--- loncom/auth/lonroles.pm	2014/02/28 19:19:41	1.298
+++ loncom/auth/lonroles.pm	2014/03/25 09:29:43	1.300
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # User Roles Screen
 #
-# $Id: lonroles.pm,v 1.298 2014/02/28 19:19:41 bisitz Exp $
+# $Id: lonroles.pm,v 1.300 2014/03/25 09:29:43 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -664,11 +664,22 @@ ENDENTERKEY
 					}
 				    }
 				}
-# Are we allowed to look at the first resource?
-				if ($furl !~ m|^/adm/|) {
-# Guess not ...
-				    $furl=&Apache::lonpageflip::first_accessible_resource();
-				}
+                                # Are we allowed to look at the first resource?
+                                if ($furl =~ m{^(/adm/wrapper|)/ext/}) {
+                                    # If it's an external resource,
+                                    # strip off the symb argument and possible query
+                                    my ($exturl,$symb) = ($furl =~ m{^(.+)(?:\?|\&)symb=(.+)$});
+                                    # Unencode $symb
+                                    $symb = &unescape($symb);
+                                    # Then check for permission
+                                    if (!&Apache::lonnet::allowed('bre',$exturl,$symb)) {
+                                        $furl = &Apache::lonpageflip::first_accessible_resource();
+                                    }
+                                # For other resources just check for permission
+                                } elsif (!&Apache::lonnet::allowed('bre',$furl)) {
+                                    $furl = &Apache::lonpageflip::first_accessible_resource();
+                                }
+ 
                                 $msg = &mt('Entering [_1] ...',
 					   $env{'course.'.$cdom.'_'.$cnum.'.description'});
 				&redirect_user($r, &mt('Entering [_1]',