--- loncom/interface/lonmenu.pm	2017/01/30 19:06:46	1.369.2.69
+++ loncom/interface/lonmenu.pm	2018/09/03 14:30:16	1.369.2.72
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Routines to control the menu
 #
-# $Id: lonmenu.pm,v 1.369.2.69 2017/01/30 19:06:46 raeburn Exp $
+# $Id: lonmenu.pm,v 1.369.2.72 2018/09/03 14:30:16 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -499,6 +499,8 @@ sub secondary_menu {
                         next if ($item->[2] eq 'mgr' && !$canmgr);
                         next if ($item->[2] eq 'vcg' && !$canviewgrps);
                         next if ($item->[2] eq 'crsedit' && !$canedit && !$canvieweditor);
+                        next if ($item->[2] eq 'author' && !$author);
+                        next if ($item->[2] eq 'cca' && !$canmodifycoauthor);
                         push(@scndsub,$item); 
                     }
                 }
@@ -528,6 +530,7 @@ sub secondary_menu {
                 } else {
                     $$menuitem[0] =~ s{\?register=1}{};
                 }
+                $$menuitem[0] = &HTML::Entities::encode($$menuitem[0],'&<>"');
             }
             $menu .= &prep_menuitem(\@$menuitem);
         }
@@ -546,7 +549,7 @@ sub secondary_menu {
             my $londocroot = $Apache::lonnet::perlvar{'lonDocRoot'};
             ($escurl = $env{'request.filename'}) =~ s{^\Q$londocroot\E}{};
             $escurl  = &escape($escurl);
-        }    
+        }
         $menu =~ s/\[url\]/$escurl/g;
         $menu =~ s/\[symb\]/$escsymb/g;
     }
@@ -635,6 +638,20 @@ sub build_submenu {
                     next unless (($env{'user.name'} ne '') && ($env{'user.domain'} ne ''));
                     $href =~ s/\[domain\]/$env{'user.domain'}/g;
                     $href =~ s/\[user\]/$env{'user.name'}/g;
+                } elsif (($href =~ m{^/adm/preferences\?}) && ($href =~ /\[returnurl\]/)) {
+                    my $returnurl = $ENV{'REQUEST_URI'};
+                    if ($ENV{'REQUEST_URI'} =~ m{/adm/preferences\?action=(?:changedomcoord|authorsettings)\&returnurl=([^\&]+)$}) {
+                        $returnurl = $1;
+                    }
+                    if (($returnurl =~ m{^/adm/createuser($|\?action=)}) ||
+                        ($returnurl =~ m{^/priv/$match_domain/$match_username}) ||
+                        ($returnurl =~ m{^/res(/?$|/$match_domain/$match_username)})) {
+                        $returnurl =~ s{\?.*$}{};
+                        $returnurl = '&amp;returnurl='.&HTML::Entities::encode($returnurl,'"<>&\'');
+                    } else {
+                        undef($returnurl);
+                    }
+                    $href =~ s/\[returnurl\]/$returnurl/;
                 }
                 unless (($href eq '') || ($href =~ /^\#/)) {
                     $target = ' target="_top"';
@@ -1501,9 +1518,13 @@ sub prepare_functions {
 # This applies in course context
 #
         if (($perms{'mdc'}) &&
-            (($resurl eq "/public/$cdom/$cnum/syllabus") ||
-            ($resurl =~ m{^/uploaded/$cdom/$cnum/portfolio/syllabus/}))) {
-            $cfile = $resurl;
+            (($resurl =~ m{^/?public/$cdom/$cnum/syllabus}) ||
+            ($resurl =~ m{^/?uploaded/$cdom/$cnum/portfolio/syllabus/}))) {
+            if ($resurl =~ m{^/}) {
+                $cfile = $resurl;
+            } else {
+                $cfile = "/$resurl";
+            }
             $home = &Apache::lonnet::homeserver($cnum,$cdom);
             if ($env{'form.forceedit'}) {
                 $forceview = 1;
@@ -2156,15 +2177,6 @@ return (<<ENDUTILITY)
 
 $dc_popup_cid
 
-function go(url) {
-   if (url!='' && url!= null) {
-       currentURL = null;
-       currentSymb= null;
-       var lcHostname = setLCHost();
-       window.location.href=lcHostname+url;
-   }
-}
-
 $jumptores
 
 function gopost(url,postdata) {