[LON-CAPA-cvs] cvs: loncom /auth roles.tab rolesplain.tab /interface loncreateuser.pm lonmodifycourse.pm lonuserutils.pm /lonnet/perl lonnet.pm

raeburn raeburn at source.lon-capa.org
Mon Apr 29 18:19:46 EDT 2019


raeburn		Mon Apr 29 22:19:46 2019 EDT

  Modified files:              
    /loncom/interface	lonmodifycourse.pm lonuserutils.pm 
                     	loncreateuser.pm 
    /loncom/auth	roles.tab rolesplain.tab 
    /loncom/lonnet/perl	lonnet.pm 
  Log:
  - Support domain configuration which allows a Course Owner to change a 
    student's password, if:
   (a) same domain is used by owner, course, and student
   (b) student has no active or future roles besides student role in courses
       owned by the course owner making the change
   (c) course container is not Community or Placement Test
   (d) owner is course coordinator in the course
   (e) setting to disable this action has not been set for the specific course
  
  
-------------- next part --------------
Index: loncom/interface/lonmodifycourse.pm
diff -u loncom/interface/lonmodifycourse.pm:1.93 loncom/interface/lonmodifycourse.pm:1.94
--- loncom/interface/lonmodifycourse.pm:1.93	Fri Mar 23 01:01:21 2018
+++ loncom/interface/lonmodifycourse.pm	Mon Apr 29 22:19:24 2019
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # handler for DC-only modifiable course settings
 #
-# $Id: lonmodifycourse.pm,v 1.93 2018/03/23 01:01:21 raeburn Exp $
+# $Id: lonmodifycourse.pm,v 1.94 2019/04/29 22:19:24 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -49,6 +49,10 @@
         if (&showcredits($cdom)) {
             push(@items,'defaultcredits');
         }
+        my %passwdconf = &Apache::lonnet::get_passwdconf($cdom);
+        if (($passwdconf{'crsownerchg'}) && ($type ne 'Placement')) {
+            push(@items,'nopasswdchg');
+        }
         return @items;
     }
 }
@@ -101,6 +105,7 @@
         @items = map { 'internal.'.$_; } (@{$internals});
         push(@items,@{$accessdates});
     }
+    push(@items,'internal.nopasswdchg');
     my %settings = &Apache::lonnet::get('environment',\@items,$cdom,$cnum);
     my %enrollvar;
     $enrollvar{'autharg'} = '';
@@ -126,7 +131,7 @@
             } elsif ($type eq "authtype"
                      || $type eq "autharg"    || $type eq "coursecode"
                      || $type eq "crosslistings" || $type eq "selfenrollmgr"
-                     || $type eq "autodropfailsafe") {
+                     || $type eq "autodropfailsafe" || $type eq 'nopasswdchg') {
                 $enrollvar{$type} = $settings{$item};
             } elsif ($type eq 'defaultcredits') {
                 if (&showcredits($cdom)) {
@@ -1033,6 +1038,7 @@
     my @specific_managebydc = split(/,/,$settings{'internal.selfenrollmgrdc'});
     my @specific_managebycc = split(/,/,$settings{'internal.selfenrollmgrcc'});
     my %domdefaults = &Apache::lonnet::get_domain_defaults($cdom);
+    my %passwdconf = &Apache::lonnet::get_passwdconf($cdom);
     my @default_managebydc = split(/,/,$domdefaults{$type.'selfenrolladmdc'});
     if ($crstype eq 'Community') {
         $ccrole = 'co';
@@ -1107,7 +1113,8 @@
     if ($crstype eq 'Community') {
         $r->print(&Apache::lonhtmlcommon::row_title(
                   &Apache::loncommon::help_open_topic('Modify_Community_Owner').
-                  ' '.&mt('Community Owner'))."\n");
+                  ' '.&mt('Community Owner'))."\n".
+                  $ownertable."\n".&Apache::lonhtmlcommon::row_closure());
     } else {
         $r->print(&Apache::lonhtmlcommon::row_title(
                       &Apache::loncommon::help_open_topic('Modify_Course_Instcode').
@@ -1117,7 +1124,7 @@
         if (($crstype eq 'Course') && (&showcredits($cdom))) {
             $r->print(&Apache::lonhtmlcommon::row_title(
                           &Apache::loncommon::help_open_topic('Modify_Course_Credithours').
-                      ' '.&mt('Credits (students)'))."\n".
+                          ' '.&mt('Credits (students)'))."\n".
                       '<input type="text" size="3" name="defaultcredits" value="'.$enrollvar{'defaultcredits'}.'"'.$disabled.' />'.
                       &Apache::lonhtmlcommon::row_closure());
         }
@@ -1127,8 +1134,21 @@
                   $authenitems."\n".
                   &Apache::lonhtmlcommon::row_closure().
                   &Apache::lonhtmlcommon::row_title(
-                  &Apache::loncommon::help_open_topic('Modify_Course_Owner').
-                     ' '.&mt('Course Owner'))."\n");
+                      &Apache::loncommon::help_open_topic('Modify_Course_Owner').
+                      ' '.&mt('Course Owner'))."\n".
+                  $ownertable."\n".&Apache::lonhtmlcommon::row_closure());
+        if (($passwdconf{'crsownerchg'}) && ($type ne 'Placement')) {
+            my $checked;
+            if ($enrollvar{'nopasswdchg'}) {
+                $checked = ' checked="checked"';
+            }
+            $r->print(&Apache::lonhtmlcommon::row_title(
+                         &Apache::loncommon::help_open_topic('Modify_Course_Chgpasswd').
+                         ' '.&mt('Changing passwords (internal)'))."\n".
+                         '<label><input type="checkbox" value="1" name="nopasswdchg"'.$checked.$disabled.' />'.
+                         &mt('Disable changing password for users with student role by course owner').'<label>'."\n".
+                         &Apache::lonhtmlcommon::row_closure());
+        }
     }
     my ($cctitle,$rolename,$currmanages,$ccchecked,$dcchecked,$defaultchecked);
     my ($selfenrollrows,$selfenrolltitles) = &Apache::lonuserutils::get_selfenroll_titles();
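Review bot: The new checkbox row ends its label with `'<label>'` instead of `'</label>'`, so the markup leaves a label element open; the concatenation should read `&mt('Disable changing password for users with student role by course owner').'</label>'."\n".`. The guard also tests `$type ne 'Placement'`, while the surrounding branch switches on `$crstype` and `$type` is used earlier in this function as a key prefix (`$type.'selfenrolladmdc'`). It is worth confirming that `$type` can ever hold 'Placement' here; if it cannot, `$crstype ne 'Placement'` is presumably what was meant. `$checked` is left undefined when the box is not ticked and is then concatenated; `my $checked = '';` avoids the warning. The enclosing function starts and ends outside the hunk.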
@@ -1138,8 +1158,7 @@
         $cctitle = &mt('Course personnel');
     }
 
-    $r->print($ownertable."\n".&Apache::lonhtmlcommon::row_closure().
-              &Apache::lonhtmlcommon::row_title(
+    $r->print(&Apache::lonhtmlcommon::row_title(
               &Apache::loncommon::help_open_topic('Modify_Course_Selfenrolladmin').
                   ' '.&mt('Self-enrollment configuration')).
               &Apache::loncommon::start_data_table()."\n".
@@ -1321,6 +1340,10 @@
         if (&showcredits($cdom)) {  
             push(@items,'internal.defaultcredits');
         }
+        my %passwdconf = &Apache::lonnet::get_passwdconf($cdom);
+        if ($passwdconf{'crsownerchg'}) {
+            push(@items,'internal.nopasswdchg');
+        }
     }
     my %settings = &Apache::lonnet::get('environment',\@items,$cdom,$cnum);
     my $description = $settings{'description'};
@@ -1336,6 +1359,7 @@
     } else {
         %changed = ( code  => 0,
                      owner => 0,
+                     passwd => 0,
                    );
         $ccrole = 'cc';
         unless ($settings{'internal.sectionnums'} eq '') {
@@ -1390,9 +1414,21 @@
             $newattr{'mysqltables'} = $env{'form.mysqltables'};
             $newattr{'mysqltables'} =~ s/\D+//g;
         }
-        if (($type ne 'Placement') && (&showcredits($cdom) && exists($env{'form.defaultcredits'}))) {
-            $newattr{'defaultcredits'}=$env{'form.defaultcredits'};
-            $newattr{'defaultcredits'} =~ s/[^\d\.]//g;
+        if ($type ne 'Placement') {
+            if (&showcredits($cdom) && exists($env{'form.defaultcredits'})) {
+                $newattr{'defaultcredits'}=$env{'form.defaultcredits'};
+                $newattr{'defaultcredits'} =~ s/[^\d\.]//g;
+            }
+            if (grep(/^nopasswdchg$/, at modifiable_params)) {
+                if ($env{'form.nopasswdchg'}) {
+                    $newattr{'nopasswdchg'} = 1;
+                    unless ($currattr{'nopasswdchg'}) {
+                        $changed{'passwd'} = 1;
+                    }
+                } elsif ($currattr{'nopasswdchg'}) {
+                    $changed{'passwd'} = 1;
+                }
+            }
         }
     }
 
@@ -1427,7 +1463,7 @@
         } 
     }
 
-    if ($changed{'owner'} || $changed{'code'}) {
+    if ($changed{'owner'} || $changed{'code'} || $changed{'passwd'}) {
         my %crsinfo = &Apache::lonnet::courseiddump($cdom,'.',1,'.','.',$cnum,
                                                     undef,undef,'.');
         if (ref($crsinfo{$env{'form.pickedcourse'}}) eq 'HASH') {
@@ -1437,9 +1473,16 @@
             if ($changed{'owner'}) {
                 $crsinfo{$env{'form.pickedcourse'}}{'owner'} = $env{'form.courseowner'};
             }
+            if ($changed{'passwd'}) {
+                if ($env{'form.nopasswdchg'}) {
+                    $crsinfo{$env{'form.pickedcourse'}}{'nopasswdchg'} = 1;
+                } else {
+                    delete($crsinfo{'nopasswdchg'});
+                }
+            }
             my $chome = &Apache::lonnet::homeserver($cnum,$cdom);
             my $putres = &Apache::lonnet::courseidput($cdom,\%crsinfo,$chome,'notime');
-            if ($putres eq 'ok') {
+            if (($putres eq 'ok') && (($changed{'owner'} || $changed{'code'}))) {
                 &update_coowners($cdom,$cnum,$chome,\%settings,\%newattr);
             }
         }
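Review bot: The else branch runs `delete($crsinfo{'nopasswdchg'});`, which removes a top-level key from a hash that is keyed by course id, so it never clears the flag that the if branch sets on `$crsinfo{$env{'form.pickedcourse'}}{'nopasswdchg'}`. After the setting is unticked, the record passed to courseidput would still carry `nopasswdchg`, and can_change_internalpass in lonuserutils.pm reads that field from courseiddump when it evaluates a student's other courses. The line should be `delete($crsinfo{$env{'form.pickedcourse'}}{'nopasswdchg'});`. The enclosing function starts and ends outside the hunk.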
@@ -1486,6 +1529,12 @@
                         $shown = &mt('None');
                     } elsif (($attr eq 'mysqltables') && ($shown eq '')) {
                         $shown = &mt('domain default');
+                    } elsif ($attr eq 'nopasswdchg') {
+                        if ($shown) {
+                            $shown = &mt('Yes');
+                        } else {
+                            $shown = &mt('No');
+                        }
                     }
                     $chgresponse .= '<li>'.&mt('[_1] now set to: [_2]',$longtype{$attr},$shown).'</li>';
                 } else {
@@ -1498,6 +1547,12 @@
                         $shown = &mt('None');
                     } elsif (($attr eq 'mysqltables') && ($shown eq '')) {
                         $shown = &mt('domain default');
+                    } elsif ($attr eq 'nopasswdchg') {
+                        if ($shown) {
+                            $shown = &mt('Yes');
+                        } else {
+                            $shown = &mt('No');
+                        }
                     }
                     $nochgresponse .= '<li>'.&mt('[_1] still set to: [_2]',$longtype{$attr},$shown).'</li>';
                 }
@@ -2414,6 +2469,7 @@
                       'selfenrollmgrdc'  => "Course-specific self-enrollment configuration by Domain Coordinator",
                       'selfenrollmgrcc'  => "Course-specific self-enrollment configuration by Course personnel",
                       'mysqltables'      => '"Temporary" student performance tables lifetime (seconds)',
+                      'nopasswdchg' => 'Disable changing password for users with student role by course owner',
          );
     }
     return %longtype;
@@ -2426,7 +2482,8 @@
           'locarg','krbarg','krbver','counter','hidefromcat','usecategory',
           'threshold','postsubmit','postsubtimeout','defaultcredits','uploadquota',
           'selfenrollmgrdc','selfenrollmgrcc','action','state','currsec_st',
-          'sections','newsec','mysqltables'],['^selfenrollmgr_','^selfenroll_'])."\n".
+          'sections','newsec','mysqltables','nopasswdchg'],
+          ['^selfenrollmgr_','^selfenroll_'])."\n".
           '<input type="hidden" name="prevphase" value="'.$env{'form.phase'}.'" />';
     return $hidden_elements;
 }
@@ -2442,6 +2499,7 @@
 sub get_permission {
     my ($dom) = @_;
     my ($allowed,%permission);
+    my %passwdconf = &Apache::lonnet::get_passwdconf($dom);
     if (&Apache::lonnet::allowed('ccc',$dom)) {
         $allowed = 1;
         %permission = (
@@ -2459,6 +2517,9 @@
             selfenroll        => 'edit',
             adhocrole         => 'coord',
         );
+        if ($passwdconf{'crsownerchg'}) {
+            $permission{passwdchg} = 'edit';
+        }
     } elsif (&Apache::lonnet::allowed('rar',$dom)) {
         $allowed = 1;
         %permission = (
@@ -2471,6 +2532,9 @@
             selfenroll    => 'view',
             adhocrole     => 'custom',
         );
+        if ($passwdconf{'crsownerchg'}) {
+            $permission{passwdchg} = 'view';
+        }
     }
     return ($allowed,\%permission);
 }
Index: loncom/interface/lonuserutils.pm
diff -u loncom/interface/lonuserutils.pm:1.194 loncom/interface/lonuserutils.pm:1.195
--- loncom/interface/lonuserutils.pm:1.194	Fri Mar 23 01:01:21 2018
+++ loncom/interface/lonuserutils.pm	Mon Apr 29 22:19:24 2019
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Utility functions for managing LON-CAPA user accounts
 #
-# $Id: lonuserutils.pm,v 1.194 2018/03/23 01:01:21 raeburn Exp $
+# $Id: lonuserutils.pm,v 1.195 2019/04/29 22:19:24 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -5866,6 +5866,51 @@
     return %canmodify;
 }
 
+sub can_change_internalpass {
+    my ($uname,$udom,$crstype,$permission) = @_;
+    my $canchange;
+    if (&Apache::lonnet::allowed('mau',$udom)) {
+        $canchange = 1;
+    } elsif ((ref($permission) eq 'HASH') && ($permission->{'mip'}) &&
+             ($udom eq $env{'request.role.domain'})) {
+        unless ($env{'course.'.$env{'request.course.id'}.'.internal.nopasswdchg'}) {
+            my ($cnum,$cdom) = &get_course_identity();
+            if ((&Apache::lonnet::is_course_owner($cdom,$cnum)) && ($udom eq $env{'user.domain'})) {
+                my $noupdate;
+                my %owned = &Apache::lonnet::courseiddump($cdom,'.',1,'.',
+                                                          $env{'user.name'}.':'.$env{'user.domain'},
+                                                          undef,undef,undef,'.');
+                my %roleshash = &Apache::lonnet::get_my_roles($uname,$udom,'userroles',
+                                                              ['active','future']);
+                foreach my $key (keys(%roleshash)) {
+                    my ($name,$domain,$role) = split(/:/,$key);
+                    if ($role eq 'st') {
+                        next if (($name eq $cnum) && ($domain eq $cdom));
+                        if ($owned{$domain.'_'.$name}) {
+                            if (ref($owned{$domain.'_'.$name}) eq 'HASH') {
+                                if ($owned{$domain.'_'.$name}{'nopasswdchg'}) {
+                                    $noupdate = 1;
+                                    last;
+                                }
+                            }
+                        } else {
+                            $noupdate = 1;
+                            last;
+                        }
+                    } else {
+                        $noupdate = 1;
+                        last;
+                    }
+                }
+                unless ($noupdate) {
+                    $canchange = 1;
+                }
+            }
+        }
+    }
+    return $canchange;
+}
+
 sub check_usertype {
     my ($dom,$uname,$rules,$curr_rules,$got_rules) = @_;
     my $usertype;
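Review bot: can_change_internalpass never requires that the target user actually holds a student role in the current course. The loop only sets `$noupdate` when it meets a disqualifying role, so an empty `%roleshash` (a user with no active or future roles, or a get_my_roles lookup that returned nothing) falls through to `$canchange = 1`. That is wider than condition (b) in the commit log and fails open on a lookup error, unless a caller outside this hunk already restricts the target to enrolled students. Declaring `my $incourse;`, replacing the `next if` with `if (($name eq $cnum) && ($domain eq $cdom)) { $incourse = 1; next; }`, and ending with `if ($incourse && !$noupdate) { $canchange = 1; }` would close the gap. The `$crstype` parameter is accepted but not used.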
@@ -5988,10 +6033,16 @@
             }
         }
         if ($env{'request.course.id'}) {
-            my $user = $env{'user.name'}.':'.$env{'user.domain'};
+            my $user;
+            if (($env{'user.name'} ne '') && ($env{'user.domain'} ne '')) {
+                $user = $env{'user.name'}.':'.$env{'user.domain'};
+            }
             if (($user ne '') && ($env{'course.'.$env{'request.course.id'}.'.internal.courseowner'} eq
                                   $user)) {
                 $permission{'owner'} = 1;
+                if (&Apache::lonnet::allowed('mip',$env{'request.course.id'})) {
+                    $permission{'mip'} = 1;
+                }
             } elsif (($user ne '') && ($env{'course.'.$env{'request.course.id'}.'.internal.co-owners'} ne '')) {
                 if (grep(/^\Q$user\E$/,split(/,/,$env{'course.'.$env{'request.course.id'}.'.internal.co-owners'}))) {
                     $permission{'co-owner'} = 1;
Index: loncom/interface/loncreateuser.pm
diff -u loncom/interface/loncreateuser.pm:1.450 loncom/interface/loncreateuser.pm:1.451
--- loncom/interface/loncreateuser.pm:1.450	Sat Dec  8 18:30:15 2018
+++ loncom/interface/loncreateuser.pm	Mon Apr 29 22:19:24 2019
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Create a user
 #
-# $Id: loncreateuser.pm,v 1.450 2018/12/08 18:30:15 raeburn Exp $
+# $Id: loncreateuser.pm,v 1.451 2019/04/29 22:19:24 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -1511,7 +1511,7 @@
              ($env{'request.role.domain'} eq $ccdomain)) {
             $user_text{'requestauthor'} = &domainrole_req($ccuname,$ccdomain);
         }
-        $user_text{'auth'} =  &user_authentication($ccuname,$ccdomain,$formname);
+        $user_text{'auth'} =  &user_authentication($ccuname,$ccdomain,$formname,$crstype,$permission);
         if ((&Apache::lonnet::allowed('mpq',$ccdomain)) ||
             (&Apache::lonnet::allowed('mut',$ccdomain)) ||
             (&Apache::lonnet::allowed('udp',$ccdomain))) {
@@ -2198,7 +2198,7 @@
 }
 
 sub user_authentication {
-    my ($ccuname,$ccdomain,$formname) = @_;
+    my ($ccuname,$ccdomain,$formname,$crstype,$permission) = @_;
     my $currentauth=&Apache::lonnet::queryauthenticate($ccuname,$ccdomain);
     my $outcome;
     my %lt=&Apache::lonlocal::texthash(
@@ -2271,6 +2271,43 @@
             }
             $outcome .= &Apache::loncommon::end_data_table();
         } else {
+            if (($currentauth =~ /^internal:/) &&
+                (&Apache::lonuserutils::can_change_internalpass($ccuname,$ccdomain,$crstype,$permission))) {
+                $outcome = <<"ENDJS";
+<script type="text/javascript">
+// <![CDATA[
+function togglePwd(form) {
+    if (form.newintpwd.length) {
+        if (document.getElementById('LC_ownersetpwd')) {
+            for (var i=0; i<form.newintpwd.length; i++) {
+                if (form.newintpwd[i].checked) {
+                    if (form.newintpwd[i].value == 1) {
+                        document.getElementById('LC_ownersetpwd').style.display = 'inline-block';
+                    } else {
+                        document.getElementById('LC_ownersetpwd').style.display = 'none';
+                    }
+                }
+            }
+        }
+    }
+}
+// ]]>
+</script>
+ENDJS
+
+                $outcome .= '<h3>'.$lt{'ld'}.'</h3>'.
+                            &Apache::loncommon::start_data_table().
+                            &Apache::loncommon::start_data_table_row().
+                            '<td>'.&mt('Internally authenticated').'<br />'.&mt("Change user's password?").
+                            '<label><input type="radio" name="newintpwd" value="0" checked="checked" onclick="togglePwd(this.form);" />'.
+                            &mt('No').'</label>'.(' 'x2).
+                            '<label><input type="radio" name="newintpwd" value="1" onclick="togglePwd(this.form);" />'.&mt('Yes').'</label>'.
+                            '<div id="LC_ownersetpwd" style="display:none">'.
+                            '  '.&mt('Password').' <input type="password" size="15" name="intarg" value="" />'.
+                            '<label><input type="checkbox" name="visible" onclick="if (this.checked) { this.form.intarg.type='."'text'".' } else { this.form.intarg.type='."'password'".' }" />'.&mt('Visible input').'</label></div></td>'.
+                            &Apache::loncommon::end_data_table_row().
+                            &Apache::loncommon::end_data_table();
+            }
             if (&Apache::lonnet::allowed('udp',$ccdomain)) {
                 # Current user has rights to view domain preferences for user's domain
                 my $result;
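Review bot: The password input added here sits inside a `display:none` container and has no `autocomplete` attribute, so a browser password manager may fill the owner's own saved password into `intarg` without it being visible. Adding `autocomplete="new-password"` to the input is a sensible hardening, particularly because the new branch in update_user_data acts on any non-empty `form.intarg`. It also looks as if the `udp` branch that follows assigns `$outcome = '<h3>'...` rather than appending, which would discard this form for a user who holds both privileges; that depends on lines outside the hunk, so it needs confirming. The enclosing else block continues beyond the hunk.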
@@ -2289,7 +2326,7 @@
                 } elsif ($currentauth =~ /^unix:/) {
                     $result = &mt('Currently Filesystem Authenticated.');
                 } elsif ($currentauth =~ /^lti:/) {
-                    $result = &mt('Currently LTi authenticated.');
+                    $result = &mt('Currently LTI authenticated.');
                 }
                 $outcome = '<h3>'.$lt{'ld'}.'</h3>'.
                            &Apache::loncommon::start_data_table().
@@ -2730,7 +2767,7 @@
 
 # ================================================================= Phase Three
 sub update_user_data {
-    my ($r,$context,$crstype,$brcrum,$showcredits) = @_; 
+    my ($r,$context,$crstype,$brcrum,$showcredits,$permission) = @_; 
     my $uhome=&Apache::lonnet::homeserver($env{'form.ccuname'},
                                           $env{'form.ccdomain'});
     # Error messages
@@ -3020,6 +3057,13 @@
 	    # Okay, this is a non-fatal error.
 	    $r->print($error.&mt('You do not have the authority to modify this users authentication information.').$end);    
 	}
+    } elsif (($env{'form.intarg'} ne '') &&
+             (&Apache::lonnet::queryauthenticate($env{'form.ccuname'},$env{'form.ccdomain'}) =~ /^internal:/) &&
+             (&Apache::lonuserutils::can_change_internalpass($env{'form.ccuname'},$env{'form.ccdomain'},$crstype,$permission))) {
+        $r->print('Modifying authentication: '.
+                  &Apache::lonnet::modifyuserauth(
+                  $env{'form.ccdomain'},$env{'form.ccuname'},
+                  'internal',$env{'form.intarg'}));
     }
     $r->rflush(); # Finish display of header before time consuming actions start
     &Apache::lonhtmlcommon::Increment_PrgWin($r,\%prog_state);
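Review bot: The new elsif changes the password whenever `form.intarg` is non-empty and never looks at the `newintpwd` radio, so a value left in (or autofilled into) the hidden field is applied even when "No" is selected; add `($env{'form.newintpwd'}) &&` to the condition. No length or rule check on `$env{'form.intarg'}` is visible before it reaches modifyuserauth, so unless the domain's password rules are enforced further down, a very weak password can be set. The result of modifyuserauth is printed as-is in an untranslated string; a 'refused' result would be clearer if reported through the `$error` / `$end` wrappers and `&mt()` used just above. update_user_data starts and ends outside the hunk.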
@@ -4928,7 +4972,7 @@
                 &print_useraccesslogs_display($r,$ccuname,$ccdomain,$permission,$brcrum);
             }
         } elsif ($env{'form.phase'} eq 'update_user_data') {
-            &update_user_data($r,$context,$crstype,$brcrum,$showcredits);
+            &update_user_data($r,$context,$crstype,$brcrum,$showcredits,$permission);
         } else {
             &print_username_entry_form($r,$context,undef,$srch,undef,$crstype,
                                        $brcrum,$permission);
Index: loncom/auth/roles.tab
diff -u loncom/auth/roles.tab:1.72 loncom/auth/roles.tab:1.73
--- loncom/auth/roles.tab:1.72	Mon Jan 15 01:17:48 2018
+++ loncom/auth/roles.tab	Mon Apr 29 22:19:35 2019
@@ -2,7 +2,7 @@
 dc:s bre:sma:adv:mcr:srm
 dc:d cli&UIK:cau&UIK:cca&UIK:caa&UIK:cdg&UIK:cdh&UIK:cda&UIK:mau:ccc&U:cco&U:cin&UIK:cta&UIK:cep&UIK:ccr&UIK:cst&UIK:cad&UIK:csc&UIK:dro:mky:psa:usc:mpq:mut:vac:eco&U
 cc:s bre:sma:mcr:vsa:adv:vcl
-cc:c cin&IK:cta&IK:cep&IK:ccr&IK:cst&IK:are:cre:ere:vgr:gan:dcm:evb:srm:dff:opa:mgr:mqg:mgq:rin:pch:plc:mdc:usc:vsa:vcl:mdg:vcg:pav:pfo:whn:las:pac:dch
+cc:c cin&IK:cta&IK:cep&IK:ccr&IK:cst&IK:mip&I:are:cre:ere:vgr:gan:dcm:evb:srm:dff:opa:mgr:mqg:mgq:rin:pch:plc:mdc:usc:vsa:vcl:mdg:vcg:pav:pfo:whn:las:pac:dch
 co:s bro:sma:mcr:vsa:adv:vcl 
 co:c cin&IK:cta&IK:cep&IK:ccr&IK:cst&IK:are:bre:cre:ere:vgr:gan:dcm:evb:srm:dff:opa:mgr:mqg:mgq:rin:pch:plc:mdc:usc:vsa:vcl:mdg:vcg:pav:pfo:whn:las:pac:dch
 in:s sma:vgr:adv
Index: loncom/auth/rolesplain.tab
diff -u loncom/auth/rolesplain.tab:1.52 loncom/auth/rolesplain.tab:1.53
--- loncom/auth/rolesplain.tab:1.52	Fri Sep 29 19:18:14 2017
+++ loncom/auth/rolesplain.tab	Mon Apr 29 22:19:35 2019
@@ -52,6 +52,7 @@
 mky:Manage access keys
 mcr:Create a Course Custom Role:Create a Community Custom Role
 mau:Modify authentication mechanism and data for a user
+mip:Modify password for internally authenticated user
 mpq:Modify disk space allocated to portfolio files for a user
 mut:Set availability of user tools for a user - Personal Information Page, Blog and Portfolio
 udp:View user tools and domain settings
Index: loncom/lonnet/perl/lonnet.pm
diff -u loncom/lonnet/perl/lonnet.pm:1.1408 loncom/lonnet/perl/lonnet.pm:1.1409
--- loncom/lonnet/perl/lonnet.pm:1.1408	Fri Apr 26 20:22:27 2019
+++ loncom/lonnet/perl/lonnet.pm	Mon Apr 29 22:19:45 2019
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # TCP networking package
 #
-# $Id: lonnet.pm,v 1.1408 2019/04/26 20:22:27 raeburn Exp $
+# $Id: lonnet.pm,v 1.1409 2019/04/29 22:19:45 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -8083,8 +8083,22 @@
 
     if ($env{'user.priv.'.$env{'request.role'}.'.'.$courseuri}
        =~/\Q$priv\E\&([^\:]*)/) {
-        unless (($priv eq 'bro') && (!$ownaccess)) {
-            $thisallowed.=$1;
+        if ($priv eq 'mip') {
+            my $rem = $1;
+            if (($uri ne '') && ($env{'request.course.id'} eq $uri) &&
+                ($env{'course.'.$env{'request.course.id'}.'.internal.courseowner'} eq $env{'user.name'}.':'.$env{'user.domain'})) {
+                my $cdom = $env{'course.'.$env{'request.course.id'}.'.domain'};
+                if ($cdom ne '') {
+                    my %passwdconf = &Apache::lonnet::get_passwdconf($cdom);
+                    if ($passwdconf{'crsownerchg'}) {
+                        $thisallowed.=$rem;
+                    }
+                }
+            }
+        } else {
+            unless (($priv eq 'bro') && (!$ownaccess)) {
+                $thisallowed.=$1;
+            }
         }
     }
 
@@ -8173,6 +8187,16 @@
 
     if ($env{'request.course.id'}) {
 
+# If this is modifying password (internal auth) domains must match for user and user's role.
+
+        if ($priv eq 'mip') {
+            if ($env{'user.domain'} eq $env{'request.role.domain'}) {
+                return $thisallowed;
+            } else {
+                return '';
+            }
+        }
+
        $courseprivid=$env{'request.course.id'};
        if ($env{'request.course.sec'}) {
           $courseprivid.='/'.$env{'request.course.sec'};
@@ -10077,7 +10101,22 @@
 sub modifyuserauth {
     my ($udom,$uname,$umode,$upass)=@_;
     my $uhome=&homeserver($uname,$udom);
-    unless (&allowed('mau',$udom)) { return 'refused'; }
+    my $allowed;
+    if (&allowed('mau',$udom)) {
+        $allowed = 1;
+    } elsif (($umode eq 'internal') && ($udom eq $env{'user.domain'}) &&
+             ($env{'request.course.id'}) && (&allowed('mip',$env{'request.course.id'})) &&
+             (!$env{'course.'.$env{'request.course.id'}.'.internal.nopasswdchg'})) {
+        my $cdom = $env{'course.'.$env{'request.course.id'}.'.domain'};
+        my $cnum = $env{'course.'.$env{'request.course.id'}.'.num'};
+        if (($cdom ne '') && ($cnum ne '')) {
+            my $is_owner = &is_course_owner($cdom,$cnum);
+            if ($is_owner) {
+                $allowed = 1;
+            }
+        }
+    }
+    unless ($allowed) { return 'refused'; }
     &logthis('Call to modify user authentication '.$udom.', '.$uname.', '.
              $umode.' by '.$env{'user.name'}.' at '.$env{'user.domain'}.
              ' in domain '.$env{'request.role.domain'});  
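Review bot: The course-owner path in modifyuserauth re-checks the mip privilege, the domain match, the course's `nopasswdchg` flag and ownership, but not the target user's roles. The restriction to users whose only active or future roles are student roles in the owner's courses lives only in Apache::lonuserutils::can_change_internalpass. Because this sub is where the credential is actually written, any other caller reaching it from a course-owner session would skip that restriction; whether such callers exist is not visible here. Consider enforcing the role check at this point too, and extending the logthis message to record whether the change was authorised by mau or by the course-owner mip path, so owner-initiated resets can be told apart in the logs. The function body continues past the hunk.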

