one of the documented procedures in this installation of the ACS
edu_subject_admin_security_check   db   subject_id
What it does:
This returns the user_id. It determines if the user is allowed to see the subject admin pages by seeing if they have admin in a department that has the subject.

If the user is not logged in they are redirected to the log in page.

If the user is not logged in as a member of a group, they are redirected to group-select.tcl and asked to select a group.

If they are logged in as a group, the security check is performed. If the user passes, the user_id is returned to the calling environment. If the user fails the security check, a standard UNAUTHORIZED message is displayed and the procedure forces the calling environment to return.

Defined in: /web/philip/tcl/education.tcl

Source code:

    # this should be altered if departments go to a multi-roled system 
    # (e.g. prof, staff, students)

    set user_id [ad_verify_and_get_user_id $db]

    if { [string compare $user_id "0"] == 0 } {
	ns_returnredirect "/register/index?return_url=[ns_urlencode [ns_conn url]?[ns_conn query]]"

    if {[ad_administrator_p $db $user_id]} {
	return $user_id

    # the user is not a site wide admin
    set department_id [ad_get_client_property education edu_department]

    if {[empty_string_p $department_id]} {
	ns_returnredirect "/education/util/group-select?type=edu_department&return_url=[ns_urlencode [ns_conn url]?[ns_conn query]]"
    } else {
	# now, we see if the user is an admin for a department that offers this
	# subject.  If not, we bounce them to group_select or display an error
	# depending on which is appropriate.

	set valid_p [database_to_tcl_string $db "select count(map.subject_id) 
                 from edu_subjects, 
                      edu_subject_department_map map,
                      user_group_map ugmap
                where edu_subjects.subject_id = map.subject_id
                  and map.subject_id = $subject_id
                  and ugmap.user_id = $user_id
                  and ugmap.group_id = map.department_id"] 

	if { $valid_p == 0 } {
	    # blow out of 2 levels
	    return -code return
	} else {
	    return $user_id