From 6f8972743e9430a8657ec91d0c3fa1a12281b061 Mon Sep 17 00:00:00 2001
From: JT Smith <jt@plainblack.com>
Date: Sun, 25 May 2003 01:37:27 +0000
Subject: [PATCH] Added secondary security.

---
 docs/upgrades/upgrade_5.2.6-5.3.0.sql |   7 ++
 lib/WebGUI/Grouping.pm                |  35 ++++++
 lib/WebGUI/Macro/AdminBar.pm          |  10 +-
 lib/WebGUI/Operation/Account.pm       |   3 +-
 lib/WebGUI/Operation/Group.pm         | 158 +++++++++++++++++++++++---
 lib/WebGUI/Operation/User.pm          | 108 +++++++++++++-----
 6 files changed, 275 insertions(+), 46 deletions(-)

diff --git a/docs/upgrades/upgrade_5.2.6-5.3.0.sql b/docs/upgrades/upgrade_5.2.6-5.3.0.sql
index 02a057757..90e3c9b11 100644
--- a/docs/upgrades/upgrade_5.2.6-5.3.0.sql
+++ b/docs/upgrades/upgrade_5.2.6-5.3.0.sql
@@ -575,6 +575,13 @@ delete from international where languageId=1 and namespace='WebGUI' and internat
 insert into international (internationalId,languageId,namespace,message,lastUpdated,context) values (974,1,'WebGUI','Users can add themselves?', 1053778912,'Determines whether users can add themselves to this group.');
 delete from international where languageId=1 and namespace='WebGUI' and internationalId=844;
 insert into international (internationalId,languageId,namespace,message,lastUpdated,context) values (844,1,'WebGUI','These macros have to do with users and logins.\r\n<p/>\r\n\r\n<b>&#94;a; or &#94;a(); - My Account Link</b><br>\r\nA link to your account information. In addition you can change the link text by creating a macro like this <b>&#94;a("Account Info");</b>. \r\n<p>\r\n\r\n<b>NOTES:</b> You can also use the special case &#94;a(linkonly); to return only the URL to the account page and nothing more. Also, the .myAccountLink style sheet class is tied to this macro.\r\n<p>\r\n\r\n\r\n<b>&#94;AdminText();</b><br>\r\nDisplays a small text message to a user who is in admin mode. Example: &#94;AdminText("You are in admin mode!");\r\n<p>\r\n\r\n<b>&#94;AdminToggle; or &#94;AdminToggle();</b><br>\r\nPlaces a link on the page which is only visible to content managers and adminstrators. The link toggles on/off admin mode. You can optionally specify other messages to display like this: &#94;AdminToggle("Edit On","Edit Off");\r\n<p>\r\n\r\n<b>&#94;CanEditText();</b><br>\r\nDisplay a message to a user that can edit the current page.\r\n<p>\r\n<i>Example:</i> &#94;CanEditText(^AdminToggle;);\r\n<p>\r\n\r\n<b>&#94;EditableToggle; or &#94;EditableToggle();</b><br>\r\nExactly the same as AdminToggle, except that the toggle is only displayed if the user has the rights to edit the current page.\r\n<p>\r\n\r\n<b>&#94;GroupAdd();</b><br>\r\nUsing this macro you can allow users to add themselves to a group. The first parameter is the name of the group this user should be added to. The second parameter is a text string for the user to click on to add themselves to this group.\r\n<p>\r\n<b>NOTE:</b> If the user is not logged in, or or already belongs to the group, or the group is not set to allow auto adds, then no link will be displayed.\r\n<p>\r\n\r\n\r\n<b>&#94;GroupDelete();</b><br>\r\nUsing this macro you can allow users to delete themselves from a group. The first parameter is the name of the group this user should be deleted from. The second parameter is a text string for the user to click on to delete themselves from this group.\r\n<p>\r\n<b>NOTE:</b> If the user is not logged in or the user does not belong to the group, or the group is not set to allow auto deletes, then no link will be displayed.\r\n<p>\r\n\r\n<b>&#94;GroupText();</b><br>\r\nDisplays a small text message to the user if they belong to the specified group. And you can specify an alternate message to those who are not in the group.\r\n<p>\r\n<i>Example:</i> &#94;GroupText("Visitors","You need an account to do anything cool on this site!","We value our registered users!");\r\n<p>\r\n\r\n<b>&#94;L; or &#94;L(); - Login Box</b><br>\r\nA small login form. You can also configure this macro. You can set the width of the login box like this &#94;L(20);. You can also set the message displayed after the user is logged in like this &#94;L(20,Hi &#94;a(&#94;@;);. Click %here% if you wanna log out!)\r\n<p>\r\n\r\n<b>NOTE:</b> The .loginBox style sheet class is tied to this macro.\r\n<p>\r\n\r\n<b>&#94;LoginToggle; or &#94;LoginToggle();</b><br>\r\nDisplays a "Login" or "Logout" message depending upon whether the user is logged in or not. You can optionally specify other labels like this: &#94;LoginToggle("Click here to log in.","Click here to log out.");. You can also use the special case &#94;LoginToggle(linkonly); to return only the URL with no label.\r\n<p>\r\n\r\n<b>&#94;@; - Username</b><br>\r\nThe username of the currently logged in user.\r\n<p>\r\n\r\n\r\n<b>&#94;#; - User ID</b><br>\r\nThe user id of the currently logged in user.\r\n<p>\r\n\r\n', 1053779917,NULL);
+insert into groups (groupId,groupName,description) values (11,"Secondary Admins","Users that have limited administrative privileges.");
+delete from international where languageId=1 and namespace='WebGUI' and internationalId=976;
+insert into international (internationalId,languageId,namespace,message,lastUpdated,context) values (976,1,'WebGUI','Add Users', 1053800614,'This is the label for a box that shows a list of users to add to a particular group.');
+delete from international where languageId=1 and namespace='WebGUI' and internationalId=977;
+insert into international (internationalId,languageId,namespace,message,lastUpdated,context) values (977,1,'WebGUI','Is secondary admin?', 1053803387,'A flag indicating whether the users has secondary administrative privileges for this group.');
+delete from international where languageId=1 and namespace='WebGUI' and internationalId=978;
+insert into international (internationalId,languageId,namespace,message,lastUpdated,context) values (978,1,'WebGUI','User added successfully.', 1053804577,'A message used after secondary admin adds a user successfully.');
 
 
 
diff --git a/lib/WebGUI/Grouping.pm b/lib/WebGUI/Grouping.pm
index a4dbb8300..db19142c6 100755
--- a/lib/WebGUI/Grouping.pm
+++ b/lib/WebGUI/Grouping.pm
@@ -38,6 +38,7 @@ This package provides an interface for managing WebGUI user and group groupings.
  $arrayRef = WebGUI::Grouping::getGroupsForUser($userId);
  $arrayRef = WebGUI::Grouping::getGroupsInGroup($groupId);
  $arrayRef = WebGUI::Grouping::getUsersInGroup($groupId);
+ $yesNo = WebGUI::Grouping::userGroupAdmin($userId,$groupId);
  $epoch = WebGUI::Grouping::userGroupExpireDate($userId,$groupId);
 
 =head1 METHODS
@@ -295,6 +296,40 @@ sub getUsersInGroup {
 
 
 
+#-------------------------------------------------------------------
+
+=head2 userGroupAdmin ( userId, groupId [, value ] )
+
+Returns a 1 or 0 depending upon whether the user is a sub-admin for this group.
+
+=over
+
+=item userId
+
+An integer that is the unique identifier for a user.
+
+=item groupId
+
+An integer that is the unique identifier for a group.
+
+=item value
+
+If specified the admin flag will be set to this value.
+
+=back
+
+=cut
+
+sub userGroupAdmin {
+	if ($_[2]) {
+		WebGUI::SQL->write("update groupings set groupAdmin=$_[2] where groupId=$_[1] and userId=$_[0]");
+		return $_[2];
+	} else {
+		my ($admin) = WebGUI::SQL->quickArray("select groupAdmin from groupings where groupId=$_[1] and userId=$_[0]");
+		return $admin;
+	}
+}	
+
 #-------------------------------------------------------------------
 
 =head2 userGroupExpireDate ( userId, groupId [, epoch ] )
diff --git a/lib/WebGUI/Macro/AdminBar.pm b/lib/WebGUI/Macro/AdminBar.pm
index a666e3009..dbc3b5458 100644
--- a/lib/WebGUI/Macro/AdminBar.pm
+++ b/lib/WebGUI/Macro/AdminBar.pm
@@ -105,12 +105,18 @@ sub process {
 			WebGUI::URL::page('op=listGroups')=>WebGUI::International::get(5), 
 			WebGUI::URL::page('op=manageSettings')=>WebGUI::International::get(4), 
 			WebGUI::URL::page('op=listUsers')=>WebGUI::International::get(7),
-			WebGUI::URL::page('op=listRoots')=>WebGUI::International::get(410),
 			WebGUI::URL::page('op=viewStatistics')=>WebGUI::International::get(144)
 		);
-	}
+	} elsif (WebGUI::Privilege::isInGroup(11)) {
+                %hash = (
+			WebGUI::URL::page('op=listGroupsSecondary')=>WebGUI::International::get(5), 
+			WebGUI::URL::page('op=addUserSecondary')=>WebGUI::International::get(169),
+                        %hash
+                );
+        }
 	if (WebGUI::Privilege::isInGroup(4)) {
         	%hash = ( 
+			WebGUI::URL::page('op=listRoots')=>WebGUI::International::get(410),
 			'http://validator.w3.org/check?uri=http%3A%2F%2F'.$session{env}{SERVER_NAME}.
 				WebGUI::URL::page()=>WebGUI::International::get(399),
 			WebGUI::URL::page('op=manageClipboard')=>WebGUI::International::get(949),
diff --git a/lib/WebGUI/Operation/Account.pm b/lib/WebGUI/Operation/Account.pm
index 7dea5d6de..da5ed8f0c 100644
--- a/lib/WebGUI/Operation/Account.pm
+++ b/lib/WebGUI/Operation/Account.pm
@@ -37,7 +37,7 @@ our @EXPORT = qw(&www_viewMessageLogMessage &www_viewThreadSubscriptions &www_vi
 sub _accountOptions {
 	my ($output);
 	$output = '<div class="accountOptions"><ul>';
-	if (WebGUI::Privilege::isInGroup(4) || WebGUI::Privilege::isInGroup(5) || WebGUI::Privilege::isInGroup(6) || WebGUI::Privilege::isInGroup(8)) {
+	if (WebGUI::Privilege::isInGroup(4) || WebGUI::Privilege::isInGroup(5) || WebGUI::Privilege::isInGroup(6) || WebGUI::Privilege::isInGroup(8) || WebGUI::Privilege::isInGroup(9) || WebGUI::Privilege::isInGroup(10) || WebGUI::Privilege::isInGroup(11)) {
 		if ($session{var}{adminOn}) {
 			$output .= '<li><a href="'.WebGUI::URL::page('op=switchOffAdmin').'">'.
 				WebGUI::International::get(12).'</a>';
@@ -100,6 +100,7 @@ sub _validateProfileData {
 	return (\%data, $error);
 }
 
+
 #-------------------------------------------------------------------
 sub www_createAccount {
 	my ($output, %language, @array,
diff --git a/lib/WebGUI/Operation/Group.pm b/lib/WebGUI/Operation/Group.pm
index c1a9b978d..e8b0751d4 100644
--- a/lib/WebGUI/Operation/Group.pm
+++ b/lib/WebGUI/Operation/Group.pm
@@ -32,35 +32,64 @@ use WebGUI::Utility;
 our @ISA = qw(Exporter);
 our @EXPORT = qw(&www_manageUsersInGroup &www_deleteGroup &www_deleteGroupConfirm &www_editGroup 
 	&www_editGroupSave &www_listGroups &www_emailGroup &www_emailGroupSend &www_manageGroupsInGroup
-	&www_addGroupsToGroupSave &www_deleteGroupGrouping &www_autoAddToGroup &www_autoDeleteFromGroup);
+	&www_addGroupsToGroupSave &www_deleteGroupGrouping &www_autoAddToGroup &www_autoDeleteFromGroup
+	&www_listGroupsSecondary &www_manageUsersInGroupSecondary &www_addUsersToGroupSave &www_addUsersToGroupSecondarySave
+	&www_deleteGroupingSecondary);
+
+
+#-------------------------------------------------------------------
+sub _hasSecondaryPrivilege {
+	return 0 unless (WebGUI::Privilege::isInGroup(11));
+	return WebGUI::Grouping::userGroupAdmin($session{user}{userId},$_[0]);
+}
+
 
 #-------------------------------------------------------------------
 sub _submenu {
         my ($output, %menu);
         tie %menu, 'Tie::IxHash';
-        $menu{WebGUI::URL::page('op=editGroup&gid=new')} = WebGUI::International::get(90);
-        unless ($session{form}{op} eq "listGroups" 
-		|| $session{form}{gid} eq "new" 
-		|| $session{form}{op} eq "deleteGroupConfirm") {
-                $menu{WebGUI::URL::page("op=editGroup&gid=".$session{form}{gid})} = WebGUI::International::get(753);
-                $menu{WebGUI::URL::page("op=manageUsersInGroup&gid=".$session{form}{gid})} = WebGUI::International::get(754);
-                $menu{WebGUI::URL::page("op=manageGroupsInGroup&gid=".$session{form}{gid})} = WebGUI::International::get(807);
-                $menu{WebGUI::URL::page("op=emailGroup&gid=".$session{form}{gid})} = WebGUI::International::get(808);
-                $menu{WebGUI::URL::page("op=deleteGroup&gid=".$session{form}{gid})} = WebGUI::International::get(806);
-        }
-        $menu{WebGUI::URL::page("op=listGroups")} = WebGUI::International::get(756);
+	if (WebGUI::Privilege::isInGroup(3)) {
+	        $menu{WebGUI::URL::page('op=editGroup&gid=new')} = WebGUI::International::get(90);
+        	unless ($session{form}{op} eq "listGroups" 
+			|| $session{form}{gid} eq "new" 
+			|| $session{form}{op} eq "deleteGroupConfirm") {
+        	        $menu{WebGUI::URL::page("op=editGroup&gid=".$session{form}{gid})} = WebGUI::International::get(753);
+                	$menu{WebGUI::URL::page("op=manageUsersInGroup&gid=".$session{form}{gid})} = WebGUI::International::get(754);
+	                $menu{WebGUI::URL::page("op=manageGroupsInGroup&gid=".$session{form}{gid})} = WebGUI::International::get(807);
+        	        $menu{WebGUI::URL::page("op=emailGroup&gid=".$session{form}{gid})} = WebGUI::International::get(808);
+                	$menu{WebGUI::URL::page("op=deleteGroup&gid=".$session{form}{gid})} = WebGUI::International::get(806);
+	        }
+        	$menu{WebGUI::URL::page("op=listGroups")} = WebGUI::International::get(756);
+	} else {
+        	$menu{WebGUI::URL::page("op=listGroupsSecondary")} = WebGUI::International::get(756);
+	}
         return menuWrapper($_[0],\%menu);
 }
 
 #-------------------------------------------------------------------
 sub www_addGroupsToGroupSave {
         return WebGUI::Privilege::adminOnly() unless (WebGUI::Privilege::isInGroup(3));
-        my (@groups, $group);
-        @groups = $session{cgi}->param('groups');
+        my @groups = $session{cgi}->param('groups');
 	WebGUI::Grouping::addGroupsToGroups(\@groups,[$session{form}{gid}]);
         return www_manageGroupsInGroup();
 }
 
+#-------------------------------------------------------------------
+sub www_addUsersToGroupSave {
+        return WebGUI::Privilege::adminOnly() unless (WebGUI::Privilege::isInGroup(3));
+        my @users = $session{cgi}->param('users');
+	WebGUI::Grouping::addUsersToGroups(\@users,[$session{form}{gid}]);
+        return www_manageUsersInGroup();
+}
+
+#-------------------------------------------------------------------
+sub www_addUsersToGroupSecondarySave {
+        return WebGUI::Privilege::adminOnly() unless _hasSecondaryPrivilege($session{form}{gid});
+        my @users = $session{cgi}->param('users');
+	WebGUI::Grouping::addUsersToGroups(\@users,[$session{form}{gid}]);
+        return www_manageUsersInGroupSecondary();
+}
+
 #-------------------------------------------------------------------
 sub www_autoAddToGroup {
         return WebGUI::Privilege::insufficient() unless ($session{user}{userId} != 1);
@@ -112,6 +141,16 @@ sub www_deleteGroupGrouping {
         return www_manageGroupsInGroup();
 }
 
+#-------------------------------------------------------------------
+sub www_deleteGroupingSecondary {
+        return WebGUI::Privilege::adminOnly() unless _hasSecondaryPrivilege($session{form}{gid});
+        if ($session{user}{userId} == $session{form}{uid}) {
+                return WebGUI::Privilege::vitalComponent();
+        }
+        WebGUI::Grouping::deleteUsersFromGroups([$session{form}{uid}],[$session{form}{gid}]);
+        return www_manageUsersInGroupSecondary();
+}
+
 #-------------------------------------------------------------------
 sub www_editGroup {
 	return WebGUI::Privilege::adminOnly() unless (WebGUI::Privilege::isInGroup(3));
@@ -273,6 +312,37 @@ sub www_listGroups {
         return _submenu($output);
 }
 
+#-------------------------------------------------------------------
+sub www_listGroupsSecondary {
+	return WebGUI::Privilege::adminOnly() unless (WebGUI::Privilege::isInGroup(11));
+        my ($output, $p, $sth, @data, @row, $i, $userCount);
+	$output .= '<h1>'.WebGUI::International::get(89).'</h1>';
+	my @editableGroups = WebGUI::SQL->buildArray("select groupId from groupings where userId=$session{user}{userId} and groupAdmin=1");
+	push (@editableGroups,0);
+        $sth = WebGUI::SQL->read("select groupId,groupName,description from groups 
+		where groupId in (".join(",",@editableGroups).") order by groupName");
+        while (@data = $sth->array) {
+                $row[$i] = '<tr>';
+                $row[$i] .= '<td valign="top" class="tableData"><a href="'
+			.WebGUI::URL::page('op=manageUsersInGroupSecondary&gid='.$data[0]).'">'.$data[1].'</td>';
+                $row[$i] .= '<td valign="top" class="tableData">'.$data[2].'</td>';
+		($userCount) = WebGUI::SQL->quickArray("select count(*) from groupings where groupId=$data[0]");
+                $row[$i] .= '<td valign="top" class="tableData">'.$userCount.'</td></tr>';
+                $row[$i] .= '</tr>';
+                $i++;
+        }
+	$sth->finish;
+        $p = WebGUI::Paginator->new(WebGUI::URL::page('op=listGroupsSecondary'),\@row);
+        $output .= '<table border=1 cellpadding=5 cellspacing=0 align="center">';
+	$output .= '<tr><td class="tableHeader">'.WebGUI::International::get(84).'</td><td class="tableHeader">'
+		.WebGUI::International::get(85).'</td><td class="tableHeader">'
+		.WebGUI::International::get(748).'</td></tr>';
+        $output .= $p->getPage($session{form}{pn});
+        $output .= '</table>';
+        $output .= $p->getBarTraditional($session{form}{pn});
+        return _submenu($output);
+}
+
 #-------------------------------------------------------------------
 sub www_manageGroupsInGroup {
         return WebGUI::Privilege::adminOnly() unless (WebGUI::Privilege::isInGroup(3));
@@ -316,7 +386,22 @@ sub www_manageUsersInGroup {
         my ($output, $sth, %hash);
         tie %hash, 'Tie::CPHash';
         $output = '<h1>'.WebGUI::International::get(88).'</h1>';
-        $output .= '<table align="center" border="1" cellpadding="2" cellspacing="0"><tr><td class="tableHeader">&nbsp;</td>
+	my $f = WebGUI::HTMLForm->new;
+	$f->hidden("gid",$session{form}{gid});
+	$f->hidden("op","addUsersToGroupSave");
+	my $existingUsers = WebGUI::Grouping::getUsersInGroup($session{form}{gid});
+	push(@{$existingUsers},"1");
+	my $users = WebGUI::SQL->buildHashRef("select userId,username from users where status='Active' and userId not in (".join(",",@{$existingUsers}).")");
+	$f->selectList(
+		-name=>"users",
+		-label=>WebGUI::International::get(976),
+		-options=>$users,
+		-multiple=>1,
+		-size=>7
+		);
+	$f->submit;
+	$output .= $f->print;
+        $output .= '<table border="1" cellpadding="2" cellspacing="0"><tr><td class="tableHeader">&nbsp;</td>
                 <td class="tableHeader">'.WebGUI::International::get(50).'</td>
                 <td class="tableHeader">'.WebGUI::International::get(369).'</td></tr>';
         $sth = WebGUI::SQL->read("select users.username,users.userId,groupings.expireDate
@@ -324,7 +409,7 @@ sub www_manageUsersInGroup {
                 order by users.username");
         while (%hash = $sth->hash) {
                 $output .= '<tr><td>'
-                        .deleteIcon('op=deleteGrouping&uid='.$hash{userId}.'&gid='.$session{form}{gid})
+                        .deleteIcon('op=deleteGrouping&return=manageUsersInGroup&uid='.$hash{userId}.'&gid='.$session{form}{gid})
                         .editIcon('op=editGrouping&uid='.$hash{userId}.'&gid='.$session{form}{gid})
                         .'</td>';
                 $output .= '<td class="tableData"><a href="'.WebGUI::URL::page('op=editUser&uid='.$hash{userId}).'">'
@@ -336,6 +421,47 @@ sub www_manageUsersInGroup {
         return _submenu($output);
 }
 
+#-------------------------------------------------------------------
+sub www_manageUsersInGroupSecondary {
+        return WebGUI::Privilege::adminOnly() unless _hasSecondaryPrivilege($session{form}{gid});
+        my ($output, $sth, %hash);
+        tie %hash, 'Tie::CPHash';
+        $output = '<h1>'.WebGUI::International::get(88).'</h1>';
+	my $f = WebGUI::HTMLForm->new;
+	$f->hidden("gid",$session{form}{gid});
+	$f->hidden("op","addUsersToGroupSecondarySave");
+	my $existingUsers = WebGUI::Grouping::getUsersInGroup($session{form}{gid});
+	push(@{$existingUsers},"1");
+	push(@{$existingUsers},"3");
+	my $users = WebGUI::SQL->buildHashRef("select userId,username from users where status='Active' and userId not in (".join(",",@{$existingUsers}).")");
+	$f->selectList(
+		-name=>"users",
+		-label=>WebGUI::International::get(976),
+		-options=>$users,
+		-multiple=>1,
+		-size=>7
+		);
+	$f->submit;
+	$output .= $f->print;
+        $output .= '<table border="1" cellpadding="2" cellspacing="0"><tr><td class="tableHeader">&nbsp;</td>
+                <td class="tableHeader">'.WebGUI::International::get(50).'</td>
+                <td class="tableHeader">'.WebGUI::International::get(369).'</td></tr>';
+        $sth = WebGUI::SQL->read("select users.username,users.userId,groupings.expireDate
+                from groupings,users where groupings.groupId=$session{form}{gid} and groupings.userId=users.userId
+                order by users.username");
+        while (%hash = $sth->hash) {
+                $output .= '<tr><td>'
+                        .deleteIcon('op=deleteGroupingSecondary&uid='.$hash{userId}.'&gid='.$session{form}{gid})
+                        .'</td>';
+                $output .= '<td class="tableData"><a href="'.WebGUI::URL::page('op=editUser&uid='.$hash{userId}).'">'
+                        .$hash{username}.'</a></td>';
+                $output .= '<td class="tableData">'.epochToHuman($hash{expireDate},"%z").'</td></tr>';
+        }
+        $sth->finish;
+        $output .= '</table>';
+        return _submenu($output);
+}
+
 
 
 1;
diff --git a/lib/WebGUI/Operation/User.pm b/lib/WebGUI/Operation/User.pm
index cd63ba40c..1e0963fac 100644
--- a/lib/WebGUI/Operation/User.pm
+++ b/lib/WebGUI/Operation/User.pm
@@ -30,28 +30,32 @@ use WebGUI::User;
 use WebGUI::Utility;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw(&www_editUserKarma &www_editUserKarmaSave &www_editUserGroup &www_editUserProfile &www_editUserProfileSave &www_addUserToGroupSave &www_deleteGrouping &www_editGrouping &www_editGroupingSave &www_becomeUser &www_addUser &www_addUserSave &www_deleteUser &www_deleteUserConfirm &www_editUser &www_editUserSave &www_listUsers);
+our @EXPORT = qw(&www_editUserKarma &www_editUserKarmaSave &www_editUserGroup &www_editUserProfile &www_editUserProfileSave &www_addUserToGroupSave &www_deleteGrouping &www_editGrouping &www_editGroupingSave &www_becomeUser &www_addUser &www_addUserSave &www_deleteUser &www_deleteUserConfirm &www_editUser &www_editUserSave &www_listUsers &www_addUserSecondary &www_addUserSecondarySave);
 
 
 #-------------------------------------------------------------------
 sub _submenu {
 	my ($output, %menu);
 	tie %menu, 'Tie::IxHash';
-	$menu{WebGUI::URL::page("op=addUser")} = WebGUI::International::get(169);
-	unless ($session{form}{op} eq "listUsers" 
-		|| $session{form}{op} eq "addUser" 
-		|| $session{form}{op} eq "deleteUserConfirm") {
-		$menu{WebGUI::URL::page("op=editUser&uid=".$session{form}{uid})} = WebGUI::International::get(457);
-		$menu{WebGUI::URL::page("op=editUserGroup&uid=".$session{form}{uid})} = WebGUI::International::get(458);
-		$menu{WebGUI::URL::page("op=editUserProfile&uid=".$session{form}{uid})} = WebGUI::International::get(459);
-		$menu{WebGUI::URL::page('op=viewProfile&uid='.$session{form}{uid})} = WebGUI::International::get(752);
-		$menu{WebGUI::URL::page('op=becomeUser&uid='.$session{form}{uid})} = WebGUI::International::get(751);
-		$menu{WebGUI::URL::page('op=deleteUser&uid='.$session{form}{uid})} = WebGUI::International::get(750);
-		if ($session{setting}{useKarma}) {
-			$menu{WebGUI::URL::page("op=editUserKarma&uid=".$session{form}{uid})} = WebGUI::International::get(555);
+	if (WebGUI::Privilege::isInGroup(3)) {
+		$menu{WebGUI::URL::page("op=addUser")} = WebGUI::International::get(169);
+		unless ($session{form}{op} eq "listUsers" 
+			|| $session{form}{op} eq "addUser" 
+			|| $session{form}{op} eq "deleteUserConfirm") {
+			$menu{WebGUI::URL::page("op=editUser&uid=".$session{form}{uid})} = WebGUI::International::get(457);
+			$menu{WebGUI::URL::page("op=editUserGroup&uid=".$session{form}{uid})} = WebGUI::International::get(458);
+			$menu{WebGUI::URL::page("op=editUserProfile&uid=".$session{form}{uid})} = WebGUI::International::get(459);
+			$menu{WebGUI::URL::page('op=viewProfile&uid='.$session{form}{uid})} = WebGUI::International::get(752);
+			$menu{WebGUI::URL::page('op=becomeUser&uid='.$session{form}{uid})} = WebGUI::International::get(751);
+			$menu{WebGUI::URL::page('op=deleteUser&uid='.$session{form}{uid})} = WebGUI::International::get(750);
+			if ($session{setting}{useKarma}) {
+				$menu{WebGUI::URL::page("op=editUserKarma&uid=".$session{form}{uid})} = WebGUI::International::get(555);
+			}
 		}
+		$menu{WebGUI::URL::page("op=listUsers")} = WebGUI::International::get(456);
+	} else {
+		$menu{WebGUI::URL::page("op=addUserSecondary")} = WebGUI::International::get(169);
 	}
-	$menu{WebGUI::URL::page("op=listUsers")} = WebGUI::International::get(456);
 	return menuWrapper($_[0],\%menu); 
 }
 
@@ -97,11 +101,10 @@ sub www_addUser {
 
 #-------------------------------------------------------------------
 sub www_addUserSave {
-        my (@groups, $uid, $u, $gid, $encryptedPassword, $cmd);
+        my (@groups, $uid, $u);
 	return WebGUI::Privilege::adminOnly() unless (WebGUI::Privilege::isInGroup(3));
 	($uid) = WebGUI::SQL->quickArray("select userId from users where username=".quote($session{form}{username}));
 	unless ($uid) {
-               	$encryptedPassword = Digest::MD5::md5_base64($session{form}{identifier});
 		$u = WebGUI::User->new("new");
 		$session{form}{uid}=$u->userId;
 		$u->username($session{form}{username});
@@ -120,6 +123,52 @@ sub www_addUserSave {
 	}
 }
 
+#-------------------------------------------------------------------
+sub www_addUserSecondary {
+        return WebGUI::Privilege::adminOnly() unless (WebGUI::Privilege::isInGroup(11));
+        my $output .= '<h1>'.WebGUI::International::get(163).'</h1>';
+        my $f = WebGUI::HTMLForm->new;
+        if ($session{form}{op} eq "addUserSecondarySave") {
+                $output .= '<ul><li>'.WebGUI::International::get(77).' '.$session{form}{username}.'Too or '.$session{form}{username}.'02</ul>';
+        }
+        $f->hidden("op","addUserSecondarySave");
+        $f->text("username",WebGUI::International::get(50),$session{form}{username});
+        $f->email("email",WebGUI::International::get(56));
+        my $options;
+        foreach (@{$session{config}{authMethods}}) {
+                $options->{$_} = $_;
+        }
+        $f->select("authMethod",$options,WebGUI::International::get(164),[$session{setting}{authMethod}]);
+        foreach (@{$session{config}{authMethods}}) {
+                $f->raw(WebGUI::Authentication::adminForm(0,$_));
+        }
+        $f->submit;
+        $output .= $f->print;
+        return _submenu($output);
+}
+
+#-------------------------------------------------------------------
+sub www_addUserSecondarySave {
+        my (@groups, $uid, $u);
+        return WebGUI::Privilege::adminOnly() unless (WebGUI::Privilege::isInGroup(11));
+        ($uid) = WebGUI::SQL->quickArray("select userId from users where username=".quote($session{form}{username}));
+        unless ($uid) {
+                $u = WebGUI::User->new("new");
+                $session{form}{uid}=$u->userId;
+                $u->username($session{form}{username});
+                foreach (@{$session{config}{authMethods}}) {
+                        WebGUI::Authentication::adminFormSave($u->userId,$_);
+                }
+                $u->status('Active');
+                $u->authMethod($session{form}{authMethod});
+                $u->profileField("email",$session{form}{email});
+		return _submenu(WebGUI::International::get(978));
+        } else {
+                $session{form}{op} = "addUserSecondary";
+        	return www_addUserSecondary();
+        }
+}
+
 #-------------------------------------------------------------------
 sub www_addUserToGroupSave {
 	return WebGUI::Privilege::adminOnly() unless (WebGUI::Privilege::isInGroup(3));
@@ -140,15 +189,16 @@ sub www_becomeUser {
 
 #-------------------------------------------------------------------
 sub www_deleteGrouping {
-	my ($u);
 	return WebGUI::Privilege::adminOnly() unless (WebGUI::Privilege::isInGroup(3));
 	if (($session{user}{userId} == $session{form}{uid} || $session{form}{uid} == 3) && $session{form}{gid} == 3) {
 		return WebGUI::Privilege::vitalComponent();
-        } else {
-		$u = WebGUI::User->new($session{form}{uid});
-		$u->deleteFromGroups([$session{form}{gid}]);
-                return www_editUserGroup();
         }
+	my $u = WebGUI::User->new($session{form}{uid});
+	$u->deleteFromGroups([$session{form}{gid}]);
+	if ($session{form}{return} eq "manageUsersInGroup") {
+		return WebGUI::Operation::Group::www_manageUsersInGroup();
+	}
+	return www_editUserGroup(); 
 }
 
 #-------------------------------------------------------------------
@@ -186,18 +236,21 @@ sub www_deleteUserConfirm {
 #-------------------------------------------------------------------
 sub www_editGrouping {
 	return WebGUI::Privilege::adminOnly() unless (WebGUI::Privilege::isInGroup(3));
-        my ($output, $expireDate, $f);
-        $output .= '<h1>'.WebGUI::International::get(370).'</h1>';
-	$f = WebGUI::HTMLForm->new;
+        my $output .= '<h1>'.WebGUI::International::get(370).'</h1>';
+	my $f = WebGUI::HTMLForm->new;
         $f->hidden("op","editGroupingSave");
         $f->hidden("uid",$session{form}{uid});
         $f->hidden("gid",$session{form}{gid});
 	my $u = WebGUI::User->new($session{form}{uid});
 	my $g = WebGUI::Group->new($session{form}{gid});
-	$expireDate = WebGUI::Grouping::userGroupExpireDate($session{form}{uid},$session{form}{gid});
         $f->readOnly($u->username,WebGUI::International::get(50));
         $f->readOnly($g->name,WebGUI::International::get(84));
-	$f->date("expireDate",WebGUI::International::get(369),$expireDate);
+	$f->date("expireDate",WebGUI::International::get(369),WebGUI::Grouping::userGroupExpireDate($session{form}{uid},$session{form}{gid}));
+	$f->yesNo(
+		-name=>"groupAdmin",
+		-label=>WebGUI::International::get(977),
+		-value=>WebGUI::Grouping::userGroupAdmin($session{form}{uid},$session{form}{gid})
+		);
 	$f->submit;
 	$output .= $f->print;
         return _submenu($output);
@@ -207,6 +260,7 @@ sub www_editGrouping {
 sub www_editGroupingSave {
 	return WebGUI::Privilege::adminOnly() unless (WebGUI::Privilege::isInGroup(3));
         WebGUI::Grouping::userGroupExpireDate($session{form}{uid},$session{form}{gid},setToEpoch($session{form}{expireDate}));
+        WebGUI::Grouping::userGroupAdmin($session{form}{uid},$session{form}{gid},setToEpoch($session{form}{groupAdmin}));
         return www_editUserGroup();
 }
 
@@ -252,7 +306,7 @@ sub www_editUser {
 #-------------------------------------------------------------------
 sub www_editUserSave {
 	return WebGUI::Privilege::adminOnly() unless (WebGUI::Privilege::isInGroup(3));
-        my ($error, $uid, $u, $encryptedPassword, $passwordStatement, $cmd);
+        my ($error, $uid, $u);
         ($uid) = WebGUI::SQL->quickArray("select userId from users where username=".quote($session{form}{username}));
         if ($uid == $session{form}{uid} || $uid < 1) {
 		$u = WebGUI::User->new($session{form}{uid});