--- loncom/auth/lonauth.pm 2017/08/08 16:43:54 1.144
+++ loncom/auth/lonauth.pm 2017/08/08 17:01:25 1.145
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # User Authentication Module
 #
-# $Id: lonauth.pm,v 1.144 2017/08/08 16:43:54 raeburn Exp $
+# $Id: lonauth.pm,v 1.145 2017/08/08 17:01:25 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -334,10 +334,11 @@ sub handler {
 # split user logging in and "su"-user
- ($form{'uname'},$form{'suname'})=split(/\:/,$form{'uname'});
+ ($form{'uname'},$form{'suname'},$form{'sudom'})=split(/\:/,$form{'uname'});
 $form{'uname'} = &LONCAPA::clean_username($form{'uname'});
 $form{'suname'}= &LONCAPA::clean_username($form{'suname'});
- $form{'udom'} = &LONCAPA::clean_domain( $form{'udom'});
+ $form{'udom'} = &LONCAPA::clean_domain($form{'udom'});
+ $form{'sudom'} = &LONCAPA::clean_domain($form{'sudom'});
 my $role = $r->dir_config('lonRole');
 my $domain = $r->dir_config('lonDefDomain');
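Review bot: The comment above the split, `# split user logging in and "su"-user`, no longer describes the line below it, which now also peels off an optional su-domain as a third colon-separated field; I would change it to `# split "uname[:suname[:sudom]]" into the user logging in, the "su"-user and the su-user's domain (extra fields are dropped)`. The split has no limit, so a fourth colon-separated field is discarded silently, which is acceptable for input cleaning but worth the parenthetical so nobody later relies on it. The enclosing `sub handler` begins and ends outside this hunk.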
@@ -462,18 +463,51 @@ sub handler {
 # --------------------------------- Are we attempting to login as somebody else?
 if ($form{'suname'}) {
+ my ($suname,$sudom,$sudomref);
+ $suname = $form{'suname'};
+ $sudom = $form{'udom'};
+ if ($form{'sudom'}) {
+ unless ($sudom eq $form{'sudom'}) {
+ if (&Apache::lonnet::domain($form{'sudom'})) {
+ $sudomref = [$form{'sudom'}];
+ $sudom = $form{'sudom'};
+ }
+ }
+ }
 # ------------ see if the original user has enough privileges to pull this stunt
- if (&Apache::lonnet::privileged($form{'uname'},$form{'udom'})) {
+ if (&Apache::lonnet::privileged($form{'uname'},$form{'udom'},$sudomref)) {
 # ---------------------------------------------------- see if the su-user exists
- unless (&Apache::lonnet::homeserver($form{'suname'},$form{'udom'})
- eq 'no_host') {
- &Apache::lonnet::logthis(&Apache::lonnet::homeserver($form{'suname'},$form{'udom'}));
+ unless (&Apache::lonnet::homeserver($suname,$sudom) eq 'no_host') {
+ &Apache::lonnet::logthis(&Apache::lonnet::homeserver($suname,$sudom));
 # ------------------------------ see if the su-user is not too highly privileged
- unless (&Apache::lonnet::privileged($form{'suname'},$form{'udom'})) {
+ unless (&Apache::lonnet::privileged($suname,$sudom)) {
+#
+# su-user's home server and user's home server must have one of:
+# (a) same internet dom
+# (b) same primary library server for home server's domain
+# (c) same "internet domain" for primary library server for home server's domain
+#
+ unless ($sudom eq $form{'udom'}) {
+ my $suprim = &Apache::lonnet::domain($sudom,'primary');
+ my $uprim = &Apache::lonnet::domain($sudom,'primary');
+ unless ($suprim eq $uprim) {
+ my $suintdom = &Apache::lonnet::internet_dom($suprim);
+ my $uintdom = &Apache::lonnet::internet_dom($uprim);
+ unless ($suintdom eq $uintdom) {
+ &Apache::lonnet::logthis('Attempted switch user '
+ .'to privileged user');
+ }
+ }
+ }
 # -------------------------------------------------------- actually switch users
+
 &Apache::lonnet::logperm('User '.$form{'uname'}.' at '.$form{'udom'}.
- ' logging in as '.$form{'suname'});
- $form{'uname'}=$form{'suname'};
+ ' logging in as '.$suname.':'.$sudom);
+ $form{'uname'}=$suname;
+ if ($form{'udom'} ne $sudom) {
+ $form{'udom'}=$sudom;
+ }
 } else {
 &Apache::lonnet::logthis('Attempted switch user to privileged user');
 }
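Review bot: The domain-compatibility check inserted above `# actually switch users` cannot block a switch: `$uprim` is computed from `$sudom` rather than `$form{'udom'}`, so `$suprim eq $uprim` always holds, and even if the innermost `unless` did fire it only calls logthis and then falls through to the logperm/assignment lines that perform the switch. The message it logs, 'Attempted switch user to privileged user', is also copied from the privilege branch and would misdescribe a domain mismatch. I would take `$uprim` from `$form{'udom'}`, record a mismatch in a flag, and run the switch only when the flag is clear, as sketched below; whether case (a) in the new comment is meant to be a direct internet_dom comparison of `$sudom` and `$form{'udom'}` I cannot tell from the hunk, so the sketch keeps the existing two-step comparison. Separately, an unrecognised `$form{'sudom'}` at the top of the block silently falls back to `$form{'udom'}`, which deserves a logthis so the su audit trail is not surprising; `sub handler` itself begins and ends outside this hunk.
```perl
                unless (&Apache::lonnet::privileged($suname,$sudom)) {
                    # cross-domain su is allowed only when the two domains share
                    # a primary library server or that server's internet domain
                    my $switchok = 1;
                    unless ($sudom eq $form{'udom'}) {
                        my $suprim = &Apache::lonnet::domain($sudom,'primary');
                        my $uprim = &Apache::lonnet::domain($form{'udom'},'primary');
                        unless ($suprim eq $uprim) {
                            my $suintdom = &Apache::lonnet::internet_dom($suprim);
                            my $uintdom = &Apache::lonnet::internet_dom($uprim);
                            unless ($suintdom eq $uintdom) {
                                $switchok = 0;
                                &Apache::lonnet::logthis('Attempted switch user '
                                    .$form{'uname'}.':'.$form{'udom'}.' to '
                                    .$suname.':'.$sudom.' in unrelated domain');
                            }
                        }
                    }
                    if ($switchok) {
# … unchanged: logperm call and the $form{'uname'} / $form{'udom'} assignments …
                    }
                } else {
# … unchanged: 'Attempted switch user to privileged user' logthis …
```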