+               '<td>'.($role_end_time  ?&Apache::lonlocal::locallocaltime($role_end_time)
+                                            : '&nbsp;' ).'</td>';
         $sortrole{$sortkey}=$envkey;
         $roletext{$envkey}=$row;
         $roleclass{$envkey}=$class;
-        $rolepriv{$envkey}=$allowed;
+        if ($allowed) {
+            $rolepriv{$envkey}='edit';
+        } else {
+            if ($context eq 'domain') {
+                if (&Apache::lonnet::allowed('vur',$ccdomain)) {
+                    $rolepriv{$envkey}='view';
+                }
+            } elsif ($context eq 'course') {
+                if ((&Apache::lonnet::allowed('vcl',$env{'request.course.id'})) ||
+                    ($env{'request.course.sec'} && ($env{'request.course.sec'} eq $csec) &&
+                     &Apache::lonnet::allowed('vcl',$env{'request.course.id'}.'/'.$env{'request.course.sec'}))) {
+                    $rolepriv{$envkey}='view';
+                }
+            }
+        }
     } # end of foreach        (table building loop)
 
     my $rolesdisplay = 0;
@@ -1966,13 +2044,26 @@ sub display_existing_roles {
         } elsif ($env{'request.role'} =~ /^au\./) {
             $contextrole = &mt('Existing Co-Author Roles in your Authoring Space');
         } else {
-            $contextrole = &mt('Existing Roles in this Domain');
+            if ($showall) {
+                $contextrole = &mt('Existing Roles in this Domain');
+            } elsif ($showactive) {
+                $contextrole = &mt('Unexpired Roles in this Domain');
+            } elsif ($showexpired) {
+                $contextrole = &mt('Expired or Revoked Roles in this Domain');
+            }
         }
         $r->print('<div class="LC_left_float">'.
 '<fieldset><legend>'.$contextrole.'</legend>'.
 &Apache::loncommon::start_data_table("LC_createuser").
-&Apache::loncommon::start_data_table_header_row().
-'<th>'.$lt{'rev'}.'</th><th>'.$lt{'ren'}.'</th><th>'.$lt{'del'}.
+&Apache::loncommon::start_data_table_header_row());
+        if ($showall) {
+            $r->print(
+'<th>'.$lt{'rev'}.'</th><th>'.$lt{'ren'}.'</th><th>'.$lt{'del'}
+            );
+        } elsif ($showexpired) {
+            $r->print('<th>'.$lt{'rev'}.'</th>');
+        }
+        $r->print(
 '</th><th>'.$lt{'rol'}.'</th><th>'.$lt{'ext'}.
 '</th><th>'.$lt{'sta'}.'</th><th>'.$lt{'end'}.'</th>'.
 &Apache::loncommon::end_data_table_header_row());
@@ -2112,16 +2203,16 @@ sub user_authentication {
     my ($ccuname,$ccdomain,$formname) = @_;
     my $currentauth=&Apache::lonnet::queryauthenticate($ccuname,$ccdomain);
     my $outcome;
+    my %lt=&Apache::lonlocal::texthash(
+                   'err'   => "ERROR",
+                   'uuas'  => "This user has an unrecognized authentication scheme",
+                   'adcs'  => "Please alert a domain coordinator of this situation",
+                   'sldb'  => "Please specify login data below",
+                   'ld'    => "Login Data"
+    );
     # Check for a bad authentication type
     if ($currentauth !~ /^(krb4|krb5|unix|internal|localauth):/) {
         # bad authentication scheme
-        my %lt=&Apache::lonlocal::texthash(
-                       'err'   => "ERROR",
-                       'uuas'  => "This user has an unrecognized authentication scheme",
-                       'adcs'  => "Please alert a domain coordinator of this situation",
-                       'sldb'  => "Please specify login data below",
-                       'ld'    => "Login Data"
-        );
         if (&Apache::lonnet::allowed('mau',$ccdomain)) {
             &initialize_authen_forms($ccdomain,$formname);
 
@@ -2147,16 +2238,12 @@ $lt{'uuas'} ($currentauth). $lt{'adcs'}.
 ENDBADAUTH
         }
     } else { # Authentication type is valid
+        
         &initialize_authen_forms($ccdomain,$formname,$currentauth,'modifyuser');
         my ($authformcurrent,$can_modify,@authform_others) =
             &modify_login_block($ccdomain,$currentauth);
         if (&Apache::lonnet::allowed('mau',$ccdomain)) {
             # Current user has login modification privileges
-            my %lt=&Apache::lonlocal::texthash (
-                           'ld'    => "Login Data",
-                           'ccld'  => "Change Current Login Data",
-                           'enld'  => "Enter New Login Data"
-                                               );
             $outcome =
                        '<script type="text/javascript" language="Javascript">'."\n".
                        '// <![CDATA['."\n".
@@ -2167,7 +2254,7 @@ ENDBADAUTH
                        &Apache::loncommon::start_data_table().
                        &Apache::loncommon::start_data_table_row().
                        '<td>'.$authformnop;
-            if ($can_modify) {
+            if (($can_modify) && (&Apache::lonnet::allowed('mau',$ccdomain))) {
                 $outcome .= '</td>'."\n".
                             &Apache::loncommon::end_data_table_row().
                             &Apache::loncommon::start_data_table_row().
@@ -2177,14 +2264,40 @@ ENDBADAUTH
                 $outcome .= '&nbsp;('.$authformcurrent.')</td>'.
                             &Apache::loncommon::end_data_table_row()."\n";
             }
-            foreach my $item (@authform_others) { 
-                $outcome .= &Apache::loncommon::start_data_table_row().
-                            '<td>'.$item.'</td>'.
-                            &Apache::loncommon::end_data_table_row()."\n";
+            if (&Apache::lonnet::allowed('mau',$ccdomain)) {
+                foreach my $item (@authform_others) { 
+                    $outcome .= &Apache::loncommon::start_data_table_row().
+                                '<td>'.$item.'</td>'.
+                                &Apache::loncommon::end_data_table_row()."\n";
+                }
             }
             $outcome .= &Apache::loncommon::end_data_table();
         } else {
-            if (&Apache::lonnet::allowed('mau',$env{'request.role.domain'})) {
+            if (&Apache::lonnet::allowed('udp',$ccdomain)) {
+                # Current user has rights to view domain preferences for user's domain
+                my $result;
+                if ($currentauth =~ /^krb(4|5):([^:]*)$/) {
+                    my ($krbver,$krbrealm) = ($1,$2);
+                    if ($krbrealm eq '') {
+                        $result = &mt('Currently Kerberos authenticated, Version [_1].',$krbver);
+                    } else {
+                        $result = &mt('Currently Kerberos authenticated with domain [_1] Version [_2].',
+                                      $krbver,$krbrealm);
+                    }
+                } elsif ($currentauth =~ /^internal:/) {
+                    $result = &mt('Currently internally authenticated.');
+                } elsif ($currentauth =~ /^localauth:/) {
+                    $result = &mt('Currently using local (institutional) authentication.');
+                } elsif ($currentauth =~ /^unix:/) {
+                    $result = &mt('Currently Filesystem Authenticated.');
+                }
+                $outcome = '<h3>'.$lt{'ld'}.'</h3>'.
+                           &Apache::loncommon::start_data_table().
+                           &Apache::loncommon::start_data_table_row().
+                           '<td>'.$result.'</td>'.
+                           &Apache::loncommon::end_data_table_row()."\n".
+                           &Apache::loncommon::end_data_table();
+            } elsif (&Apache::lonnet::allowed('mau',$env{'request.role.domain'})) {
                 my %lt=&Apache::lonlocal::texthash(
                            'ccld'  => "Change Current Login Data",
                            'yodo'  => "You do not have privileges to modify the authentication configuration for this user.",
@@ -4628,6 +4741,7 @@ sub handler {
         }
     } elsif (((($env{'form.action'} eq 'singleuser') || ($env{'form.action'}
               eq 'singlestudent')) && ($permission->{'cusr'})) ||
+             (($env{'form.action'} eq 'singleuser') && ($permission->{'view'})) ||
              (($env{'form.action'} eq 'accesslogs') && ($permission->{'activity'}))) {
         my $phase = $env{'form.phase'};
         my @search = ('srchterm','srchby','srchin','srchtype','srchdomain');
@@ -5035,36 +5149,46 @@ sub handler {
                      '<span class="LC_error">'.&mt('You do not have permission to configure self-enrollment').'</span>');
         }
     } elsif ($env{'form.action'} eq 'selfenrollqueue') {
-        push(@{$brcrum},
-                 {href => '/adm/createuser?action=selfenrollqueue',
-                  text => 'Enrollment requests',
-                  help => 'Course_Self_Enrollment'});
-        $bread_crumbs_component = 'Enrollment requests';
-        if ($env{'form.state'} eq 'done') {
+        if ($permission->{selfenrolladmin}) {
             push(@{$brcrum},
                      {href => '/adm/createuser?action=selfenrollqueue',
-                      text => 'Result',
+                      text => 'Enrollment requests',
                       help => 'Course_Self_Enrollment'});
-            $bread_crumbs_component = 'Enrollment result';
-        }
-        $args = { bread_crumbs           => $brcrum,
-                  bread_crumbs_component => $bread_crumbs_component};
-        $r->print(&header(undef,$args));
-        my $cid = $env{'request.course.id'};
-        my $cdom = $env{'course.'.$cid.'.domain'};
-        my $cnum = $env{'course.'.$cid.'.num'};
-        my $coursedesc = $env{'course.'.$cid.'.description'};
-        if (!exists($env{'form.state'})) {
-            $r->print('<h3>'.&mt('Pending enrollment requests').'</h3>'."\n");
-            $r->print(&Apache::loncoursequeueadmin::display_queued_requests($context,
-                                                                       $cdom,$cnum));
-        } elsif ($env{'form.state'} eq 'done') {
-            $r->print('<h3>'.&mt('Enrollment request processing').'</h3>'."\n");
-            $r->print(&Apache::loncoursequeueadmin::update_request_queue($context,
-                          $cdom,$cnum,$coursedesc));
+            $bread_crumbs_component = 'Enrollment requests';
+            if ($env{'form.state'} eq 'done') {
+                push(@{$brcrum},
+                         {href => '/adm/createuser?action=selfenrollqueue',
+                          text => 'Result',
+                          help => 'Course_Self_Enrollment'});
+                $bread_crumbs_component = 'Enrollment result';
+            }
+            $args = { bread_crumbs           => $brcrum,
+                      bread_crumbs_component => $bread_crumbs_component};
+            $r->print(&header(undef,$args));
+            my $cid = $env{'request.course.id'};
+            my $cdom = $env{'course.'.$cid.'.domain'};
+            my $cnum = $env{'course.'.$cid.'.num'};
+            my $coursedesc = $env{'course.'.$cid.'.description'};
+            if (!exists($env{'form.state'})) {
+                $r->print('<h3>'.&mt('Pending enrollment requests').'</h3>'."\n");
+                $r->print(&Apache::loncoursequeueadmin::display_queued_requests($context,
+                                                                                $cdom,$cnum));
+            } elsif ($env{'form.state'} eq 'done') {
+                $r->print('<h3>'.&mt('Enrollment request processing').'</h3>'."\n");
+                $r->print(&Apache::loncoursequeueadmin::update_request_queue($context,
+                               $cdom,$cnum,$coursedesc));
+            }
+        } else {
+            $r->print(&header(undef,{'no_nav_bar' => 1}).
+                     '<span class="LC_error">'.&mt('You do not have permission to manage self-enrollment').'</span>');
         }
     } elsif ($env{'form.action'} eq 'changelogs') {
-        &print_userchangelogs_display($r,$context,$permission,$brcrum);
+        if ($permission->{cusr} || $permission->{view}) {
+            &print_userchangelogs_display($r,$context,$permission,$brcrum);
+        } else {
+            $r->print(&header(undef,{'no_nav_bar' => 1}).
+                     '<span class="LC_error">'.&mt('You do not have permission to view change logs').'</span>');
+        }
     } else {
         $bread_crumbs_component = 'User Management';
         $args = { bread_crumbs           => $brcrum,
@@ -5316,6 +5440,27 @@ sub print_main_menu {
                             listusers  => 'Show and manage users in this community.',
                            },
                 );
+  if ($linkcontext eq 'domain') {
+      unless ($permission->{'cusr'}) {
+          $links{'domain'}{'singleuser'} = 'View a User'; 
+          $linktitles{'domain'}{'singleuser'} = 'View information about a user in the domain';
+          
+      }
+  } elsif ($linkcontext eq 'course') {
+      unless ($permission->{'cusr'}) {
+          $links{'course'}{'singleuser'} = 'View a Course User';
+          $linktitles{'course'}{'singleuser'} = 'View information about a user in this course';
+          $links{'course'}{'listusers'} = 'List Course Users';
+          $linktitles{'course'}{'listusers'} = 'Show information about users in this course';
+      }
+  } elsif ($linkcontext eq 'community') {
+      unless ($permission->{'cusr'}) {
+          $links{'community'}{'singleuser'} = 'View a Community User';
+          $linktitles{'community'}{'singleuser'} = 'View information about a user in this community';
+          $links{'community'}{'listusers'} = 'List Community Users';
+          $linktitles{'community'}{'listusers'} = 'Show information about users in this community';
+      }
+  }
   my @menu = ( {categorytitle => 'Single Users', 
          items =>
          [
@@ -5324,7 +5469,7 @@ sub print_main_menu {
              icon => 'edit-redo.png',
              #help => 'Course_Change_Privileges',
              url => '/adm/createuser?action=singleuser',
-             permission => $permission->{'cusr'},
+             permission => ($permission->{'view'} || $permission->{'cusr'}),
              linktitle => $linktitles{$linkcontext}{'singleuser'},
             },
          ]},
@@ -5397,7 +5542,7 @@ sub print_main_menu {
              icon => 'document-properties.png',
              #help => 'Course_User_Logs',
              url => '/adm/createuser?action=changelogs',
-             permission => $permission->{'cusr'},
+             permission => ($permission->{'cusr'} || $permission->{'view'}),
              linktitle => 'View change log.',
             },
         );
@@ -5477,7 +5622,7 @@ sub print_main_menu {
              icon => 'document-properties.png',
              #help => 'Course_User_Logs',
              url => '/adm/createuser?action=changelogs',
-             permission => $permission->{'cusr'},
+             permission => ($permission->{'view'} || $permission->{'cusr'}),
              linktitle => 'View change log.',
             },
         );
@@ -5502,7 +5647,8 @@ sub print_main_menu {
                      icon => 'roles.png',
                      #help => 'Course_Automated_Enrollment',
                      permission => (&Apache::lonnet::auto_run($cnum,$cdom)
-                                         && $permission->{'cusr'}),
+                                         && (($permission->{'cusr'}) ||
+                                             ($permission->{'view'}))),
                      url  => '/adm/populate',
                      linktitle => 'Automated enrollment manager.',
                     }
@@ -5551,7 +5697,7 @@ sub restore_prev_selections {
 }
 
 sub print_selfenroll_menu {
-    my ($r,$context,$cid,$cdom,$cnum,$currsettings,$additional) = @_;
+    my ($r,$context,$cid,$cdom,$cnum,$currsettings,$additional,$readonly) = @_;
     my $crstype = &Apache::loncommon::course_type();
     my $formname = 'selfenroll';
     my $nolink = 1;
@@ -5564,6 +5710,10 @@ sub print_selfenroll_menu {
         butn => 'but no user types have been checked.',
         wilf => "Please uncheck 'activate' or check at least one type.",
     );
+    my $disabled;
+    if ($readonly) {
+       $disabled = ' disabled="disabled"';
+    }
     &js_escape(\%alerts);
     my $selfenroll_js = <<"ENDSCRIPT";
 function update_types(caller,num) {
@@ -5879,13 +6029,13 @@ ENDSCRIPT
                     $output .= ' checked="checked" '; 
                 }
                 $output .= 'onchange="javascript:update_types('.
-                           "'selfenroll_all'".');" />'.&mt('Yes').'</label>'.
+                           "'selfenroll_all'".');"'.$disabled.' />'.&mt('Yes').'</label>'.
                            '&nbsp;&nbsp;<input type="radio" name="selfenroll_all" value="0" ';
                 if ($curr_types ne '*') {
                     $output .= ' checked="checked" ';
                 }
                 $output .= ' onchange="javascript:update_types('.
-                           "'selfenroll_all'".');"/>'.&mt('No').'</label></td>'.
+                           "'selfenroll_all'".');"'.$disabled.' />'.&mt('No').'</label></td>'.
                            &Apache::loncommon::end_data_table_row().
                            &Apache::loncommon::end_data_table().
                            &mt('Or').'<br />'.
@@ -5907,10 +6057,10 @@ ENDSCRIPT
                                        .'</b><input type="hidden" name="selfenroll_dom_'.$num
                                        .'" value="'.$currdom.'" /></span><br />'
                                        .'<span class="LC_nobreak"><label><input type="checkbox" '
-                                       .'name="selfenroll_delete" value="'.$num.'" onchange="javascript:update_types('."'selfenroll_delete','$num'".');" />'
+                                       .'name="selfenroll_delete" value="'.$num.'" onchange="javascript:update_types('."'selfenroll_delete','$num'".');"'.$disabled.' />'
                                        .&mt('Delete').'</label></span></td>';
                             $output .= '<td valign="top">&nbsp;&nbsp;'.&mt('User types:').'<br />'
-                                       .&selfenroll_inst_types($num,$currdom,\@currinsttypes).'</td>'
+                                       .&selfenroll_inst_types($num,$currdom,\@currinsttypes,$readonly).'</td>'
                                        .&Apache::loncommon::end_data_table_row();
                             $num ++;
                         }
@@ -5925,7 +6075,7 @@ ENDSCRIPT
                 $output .= &Apache::loncommon::start_data_table_row()
                            .'<td colspan="2"><span class="LC_nobreak">'.$add_domtitle.'</span><br />'
                            .&Apache::loncommon::select_dom_form('','selfenroll_newdom',
-                                                                $includeempty,$showdomdesc)
+                                                                $includeempty,$showdomdesc,'','','',$readonly)
                            .'<input type="hidden" name="selfenroll_types_total" value="'.$num.'" />'
                            .'</td>'.&Apache::loncommon::end_data_table_row()
                            .&Apache::loncommon::end_data_table();
@@ -5952,9 +6102,9 @@ ENDSCRIPT
                     $regoff = ' checked="checked" ';
                 }
                 $output .= '<label>'.
-                           '<input type="radio" name="selfenroll_registered" value="1"'.$regon.'/>'.
+                           '<input type="radio" name="selfenroll_registered" value="1"'.$regon.$disabled.'/>'.
                            &mt('Yes').'</label>&nbsp;&nbsp;<label>'.
-                           '<input type="radio" name="selfenroll_registered" value="0"'.$regoff.'/>'.
+                           '<input type="radio" name="selfenroll_registered" value="0"'.$regoff.$disabled.'/>'.
                            &mt('No').'</label>';
             } elsif ($item eq 'enroll_dates') {
                 my ($starttime,$endtime);
@@ -5976,10 +6126,10 @@ ENDSCRIPT
                 }
                 my $startform =
                     &Apache::lonhtmlcommon::date_setter($formname,'selfenroll_start_date',$starttime,
-                                      undef,undef,undef,undef,undef,undef,undef,$nolink);
+                                      $disabled,undef,undef,undef,undef,undef,undef,$nolink);
                 my $endform =
                     &Apache::lonhtmlcommon::date_setter($formname,'selfenroll_end_date',$endtime,
-                                      undef,undef,undef,undef,undef,undef,undef,$nolink);
+                                      $disabled,undef,undef,undef,undef,undef,undef,$nolink);
                 $output .= &selfenroll_date_forms($startform,$endform);
             } elsif ($item eq 'access_dates') {
                 my ($starttime,$endtime);
@@ -6001,10 +6151,10 @@ ENDSCRIPT
                 }
                 my $startform =
                     &Apache::lonhtmlcommon::date_setter($formname,'selfenroll_start_access',$starttime,
-                                      undef,undef,undef,undef,undef,undef,undef,$nolink);
+                                      $disabled,undef,undef,undef,undef,undef,undef,$nolink);
                 my $endform =
                     &Apache::lonhtmlcommon::date_setter($formname,'selfenroll_end_access',$endtime,
-                                      undef,undef,undef,undef,undef,undef,undef,$nolink);
+                                      $disabled,undef,undef,undef,undef,undef,undef,$nolink);
                 $output .= &selfenroll_date_forms($startform,$endform);
             } elsif ($item eq 'section') {
                 my $currsec;
@@ -6028,13 +6178,13 @@ ENDSCRIPT
                     next;
                 }
                 my $sections_select = 
-                    &Apache::lonuserutils::course_sections(\%sections_count,'st',$currsec);
+                    &Apache::lonuserutils::course_sections(\%sections_count,'st',$currsec,$disabled);
                 $output .= '<table class="LC_createuser">'."\n".
                            '<tr class="LC_section_row">'."\n".
                            '<td align="center">'.&mt('Existing sections')."\n".
                            '<br />'.$sections_select.'</td><td align="center">'.
                            &mt('New section').'<br />'."\n".
-                           '<input type="text" name="newsec" size="15" value="'.$newsecval.'" />'."\n".
+                           '<input type="text" name="newsec" size="15" value="'.$newsecval.'"'.$disabled.' />'."\n".
                            '<input type="hidden" name="sections" value="" />'."\n".
                            '</td></tr></table>'."\n";
             } elsif ($item eq 'approval') {
@@ -6056,8 +6206,8 @@ ENDSCRIPT
                 for my $i (0..2) {
                     $output .= '<label>'.
                                '<input type="radio" name="selfenroll_approval" value="'.$i.'"'.
-                               $appchecked{$i}.' onclick="toggleNotify();" />'.$selfdescs{'approval'}{$i}.
-                               '</label>'.('&nbsp;'x2);
+                               $appchecked{$i}.' onclick="toggleNotify();"'.$disabled.' />'.
+                               $selfdescs{'approval'}{$i}.'</label>'.('&nbsp;'x2);
                 }
                 my %advhash = &Apache::lonnet::get_course_adv_roles($cid,1);
                 my (@ccs,%notified);
@@ -6098,7 +6248,7 @@ ENDSCRIPT
                                        &Apache::loncommon::start_data_table_row()
                         }
                         $output .= '<td><span class="LC_nobreak"><label>'.
-                                   '<input type="checkbox" name="selfenroll_notify"'.$notifyon.' value="'.$cc.'" />'.
+                                   '<input type="checkbox" name="selfenroll_notify"'.$notifyon.' value="'.$cc.'"'.$disabled.' />'.
                                    &Apache::loncommon::plainname($ccuname,$ccudom).
                                    '</label></span></td>';
                         $count ++;
@@ -6148,26 +6298,28 @@ ENDSCRIPT
                     $nolimit = ' checked="checked" ';
                 }
                 $output .= '<table><tr><td><label>'.
-                           '<input type="radio" name="selfenroll_limit" value="none"'.$nolimit.'/>'.
+                           '<input type="radio" name="selfenroll_limit" value="none"'.$nolimit.$disabled.'/>'.
                            &mt('No limit').'</label></td><td><label>'.
-                           '<input type="radio" name="selfenroll_limit" value="allstudents"'.$crslimit.'/>'.
+                           '<input type="radio" name="selfenroll_limit" value="allstudents"'.$crslimit.$disabled.'/>'.
                            &mt('Limit by total students').'</label></td><td><label>'.
-                           '<input type="radio" name="selfenroll_limit" value="selfenrolled"'.$selflimit.'/>'.
+                           '<input type="radio" name="selfenroll_limit" value="selfenrolled"'.$selflimit.$disabled.'/>'.
                            &mt('Limit by total self-enrolled students').
                            '</td></tr><tr>'.
                            '<td>&nbsp;</td><td colspan="2"><span class="LC_nobreak">'.
                            ('&nbsp;'x3).&mt('Maximum number allowed: ').
-                           '<input type="text" name="selfenroll_cap" size = "5" value="'.$currcap.'" /></td></tr></table>';
+                           '<input type="text" name="selfenroll_cap" size = "5" value="'.$currcap.'"'.$disabled.' /></td></tr></table>';
             }
             $output .= &Apache::lonhtmlcommon::row_closure(1);
         }
     }
-    $output .= &Apache::lonhtmlcommon::end_pick_box().
-               '<br /><input type="button" name="selfenrollconf" value="'
-               .&mt('Save').'" onclick="validate_types(this.form);" />'
-               .'<input type="hidden" name="action" value="selfenroll" />'
-               .'<input type="hidden" name="state" value="done" />'."\n".
-               $additional.'</form>';
+    $output .= &Apache::lonhtmlcommon::end_pick_box().'<br />';
+    unless ($readonly) {
+        $output .= '<input type="button" name="selfenrollconf" value="'
+                   .&mt('Save').'" onclick="validate_types(this.form);" />';
+    }
+    $output .= '<input type="hidden" name="action" value="selfenroll" />'
+              .'<input type="hidden" name="state" value="done" />'."\n"
+              .$additional.'</form>';
     $r->print($output);
     return;
 }
@@ -6350,12 +6502,16 @@ sub new_selfenroll_dom_row {
 }
 
 sub selfenroll_inst_types {
-    my ($num,$currdom,$currinsttypes) = @_;
+    my ($num,$currdom,$currinsttypes,$readonly) = @_;
     my $output;
     my $numinrow = 4;
     my $count = 0;
     my ($othertitle,$usertypes,$types) = &Apache::loncommon::sorted_inst_types($currdom);
     my $othervalue = 'any';
+    my $disabled;
+    if ($readonly) {
+        $disabled = ' disabled="disabled"';
+    }
     if ((ref($types) eq 'ARRAY') && (ref($usertypes) eq 'HASH')) {
         if (keys(%{$usertypes}) > 0) {
             $othervalue = 'other';
@@ -6380,7 +6536,7 @@ sub selfenroll_inst_types {
                         $output .= 'checked="checked"';
                     }
                 }
-                $output .= ' name="selfenroll_types_'.$num.'" />'.$usertypes->{$type}.'</label></span></td>';
+                $output .= ' name="selfenroll_types_'.$num.'"'.$disabled.' />'.$usertypes->{$type}.'</label></span></td>';
             }
             $count ++;
         }
@@ -6403,7 +6559,7 @@ sub selfenroll_inst_types {
         } else {
             $output .= ' checked="checked"';
         }
-        $output .= ' name="selfenroll_types_'.$num.'" />'.$othertitle.'</label></span></td></tr></table>';
+        $output .= ' name="selfenroll_types_'.$num.'"'.$disabled.' />'.$othertitle.'</label></span></td></tr></table>';
     }
     return $output;
 }
@@ -6426,7 +6582,7 @@ sub selfenroll_date_forms {
 sub print_userchangelogs_display {
     my ($r,$context,$permission,$brcrum) = @_;
     my $formname = 'rolelog';
-    my ($username,$domain,$crstype,%roleslog);
+    my ($username,$domain,$crstype,$viewablesec,%roleslog);
     if ($context eq 'domain') {
         $domain = $env{'request.role.domain'};
         %roleslog=&Apache::lonnet::dump_dom('nohist_rolelog',$domain);
@@ -6435,6 +6591,7 @@ sub print_userchangelogs_display {
             $domain = $env{'course.'.$env{'request.course.id'}.'.domain'};
             $username = $env{'course.'.$env{'request.course.id'}.'.num'};
             $crstype = &Apache::loncommon::course_type();
+            $viewablesec = &Apache::lonuserutils::viewable_section($permission);
             my %saveable_parameters = ('show' => 'scalar',);
             &Apache::loncommon::store_course_settings('roles_log',
                                                       \%saveable_parameters);
@@ -6566,6 +6723,9 @@ ENDSCRIPT
                 next if ($roleslog{$id}{'logentry'}{'context'} ne $curr{'chgcontext'});
             }
         }
+        if (($context eq 'course') && ($viewablesec ne '')) {
+            next if ($roleslog{$id}{'logentry'}{'section'} ne $viewablesec); 
+        }
         $count ++;
         next if ($count < $minshown);
         unless ($showntableheader) {
@@ -6805,14 +6965,14 @@ ENDSCRIPT
                 $r->rflush();
                 $showntableheader = 1;
             }
-            my ($shown,$extra,);
+            my ($shown,$extra);
             my ($event,$data) = split(/\s+/,&unescape($event));
             if ($event eq 'Role') {
                 my ($rolecode,$extent) = split(/\./,$data,2);
                 next if ($extent eq '');
                 my ($crstype,$desc,$info);
-                if ($extent =~ m{^/($match_domain)/($match_courseid)$}) {
-                    my ($cdom,$cnum) = ($1,$2);
+                if ($extent =~ m{^/($match_domain)/($match_courseid)(?:/(\w+)|)$}) {
+                    my ($cdom,$cnum,$sec) = ($1,$2,$3);
                     my $cid = $cdom.'_'.$cnum;
                     if (exists($courses{$cid})) {
                         $crstype = $courses{$cid}{'type'};
@@ -6831,6 +6991,9 @@ ENDSCRIPT
                         }
                     }
                     $extra = &mt($crstype).': <a href="/public/'.$cdom.'/'.$cnum.'/syllabus">'.$desc.'</a>';
+                    if ($sec ne '') {
+                       $extra .= ' ('.&mt('Section: [_1]',$sec).')';
+                    }
                 } elsif ($extent =~ m{^/($match_domain)/($match_username|$)}) {
                     my ($dom,$name) = ($1,$2);
                     if ($rolecode eq 'au') {