--- loncom/lonnet/perl/lonnet.pm	2000/10/20 10:57:46	1.47
+++ loncom/lonnet/perl/lonnet.pm	2000/11/28 02:48:25	1.73
@@ -24,6 +24,7 @@
 # revokerole (udom,uname,url,role) : Revoke a role for url
 # revokecustomrole (udom,uname,url,rdom,rnam,rolename) : Revoke a custom role
 # appenv(hash)       : adds hash to session environment
+# delenv(varname)    : deletes all environment entries starting with varname
 # store(hash)        : stores hash permanently for this url
 # cstore(hash)       : critical store
 # restore            : returns hash for this url
@@ -41,8 +42,7 @@
 # directcondval(index) : reading condition value of single condition from 
 #                        state string
 # condval(index)     : value of condition index based on state
-# varval(name)       : value of a variable
-# refreshstate()     : refresh the state information string
+# EXT(name)          : value of a variable
 # symblist(map,hash) : Updates symbolic storage links
 # symbread([filename]) : returns the data handle (filename optional)
 # rndseed()          : returns a random seed  
@@ -52,6 +52,17 @@
 #                          from the directory dir
 # hreflocation(dir,file) : same as filelocation, but for hrefs
 # log(domain,user,home,msg) : write to permanent log for user
+# usection(domain,user,courseid) : output of section name/number or '' for
+#                                  "not in course" and '-1' for "no section"
+# userenvironment(domain,user,what) : puts out any environment parameter 
+#                                     for a user
+# idput(domain,hash) : writes IDs for users from hash (name=>id,name=>id)
+# idget(domain,array): returns hash with usernames (id=>name,id=>name) for
+#                      an array of IDs
+# idrget(domain,array): returns hash with IDs for usernames (name=>id,...) for
+#                       an array of names
+# metadata(file,entry): returns the metadata entry for a file. entry='keys'
+#                       returns a comma separated list of keys
 #
 # 6/1/99,6/2,6/10,6/11,6/12,6/14,6/26,6/28,6/29,6/30,
 # 7/1,7/2,7/9,7/10,7/12,7/14,7/15,7/19,
@@ -66,7 +77,9 @@
 # 08/22,08/28,08/31,09/01,09/02,09/04,09/05,09/25,09/28,09/30 Gerd Kortemeyer
 # 10/04 Gerd Kortemeyer
 # 10/04 Guy Albertelli
-# 10/06,10/09,10/10,10/11,10/14,10/20 Gerd Kortemeyer
+# 10/06,10/09,10/10,10/11,10/14,10/20,10/23,10/25,10/26,10/27,10/28,10/29, 
+# 10/30,10/31,
+# 11/2,11/14,11/15,11/16,11/20,11/21,11/22,11/25,11/27 Gerd Kortemeyer
 
 package Apache::lonnet;
 
@@ -75,10 +88,11 @@ use Apache::File;
 use LWP::UserAgent();
 use HTTP::Headers;
 use vars 
-qw(%perlvar %hostname %homecache %spareid %hostdom %libserv %pr %prp %fe %fd $readit);
+qw(%perlvar %hostname %homecache %spareid %hostdom %libserv %pr %prp %fe %fd $readit %metacache);
 use IO::Socket;
 use GDBM_File;
 use Apache::Constants qw(:common :http);
+use HTML::TokeParser;
 
 # --------------------------------------------------------------------- Logging
 
@@ -121,8 +135,7 @@ sub reply {
     my ($cmd,$server)=@_;
     my $answer=subreply($cmd,$server);
     if ($answer eq 'con_lost') { $answer=subreply($cmd,$server); }
-    if (($answer=~/^error:/) || ($answer=~/^refused/) || 
-        ($answer=~/^rejected/)) {
+    if (($answer=~/^refused/) || ($answer=~/^rejected/)) {
        &logthis("<font color=blue>WARNING:".
                 " $cmd to $server returned $answer</font>");
     }
@@ -249,6 +262,35 @@ sub appenv {
     }
     return 'ok';
 }
+# ----------------------------------------------------- Delete from Environment
+
+sub delenv {
+    my $delthis=shift;
+    my %newenv=();
+    if (($delthis=~/user\.role/) || ($delthis=~/user\.priv/)) {
+        &logthis("<font color=blue>WARNING: ".
+                "Attempt to delete from environment ".$delthis);
+        return 'error';
+    }
+    my @oldenv;
+    {
+     my $fh;
+     unless ($fh=Apache::File->new("$ENV{'user.environment'}")) {
+	return 'error';
+     }
+     @oldenv=<$fh>;
+    }
+    {
+     my $fh;
+     unless ($fh=Apache::File->new(">$ENV{'user.environment'}")) {
+	return 'error';
+     }
+     map {
+	 unless ($_=~/^$delthis/) { print $fh $_; }
+     } @oldenv;
+    }
+    return 'ok';
+}
 
 # ------------------------------ Find server with least workload from spare.tab
 
@@ -327,6 +369,111 @@ sub homeserver {
     return 'no_host';
 }
 
+# ------------------------------------- Find the usernames behind a list of IDs
+
+sub idget {
+    my ($udom,@ids)=@_;
+    my %returnhash=();
+    
+    my $tryserver;
+    foreach $tryserver (keys %libserv) {
+       if ($hostdom{$tryserver} eq $udom) {
+	  my $idlist=join('&',@ids);
+          $idlist=~tr/A-Z/a-z/; 
+	  my $reply=&reply("idget:$udom:".$idlist,$tryserver);
+          my @answer=();
+          if ($reply ne 'con_lost') {
+	      @answer=split(/\&/,$reply);
+          }                    ;
+          my $i;
+          for ($i=0;$i<=$#ids;$i++) {
+              if ($answer[$i]) {
+		  $returnhash{$ids[$i]}=$answer[$i];
+              } 
+          }
+       }
+    }    
+    return %returnhash;
+}
+
+# ------------------------------------- Find the IDs behind a list of usernames
+
+sub idrget {
+    my ($udom,@unames)=@_;
+    my %returnhash=();
+    map {
+        $returnhash{$_}=(&userenvironment($udom,$_,'id'))[1];
+    } @unames;
+    return %returnhash;
+}
+
+# ------------------------------- Store away a list of names and associated IDs
+
+sub idput {
+    my ($udom,%ids)=@_;
+    my %servers=();
+    map {
+        my $uhom=&homeserver($_,$udom);
+        if ($uhom ne 'no_host') {
+            my $id=&escape($ids{$_});
+            $id=~tr/A-Z/a-z/;
+            my $unam=&escape($_);
+	    if ($servers{$uhom}) {
+		$servers{$uhom}.='&'.$id.'='.$unam;
+            } else {
+                $servers{$uhom}=$id.'='.$unam;
+            }
+            &critical('put:'.$udom.':'.$unam.':environment:id='.$id,$uhom);
+        }
+    } keys %ids;
+    map {
+        &critical('idput:'.$udom.':'.$servers{$_},$_);
+    } keys %servers;
+}
+
+# ------------------------------------- Find the section of student in a course
+
+sub usection {
+    my ($udom,$unam,$courseid)=@_;
+    $courseid=~s/\_/\//g;
+    $courseid=~s/^(\w)/\/$1/;
+    map {
+        my ($key,$value)=split(/\=/,$_);
+        $key=&unescape($key);
+        if ($key=~/^$courseid(?:\/)*(\w+)*\_st$/) {
+            my $section=$1;
+            if ($key eq $courseid.'_st') { $section=''; }
+	    my ($dummy,$end,$start)=split(/\_/,&unescape($value));
+            my $now=time;
+            my $notactive=0;
+            if ($start) {
+		if ($now<$start) { $notactive=1; }
+            }
+            if ($end) {
+                if ($now>$end) { $notactive=1; }
+            } 
+            unless ($notactive) { return $section; }
+        }
+    } split(/\&/,&reply('dump:'.$udom.':'.$unam.':roles',
+                        &homeserver($unam,$udom)));
+    return '-1';
+}
+
+# ------------------------------------- Read an entry from a user's environment
+
+sub userenvironment {
+    my ($udom,$unam,@what)=@_;
+    my %returnhash=();
+    my @answer=split(/\&/,
+                &reply('get:'.$udom.':'.$unam.':environment:'.join('&',@what),
+                      &homeserver($unam,$udom)));
+    my $i;
+    for ($i=0;$i<=$#what;$i++) {
+	$returnhash{$what[$i]}=&unescape($answer[$i]);
+    }
+    return %returnhash;
+}
+
 # ----------------------------- Subscribe to a resource, return URL if possible
 
 sub subscribe {
@@ -339,6 +486,9 @@ sub subscribe {
         return 'not_found'; 
     }
     my $answer=reply("sub:$fname",$home);
+    if (($answer eq 'con_lost') || ($answer eq 'rejected')) {
+	$answer.=' by '.$home;
+    }
     return $answer;
 }
     
@@ -350,14 +500,14 @@ sub repcopy {
     my $transname="$filename.in.transfer";
     if ((-e $filename) || (-e $transname)) { return OK; }
     my $remoteurl=subscribe($filename);
-    if ($remoteurl eq 'con_lost') {
-	   &logthis("Subscribe returned con_lost: $filename");
+    if ($remoteurl =~ /^con_lost by/) {
+	   &logthis("Subscribe returned $remoteurl: $filename");
            return HTTP_SERVICE_UNAVAILABLE;
     } elsif ($remoteurl eq 'not_found') {
 	   &logthis("Subscribe returned not_found: $filename");
 	   return HTTP_NOT_FOUND;
-    } elsif ($remoteurl eq 'rejected') {
-	   &logthis("Subscribe returned rejected: $filename");
+    } elsif ($remoteurl =~ /^rejected by/) {
+	   &logthis("Subscribe returned $remoteurl: $filename");
            return FORBIDDEN;
     } elsif ($remoteurl eq 'directory') {
            return OK;
@@ -492,12 +642,15 @@ sub restore {
 sub coursedescription {
     my $courseid=shift;
     $courseid=~s/^\///;
+    $courseid=~s/\_/\//g;
     my ($cdomain,$cnum)=split(/\//,$courseid);
     my $chome=homeserver($cnum,$cdomain);
     if ($chome ne 'no_host') {
        my $rep=reply("dump:$cdomain:$cnum:environment",$chome);
        if ($rep ne 'con_lost') {
-	   my %cachehash=();
+           my $normalid=$courseid;
+           $normalid=~s/\//\_/g;
+           my %envhash=();
            my %returnhash=('home'   => $chome, 
                            'domain' => $cdomain,
                            'num'    => $cnum);
@@ -506,14 +659,16 @@ sub coursedescription {
                $name=&unescape($name);
                $value=&unescape($value);
                $returnhash{$name}=$value;
-               if ($name eq 'description') {
-		   $cachehash{$courseid}=$value;
-               }
+               $envhash{'course.'.$normalid.'.'.$name}=$value;
            } split(/\&/,$rep);
            $returnhash{'url'}='/res/'.declutter($returnhash{'url'});
            $returnhash{'fn'}=$perlvar{'lonDaemons'}.'/tmp/'.
 	       $ENV{'user.name'}.'_'.$cdomain.'_'.$cnum;
-	   put ('coursedescriptions',%cachehash);
+           $envhash{'course.'.$normalid.'.last_cache'}=time;
+           $envhash{'course.'.$normalid.'.home'}=$chome;
+           $envhash{'course.'.$normalid.'.domain'}=$cdomain;
+           $envhash{'course.'.$normalid.'.num'}=$cnum;
+           &appenv(%envhash);
            return %returnhash;
        }
     }
@@ -551,6 +706,7 @@ sub rolesinit {
                 }
             }
             if (($area ne '') && ($trole ne '')) {
+	       my $spec=$trole.'.'.$area;
                my ($tdummy,$tdomain,$trest)=split(/\//,$area);
                if ($trole =~ /^cr\//) {
 		   my ($rdummy,$rdomain,$rauthor,$rrole)=split(/\//,$trole);
@@ -562,21 +718,27 @@ sub rolesinit {
                       if (($roledef ne 'con_lost') && ($roledef ne '')) {
                          my ($syspriv,$dompriv,$coursepriv)=
 			     split(/\_/,unescape($roledef));
- 	                 $allroles{'/'}.=':'.$syspriv;
+ 	                 $allroles{'cm./'}.=':'.$syspriv;
+                         $allroles{$spec.'./'}.=':'.$syspriv;
                          if ($tdomain ne '') {
-                             $allroles{'/'.$tdomain.'/'}.=':'.$dompriv;
+                             $allroles{'cm./'.$tdomain.'/'}.=':'.$dompriv;
+                             $allroles{$spec.'./'.$tdomain.'/'}.=':'.$dompriv;
                              if ($trest ne '') {
-		                $allroles{$area}.=':'.$coursepriv;
+		                $allroles{'cm.'.$area}.=':'.$coursepriv;
+		                $allroles{$spec.'.'.$area}.=':'.$coursepriv;
                              }
 	                 }
                       }
                    }
                } else {
-	           $allroles{'/'}.=':'.$pr{$trole.':s'};
+	           $allroles{'cm./'}.=':'.$pr{$trole.':s'};
+	           $allroles{$spec.'./'}.=':'.$pr{$trole.':s'};
                    if ($tdomain ne '') {
-                      $allroles{'/'.$tdomain.'/'}.=':'.$pr{$trole.':d'};
+                     $allroles{'cm./'.$tdomain.'/'}.=':'.$pr{$trole.':d'};
+                     $allroles{$spec.'./'.$tdomain.'/'}.=':'.$pr{$trole.':d'};
                       if ($trest ne '') {
-		          $allroles{$area}.=':'.$pr{$trole.':c'};
+		          $allroles{'cm.'.$area}.=':'.$pr{$trole.':c'};
+		          $allroles{$spec.'.'.$area}.=':'.$pr{$trole.':c'};
                       }
 	           }
 	       }
@@ -706,111 +868,227 @@ sub eget {
 
 sub allowed {
     my ($priv,$uri)=@_;
-    $uri=~s/^\/res//;
-    $uri=~s/^\///;
+    $uri=&declutter($uri);
 
-# Free bre access to adm resources
+# Free bre access to adm and meta resources
 
-    if (($uri=~/^adm\//) && ($priv eq 'bre')) {
+    if ((($uri=~/^adm\//) || ($uri=~/\.meta$/)) && ($priv eq 'bre')) {
 	return 'F';
     }
 
-# Gather priviledges over system and domain
-
     my $thisallowed='';
-    if ($ENV{'user.priv./'}=~/$priv\&([^\:]*)/) {
+    my $statecond=0;
+    my $courseprivid='';
+
+# Course
+
+    if ($ENV{'user.priv.'.$ENV{'request.role'}.'./'}=~/$priv\&([^\:]*)/) {
+       $thisallowed.=$1;
+    }
+
+# Domain
+
+    if ($ENV{'user.priv.'.$ENV{'request.role'}.'./'.(split(/\//,$uri))[0].'/'}
+       =~/$priv\&([^\:]*)/) {
        $thisallowed.=$1;
     }
-    if ($ENV{'user.priv./'.(split(/\//,$uri))[0].'/'}=~/$priv\&([^\:]*)/) {
+
+# Course: uri itself is a course
+    my $courseuri=$uri;
+    $courseuri=~s/\_(\d)/\/$1/;
+    if ($ENV{'user.priv.'.$ENV{'request.role'}.'./'.$courseuri}
+       =~/$priv\&([^\:]*)/) {
        $thisallowed.=$1;
     }
 
-# Full access at system or domain level? Exit.
+# Full access at system, domain or course-wide level? Exit.
 
     if ($thisallowed=~/F/) {
 	return 'F';
     }
 
-# The user does not have full access at system or domain level
-# Course level access control
+# If this is generating or modifying users, exit with special codes
 
-# uri itself refering to a course?
-    
-    if ($uri=~/\.course$/) {
-       if ($ENV{'user.priv./'.$uri}=~/$priv\&([^\:]*)/) {
-          $thisallowed.=$1;
+    if (':csu:cdc:ccc:cin:cta:cep:ccr:cst:cad:cli:cau:cdg:'=~/\:$priv\:/) {
+	return $thisallowed;
+    }
+#
+# Gathered so far: system, domain and course wide priviledges
+#
+# Course: See if uri or referer is an individual resource that is part of 
+# the course
+
+    if ($ENV{'request.course.id'}) {
+       $courseprivid=$ENV{'request.course.id'};
+       if ($ENV{'request.course.sec'}) {
+          $courseprivid.='/'.$ENV{'request.course.sec'};
        }
-# Full access on course level? Exit.
-       if ($thisallowed=~/F/) {
-	  return 'F';
+       $courseprivid=~s/\_/\//;
+       my $checkreferer=1;
+       my @uriparts=split(/\//,$uri);
+       my $filename=$uriparts[$#uriparts];
+       my $pathname=$uri;
+       $pathname=~s/\/$filename$//;
+       if ($ENV{'acc.res.'.$ENV{'request.course.id'}.'.'.$pathname}=~
+           /\&$filename\:([\d\|]+)\&/) {
+           $statecond=$1;
+           if ($ENV{'user.priv.'.$ENV{'request.role'}.'./'.$courseprivid}
+               =~/$priv\&([^\:]*)/) {
+               $thisallowed.=$1;
+               $checkreferer=0;
+           }
        }
 
-# uri is refering to an individual resource; user needs to be in a course
+       if (($ENV{'HTTP_REFERER'}) && ($checkreferer)) {
+	  my $refuri=$ENV{'HTTP_REFERER'};
+          $refuri=~s/^http\:\/\/$ENV{'request.host'}//i;
+          $refuri=&declutter($refuri);
+          my @uriparts=split(/\//,$refuri);
+          my $filename=$uriparts[$#uriparts];
+          my $pathname=$refuri;
+          $pathname=~s/\/$filename$//;
+          my @filenameparts=split(/\./,$uri);
+          if (&fileembstyle($filenameparts[$#filenameparts]) ne 'ssi') {
+            if ($ENV{'acc.res.'.$ENV{'request.course.id'}.'.'.$pathname}=~
+              /\&$filename\:([\d\|]+)\&/) {
+              my $refstatecond=$1;
+              if ($ENV{'user.priv.'.$ENV{'request.role'}.'./'.$courseprivid}
+                  =~/$priv\&([^\:]*)/) {
+                  $thisallowed.=$1;
+                  $uri=$refuri;
+                  $statecond=$refstatecond;
+              }
+            }
+          }
+       }
+   }
 
-   } else {
+#
+# Gathered now: all priviledges that could apply, and condition number
+# 
+#
+# Full or no access?
+#
 
-       unless(defined($ENV{'request.course.id'})) {
-	   return '1';
-       }
+    if ($thisallowed=~/F/) {
+	return 'F';
+    }
 
-# Get access priviledges for course
+    unless ($thisallowed) {
+        return '';
+    }
 
-       if ($ENV{'user.priv./'.$ENV{'request.course.id'}}=~/$priv\&([^\:]*)/) {
-          $thisallowed.=$1;
-       }
+# Restrictions exist, deal with them
+#
+#   C:according to course preferences
+#   R:according to resource settings
+#   L:unless locked
+#   X:according to user session state
+#
 
-# See if resource or referer is part of this course
-          
-       my @uriparts=split(/\//,$uri);
-       my $urifile=$uriparts[$#uriparts];
-       $urifile=~/\.(\w+)$/;
-       my $uritype=$1;
-       $#uriparts--;
-       my $uripath=join('/',@uriparts);
-       my $uricond=-1;
-       if ($ENV{'acc.res.'.$ENV{'request.course.id'}.'.'.$uripath}=~
-	   /\&$urifile\:(\d+)\&/) {
-	   $uricond=$1;
-       } elsif (($fe{$uritype} eq 'emb') || ($fe{$uritype} eq 'img')) {
-	  my $refuri=$ENV{'HTTP_REFERER'};
-          $refuri=~s/^\/res//;
-          $refuri=~s/^\///;
-          @uriparts=split(/\//,$refuri);
-          $urifile=$uriparts[$#uriparts];
-          $#uriparts--;
-          $uripath=join('/',@uriparts);
-          if ($ENV{'acc.res.'.$ENV{'request.course.id'}.'.'.$uripath}=~
-	     /\&$urifile\:(\d+)\&/) {
-	     $uricond=$1;
-	  }
+# Possibly locked functionality, check all courses
+# Locks might take effect only after 10 minutes cache expiration for other
+# courses, and 2 minutes for current course
+
+    my $envkey;
+    if ($thisallowed=~/L/) {
+        foreach $envkey (keys %ENV) {
+           if ($envkey=~/^user\.role\.(st|ta)\.([^\.]*)/) {
+               my $courseid=$2;
+               my $roleid=$1.'.'.$2;
+               my $expiretime=600;
+               if ($ENV{'request.role'} eq $roleid) {
+		  $expiretime=120;
+               }
+	       my ($cdom,$cnum,$csec)=split(/\//,$courseid);
+               my $prefix='course.'.$cdom.'_'.$cnum.'.';
+               if ((time-$ENV{$prefix.'last_cache'})>$expiretime) {
+		   &coursedescription($courseid);
+               }
+               if (($ENV{$prefix.'res.'.$uri.'.lock.sections'}=~/\,$csec\,/)
+                || ($ENV{$prefix.'res.'.$uri.'.lock.sections'} eq 'all')) {
+		   if ($ENV{$prefix.'res.'.$uri.'.lock.expire'}>time) {
+                       &log($ENV{'user.domain'},$ENV{'user.name'},
+                            $ENV{'user.host'},
+                            'Locked by res: '.$priv.' for '.$uri.' due to '.
+                            $cdom.'/'.$cnum.'/'.$csec.' expire '.
+                            $ENV{$prefix.'priv.'.$priv.'.lock.expire'});
+		       return '';
+                   }
+               }
+               if (($ENV{$prefix.'priv.'.$priv.'.lock.sections'}=~/\,$csec\,/)
+                || ($ENV{$prefix.'priv.'.$priv.'.lock.sections'} eq 'all')) {
+		   if ($ENV{'priv.'.$priv.'.lock.expire'}>time) {
+                       &log($ENV{'user.domain'},$ENV{'user.name'},
+                            $ENV{'user.host'},
+                            'Locked by priv: '.$priv.' for '.$uri.' due to '.
+                            $cdom.'/'.$cnum.'/'.$csec.' expire '.
+                            $ENV{$prefix.'priv.'.$priv.'.lock.expire'});
+		       return '';
+                   }
+               }
+	   }
        }
+    }
+   
+#
+# Rest of the restrictions depend on selected course
+#
 
-       if ($uricond>=0) {
+    unless ($ENV{'request.course.id'}) {
+       return '1';
+    }
 
-# The resource is part of the course
-# If user had full access on course level, go ahead
+#
+# Now user is definitely in a course
+#
 
-           if ($thisallowed=~/F/) {
-	       return 'F';
-           }
 
-# Restricted by state?
+# Course preferences
 
-           if ($thisallowed=~/X/) {
-	      if (&condval($uricond)) {
-	         return '2';
-              } else {
-                 return '';
-              }
+   if ($thisallowed=~/C/) {
+       my $rolecode=(split(/\./,$ENV{'request.role'}))[0];
+       if ($ENV{'course.'.$ENV{'request.course.id'}.'.'.$priv.'.roles.denied'}
+	   =~/\,$rolecode\,/) {
+           &log($ENV{'user.domain'},$ENV{'user.name'},$ENV{'user.host'},
+                'Denied by role: '.$priv.' for '.$uri.' as '.$rolecode.' in '.
+                $ENV{'request.course.id'});
+           return '';
+       }
+   }
+
+# Resource preferences
+
+   if ($thisallowed=~/R/) {
+       my $rolecode=(split(/\./,$ENV{'request.role'}))[0];
+       my $filename=$perlvar{'lonDocRoot'}.'/res/'.$uri.'.meta';
+       if (-e $filename) {
+           my @content;
+           {
+	     my $fh=Apache::File->new($filename);
+             @content=<$fh>;
 	   }
+           if (join('',@content)=~
+                    /\<roledeny[^\>]*\>[^\<]*$rolecode[^\<]*\<\/roledeny\>/) {
+	       &log($ENV{'user.domain'},$ENV{'user.name'},$ENV{'user.host'},
+                    'Denied by role: '.$priv.' for '.$uri.' as '.$rolecode);
+           return '';
+
+           }
        }
-    }
-    return $thisallowed;
-}
+   }
+
+# Restricted by state?
 
-# ---------------------------------------------------------- Refresh State Info
+   if ($thisallowed=~/X/) {
+      if (&condval($statecond)) {
+	 return '2';
+      } else {
+         return '';
+      }
+   }
 
-sub refreshstate {
+   return 'F';
 }
 
 # ----------------------------------------------------------------- Define Role
@@ -992,8 +1270,16 @@ sub directcondval {
 sub condval {
     my $condidx=shift;
     my $result=0;
+    my $allpathcond='';
+    map {
+       if (defined($ENV{'acc.cond.'.$ENV{'request.course.id'}.'.'.$_})) {
+	   $allpathcond.=
+               '('.$ENV{'acc.cond.'.$ENV{'request.course.id'}.'.'.$_}.')|';
+       }
+    } split(/\|/,$condidx);
+    $allpathcond=~s/\|$//;
     if ($ENV{'request.course.id'}) {
-       if (defined($ENV{'acc.cond.'.$ENV{'request.course.id'}.'.'.$condidx})) {
+       if ($allpathcond) {
           my $operand='|';
 	  my @stack;
           map {
@@ -1016,8 +1302,7 @@ sub condval {
                      $result=$result>$new?$result:$new;
                   }                  
               }
-          } ($ENV{'acc.cond.'.$ENV{'request.course.id'}.'.'.$condidx}=~
-             /(\d+|\(|\)|\&|\|)/g);
+          } ($allpathcond=~/(\d+|\(|\)|\&|\|)/g);
        }
     }
     return $result;
@@ -1025,21 +1310,203 @@ sub condval {
 
 # --------------------------------------------------------- Value of a Variable
 
-sub varval {
-    my ($realm,$space,@components)=split(/\./,shift);
-    my $value='';
+sub EXT {
+    my $varname=shift;
+    unless ($varname) { return ''; }
+    my ($realm,$space,$qualifier,@therest)=split(/\./,$varname);
+    my $rest;
+    if ($therest[0]) {
+       $rest=join('.',@therest);
+    } else {
+       $rest='';
+    }
+    my $qualifierrest=$qualifier;
+    if ($rest) { $qualifierrest.='.'.$rest; }
+    my $spacequalifierrest=$space;
+    if ($qualifierrest) { $spacequalifierrest.='.'.$qualifierrest; }
     if ($realm eq 'user') {
-	if ($space=~/^resource/) {
-	    $space=~s/^resource\[//;
-            $space=~s/\]$//;
-
+# --------------------------------------------------------------- user.resource
+	if ($space eq 'resource') {
+	    my %restored=&restore;
+            return $restored{$qualifierrest};
+# ----------------------------------------------------------------- user.access
+        } elsif ($space eq 'access') {
+            return &allowed($qualifier,$rest);
+# ------------------------------------------ user.preferences, user.environment
+        } elsif (($space eq 'preferences') || ($space eq 'environment')) {
+            return $ENV{join('.',('environment',$qualifierrest))};
+# ----------------------------------------------------------------- user.course
+        } elsif ($space eq 'course') {
+            return $ENV{join('.',('request.course',$qualifier))};
+# ------------------------------------------------------------------- user.role
+        } elsif ($space eq 'role') {
+            my ($role,$where)=split(/\./,$ENV{'request.role'});
+            if ($qualifier eq 'value') {
+		return $role;
+            } elsif ($qualifier eq 'extent') {
+                return $where;
+            }
+# ----------------------------------------------------------------- user.domain
+        } elsif ($space eq 'domain') {
+            return $ENV{'user.domain'};
+# ------------------------------------------------------------------- user.name
+        } elsif ($space eq 'name') {
+            return $ENV{'user.name'};
+# ---------------------------------------------------- Any other user namespace
+        } else {
+            my $item=($rest)?$qualifier.'.'.$rest:$qualifier;
+            my %reply=&get($space,$item);
+            return $reply{$item};
+        }
+    } elsif ($realm eq 'request') {
+# ------------------------------------------------------------- request.browser
+        if ($space eq 'browser') {
+	    return $ENV{'browser.'.$qualifier};
+# ------------------------------------------------------------ request.filename
         } else {
+            return $ENV{'request.'.$spacequalifierrest};
         }
     } elsif ($realm eq 'course') {
-    } elsif ($realm eq 'session') {
+# ---------------------------------------------------------- course.description
+        my $section='';
+        if ($ENV{'request.course.sec'}) {
+	    $section='_'.$ENV{'request.course.sec'};
+        }
+        return $ENV{'course.'.$ENV{'request.course.id'}.$section.'.'.
+                              $spacequalifierrest};
+    } elsif ($realm eq 'resource') {
+      if ($ENV{'request.course.id'}) {
+# ----------------------------------------------------- Cascading lookup scheme
+       my $symbp=&symbread();
+       my $mapp=(split(/\_\_\_/,$symbp))[0];
+
+       my $symbparm=$symbp.'.'.$spacequalifierrest;
+       my $mapparm=$mapp.'___(all).'.$spacequalifierrest;
+
+       my $seclevel=
+            $ENV{'request.course.id'}.'.['.
+		$ENV{'request.course.sec'}.'].'.$spacequalifierrest;
+       my $seclevelr=
+            $ENV{'request.course.id'}.'.['.
+		$ENV{'request.course.sec'}.'].'.$symbparm;
+       my $seclevelm=
+            $ENV{'request.course.id'}.'.['.
+		$ENV{'request.course.sec'}.'].'.$mapparm;
+
+       my $courselevel=
+            $ENV{'request.course.id'}.'.'.$spacequalifierrest;
+       my $courselevelr=
+            $ENV{'request.course.id'}.'.'.$symbparm;
+       my $courselevelm=
+            $ENV{'request.course.id'}.'.'.$mapparm;
+
+
+# ----------------------------------------------------------- first, check user
+      my %resourcedata=get('resourcedata',
+                           ($courselevelr,$courselevelm,$courselevel));
+      if ($resourcedata{$courselevelr}!~/^error\:/) {
+
+       if ($resourcedata{$courselevelr}) { 
+          return $resourcedata{$courselevelr}; }
+       if ($resourcedata{$courselevelm}) { 
+          return $resourcedata{$courselevelm}; }
+       if ($resourcedata{$courselevel}) { return $resourcedata{$courselevel}; }
+
+      }
+# -------------------------------------------------------- second, check course
+        my $section='';
+        if ($ENV{'request.course.sec'}) {
+	    $section='_'.$ENV{'request.course.sec'};
+        }
+        my $reply=&reply('get:'.
+              $ENV{'course.'.$ENV{'request.course.id'}.$section.'.domain'}.':'.
+              $ENV{'course.'.$ENV{'request.course.id'}.$section.'.num'}.
+              ':resourcedata:'.
+ escape($seclevelr).':'.escape($seclevelm).':'.escape($seclevel).':'.
+ escape($courselevelr).':'.escape($courselevelm).':'.escape($courselevel),
+		   $ENV{'course.'.$ENV{'request.course.id'}.$section.'.home'});
+      if ($reply!~/^error\:/) {
+        map {
+           my ($name,$value)=split(/\=/,$_);
+           $resourcedata{unescape($name)}=unescape($value);  
+        } split(/\&/,$reply);
+
+       if ($resourcedata{$seclevelr}) { return $resourcedata{$seclevelr}; }
+       if ($resourcedata{$seclevelm}) { return $resourcedata{$seclevelm}; }  
+       if ($resourcedata{$seclevel}) { return $resourcedata{$seclevel}; }
+
+       if ($resourcedata{$courselevelr}) { 
+          return $resourcedata{$courselevelr}; }
+       if ($resourcedata{$courselevelm}) { 
+          return $resourcedata{$courselevelm}; }
+       if ($resourcedata{$courselevel}) { return $resourcedata{$courselevel}; }
+
+      }
+
+# ------------------------------------------------------ third, check map parms
+       my %parmhash=();
+       my $thisparm='';       
+       if (tie(%parmhash,'GDBM_File',
+          $ENV{'request.course.fn'}.'_parms.db',&GDBM_READER,0640)) {
+           $thisparm=$parmhash{$symbparm};
+	   untie(%parmhash);
+       }
+       if ($thisparm) { return $thisparm; }
+     }
+     
+# --------------------------------------------- last, look in resource metadata
+
+      my $metadata=&metadata($ENV{'request.filename'},$spacequalifierrest);
+      if ($metadata) { return $metadata; }
+
+# ---------------------------------------------------- Any other user namespace
+    } elsif ($realm eq 'environment') {
+# ----------------------------------------------------------------- environment
+        return $ENV{$spacequalifierrest};
     } elsif ($realm eq 'system') {
+# ----------------------------------------------------------------- system.time
+	if ($space eq 'time') {
+	    return time;
+        }
     }
-    return $value;
+    return '';
+}
+
+# ---------------------------------------------------------------- Get metadata
+
+sub metadata {
+    my ($uri,$what)=@_;
+    $uri=&declutter($uri);
+    my $filename=$uri;
+    $uri=~s/\.meta$//;
+    unless ($metacache{$uri.':keys'}) {
+        unless ($filename=~/\.meta$/) { $filename.='.meta'; }
+	my $metastring=&getfile($perlvar{'lonDocRoot'}.'/res/'.$filename);
+        my $parser=HTML::TokeParser->new(\$metastring);
+        my $token;
+        while ($token=$parser->get_token) {
+           if ($token->[0] eq 'S') {
+	      my $entry=$token->[1];
+              my $unikey=$entry;
+              if (defined($token->[2]->{'part'})) { 
+                 $unikey.='_'.$token->[2]->{'part'}; 
+	      }
+              if (defined($token->[2]->{'name'})) { 
+                 $unikey.='_'.$token->[2]->{'name'}; 
+	      }
+              if ($metacache{$uri.':keys'}) {
+                 $metacache{$uri.':keys'}.=','.$unikey;
+              } else {
+                 $metacache{$uri.':keys'}=$unikey;
+	      }
+              map {
+		  $metacache{$uri.':'.$unikey.'.'.$_}=$token->[2]->{$_};
+              } @{$token->[3]};
+              $metacache{$uri.':'.$unikey}=$parser->get_text('/'.$entry);
+          }
+       }
+    }
+    return $metacache{$uri.':'.$what};
 }
 
 # ------------------------------------------------- Update symbolic store links
@@ -1094,6 +1561,9 @@ sub symbread {
                             &GDBM_READER,0640)) {
 # ---------------------------------------------- Get ID(s) for current resource
               my $ids=$bighash{'ids_/res/'.$thisfn};
+              unless ($ids) { 
+                 $ids=$bighash{'ids_/'.$thisfn};
+              }
               if ($ids) {
 # ------------------------------------------------------------------- Has ID(s)
                  my @possibilities=split(/\,/,$ids);
@@ -1121,7 +1591,9 @@ sub symbread {
               untie(%bighash)
            } 
         }
-        if ($syval) { return $syval.'___'.$thisfn; }
+        if ($syval) {
+           return $syval.'___'.$thisfn; 
+        }
     }
     &appenv('request.ambiguous' => $thisfn);
     return '';
@@ -1172,12 +1644,17 @@ sub filelocation {
   my ($dir,$file) = @_;
   my $location;
   $file=~ s/^\s*(\S+)\s*$/$1/; ## strip off leading and trailing spaces
-  $file=~s/^$perlvar{'lonDocRoot'}//;
-  $file=~s:^/*res::;
-  if ( !( $file =~ m:^/:) ) {
-    $location = $dir. '/'.$file;
+  if ($file=~m:^/~:) { # is a contruction space reference
+    $location = $file;
+    $location =~ s:/~(.*?)/(.*):/home/$1/public_html/$2:;
   } else {
-    $location = '/home/httpd/html/res'.$file;
+    $file=~s/^$perlvar{'lonDocRoot'}//;
+    $file=~s:^/*res::;
+    if ( !( $file =~ m:^/:) ) {
+      $location = $dir. '/'.$file;
+    } else {
+      $location = '/home/httpd/html/res'.$file;
+    }
   }
   $location=~s://+:/:g; # remove duplicate /
   while ($location=~m:/\.\./:) {$location=~ s:/[^/]+/\.\./:/:g;} #remove dir/..
@@ -1297,6 +1774,7 @@ if ($readit ne 'done') {
     }
 }
 
+%metacache=();
 
 $readit='done';
 &logthis('<font color=yellow>INFO: Read configuration</font>');