--- loncom/auth/migrateuser.pm	2018/12/03 23:43:57	1.38
+++ loncom/auth/migrateuser.pm	2018/12/26 20:10:21	1.42
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # Starts a user off based of an existing token.
 #
-# $Id: migrateuser.pm,v 1.38 2018/12/03 23:43:57 raeburn Exp $
+# $Id: migrateuser.pm,v 1.42 2018/12/26 20:10:21 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -119,6 +119,48 @@ sub lti_check {
     return \%lti_env;
 }
 
+sub canhost {
+    my ($uname,$udom,$lonhost,$loncaparev) = @_;
+    my $canhost;
+    if (&Apache::lonnet::is_library($lonhost)) {
+        my @possdoms = &Apache::lonnet::current_machine_domains();
+        my %roleshash = &Apache::lonnet::get_my_roles($uname,$udom,'userroles','',['ca','aa'],\@possdoms);
+        if (keys(%roleshash)) {
+            foreach my $key (keys(%roleshash)) {
+                my $audom = (split(/:/,$key))[1];
+                if ((&Apache::lonnet::will_trust('othcoau',$udom,$audom)) &&
+                    (&Apache::lonnet::will_trust('coaurem',$audom,$udom))) {
+                    $canhost = 1;
+                    last;
+                }
+            }
+        }
+    }
+    unless ($canhost) {
+        my $uprimary_id = &Apache::lonnet::domain($udom,'primary');
+        my $uint_dom = &Apache::lonnet::internet_dom($uprimary_id);
+        my @intdoms;
+        my $internet_names = &Apache::lonnet::get_internet_names($lonhost);
+        if (ref($internet_names) eq 'ARRAY') {
+            @intdoms = @{$internet_names};
+        }
+        if ($uint_dom ne '' && grep(/^\Q$uint_dom\E$/,@intdoms)) {
+            $canhost = 1;
+        } else {
+            my $hostname = &Apache::lonnet::hostname($lonhost);
+            my $serverhomeID = &Apache::lonnet::get_server_homeID($hostname);
+            my $serverhomedom = &Apache::lonnet::host_domain($serverhomeID);
+            my %defdomdefaults = &Apache::lonnet::get_domain_defaults($serverhomedom);
+            my %udomdefaults = &Apache::lonnet::get_domain_defaults($udom);
+            $canhost =
+                &Apache::lonnet::can_host_session($udom,$lonhost,$loncaparev,
+                                                  $udomdefaults{'remotesessions'},
+                                                  $defdomdefaults{'hostedsessions'});
+        }
+    }
+    return $canhost;
+}
+
 sub ip_changed {
     my ($r,$udom,$camefrom,$idsref,$dataref) = @_;
     &Apache::loncommon::content_type($r,'text/html');
@@ -444,7 +486,7 @@ sub conlost_userhome {
                 return $otherserver;
             } else {
                 #FIXME Contents of $data{'dom_balancers'} contains invalid hostID.
-            }  
+            }
         } else {
             if ($data{'loncfail'}) {
                 #FIXME Nowhere to go. 
@@ -577,6 +619,14 @@ sub handler {
     if ($home eq 'no_host') { return &goto_login($r,$udom,\%data); }
     if (&Apache::lonnet::hostname($home) eq '') { return &goto_login($r,$udom,\%data); }
 
+    unless (grep(/^\Q$home\E$/,@ids)) {
+        my $lonhost = $r->dir_config('lonHostID');
+        my $loncaparev = $r->dir_config('lonVersion');
+        unless (&canhost($data{'username'},$data{'domain'},$lonhost,$loncaparev)) {
+            return &goto_login($r,$udom,\%data);
+        }
+    }
+
     my $rolemsg;
     if ($data{'role'}) {
         $rolemsg = "role: $data{'role'}";
@@ -622,6 +672,29 @@ sub handler {
 	if ($handle) {
 	    &Apache::lonnet::transfer_profile_to_env($r->dir_config('lonIDsDir'),
 						     $handle);
+            if ($data{'linkprot'} ne '') {
+                my ($linkprotector,$deeplink) = split(/:/,$data{'linkprot'},2);
+                if ($env{'user.linkprotector'}) {
+                    my @protectors = split(/,/,$env{'user.linkprotector'});
+                    unless (grep(/^\Q$linkprotector\E$/,@protectors)) {
+                        push(@protectors,$linkprotector);
+                        @protectors = sort { $a <=> $b } @protectors;
+                        &Apache::lonnet::appenv({'user.linkprotector' => join(',',@protectors)});
+                    }
+                } else {
+                    &Apache::lonnet::appenv({'user.linkprotector' => $linkprotector });
+                }   
+                if ($env{'user.linkproturi'}) {
+                    my @proturis = split(/,/,$env{'user.linkproturi'});
+                    unless(grep(/^\Q$deeplink\E$/,@proturis)) {
+                        push(@proturis,$deeplink);
+                        @proturis = sort @proturis;
+                        &Apache::lonnet::appenv({'user.linkproturi' => join(',',@proturis)});
+                    }
+                } else {
+                    &Apache::lonnet::appenv({'user.linkproturi' => $deeplink});
+                }
+            }
             if ($data{'lti.login'}) {
                 my $needslogout;
                 if ($env{'request.lti.login'}) {
@@ -715,6 +788,18 @@ sub handler {
                         $desturl .= (($desturl =~/\?/)?'&':'?').'navmap=1';
                     }
                 }
+                if ($data{'linkprot'}) {
+                    my ($linkprotector,$linkuri) = split(/:/,$data{'linkprot'},2);
+                    if ($linkprotector) {
+                        if (ref($extra_env) eq 'HASH') {
+                            $extra_env->{'user.linkprotector'} = $linkprotector;
+                            $extra_env->{'user.linkproturi'} = $linkuri;
+                        } else {
+                            $extra_env = {'user.linkprotector' => $linkprotector,
+                                          'user.linkproturi' => $linkuri,};
+                        }
+                    }
+                }
             }
             my $skipcritical;
             if (($data{'lti.login'}) && ($data{'lti.reqcrs'}) &&