--- loncom/interface/lonmenu.pm	2017/04/10 05:37:47	1.369.2.71
+++ loncom/interface/lonmenu.pm	2018/09/03 14:30:16	1.369.2.72
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Routines to control the menu
 #
-# $Id: lonmenu.pm,v 1.369.2.71 2017/04/10 05:37:47 raeburn Exp $
+# $Id: lonmenu.pm,v 1.369.2.72 2018/09/03 14:30:16 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -499,6 +499,8 @@ sub secondary_menu {
                         next if ($item->[2] eq 'mgr' && !$canmgr);
                         next if ($item->[2] eq 'vcg' && !$canviewgrps);
                         next if ($item->[2] eq 'crsedit' && !$canedit && !$canvieweditor);
+                        next if ($item->[2] eq 'author' && !$author);
+                        next if ($item->[2] eq 'cca' && !$canmodifycoauthor);
                         push(@scndsub,$item); 
                     }
                 }
@@ -528,6 +530,7 @@ sub secondary_menu {
                 } else {
                     $$menuitem[0] =~ s{\?register=1}{};
                 }
+                $$menuitem[0] = &HTML::Entities::encode($$menuitem[0],'&<>"');
             }
             $menu .= &prep_menuitem(\@$menuitem);
         }
@@ -546,7 +549,7 @@ sub secondary_menu {
             my $londocroot = $Apache::lonnet::perlvar{'lonDocRoot'};
             ($escurl = $env{'request.filename'}) =~ s{^\Q$londocroot\E}{};
             $escurl  = &escape($escurl);
-        }    
+        }
         $menu =~ s/\[url\]/$escurl/g;
         $menu =~ s/\[symb\]/$escsymb/g;
     }
@@ -635,6 +638,20 @@ sub build_submenu {
                     next unless (($env{'user.name'} ne '') && ($env{'user.domain'} ne ''));
                     $href =~ s/\[domain\]/$env{'user.domain'}/g;
                     $href =~ s/\[user\]/$env{'user.name'}/g;
+                } elsif (($href =~ m{^/adm/preferences\?}) && ($href =~ /\[returnurl\]/)) {
+                    my $returnurl = $ENV{'REQUEST_URI'};
+                    if ($ENV{'REQUEST_URI'} =~ m{/adm/preferences\?action=(?:changedomcoord|authorsettings)\&returnurl=([^\&]+)$}) {
+                        $returnurl = $1;
+                    }
+                    if (($returnurl =~ m{^/adm/createuser($|\?action=)}) ||
+                        ($returnurl =~ m{^/priv/$match_domain/$match_username}) ||
+                        ($returnurl =~ m{^/res(/?$|/$match_domain/$match_username)})) {
+                        $returnurl =~ s{\?.*$}{};
+                        $returnurl = '&amp;returnurl='.&HTML::Entities::encode($returnurl,'"<>&\'');
+                    } else {
+                        undef($returnurl);
+                    }
+                    $href =~ s/\[returnurl\]/$returnurl/;
                 }
                 unless (($href eq '') || ($href =~ /^\#/)) {
                     $target = ' target="_top"';