diff --git a/cups/dest.c b/cups/dest.c
index eafb24155..38dd66436 100644
--- a/cups/dest.c
+++ b/cups/dest.c
@@ -69,6 +69,8 @@ typedef struct _cups_dnssd_data_s	// Enumeration data
   cups_array_t		*devices;	// Devices found so far
   int			num_dests;	// Number of lpoptions destinations
   cups_dest_t		*dests;		// lpoptions destinations
+  int                   num_local;      // Number of local cupsd queues
+  cups_dest_t           *local_dests;   // Local cupsd queues
   char			def_name[1024],	// Default printer name, if any
 			*def_instance;	// Default printer instance, if any
 } _cups_dnssd_data_t;
@@ -2845,6 +2847,26 @@ cups_dest_query_cb(
         if (!have_pdf && !have_raster)
           device->state = _CUPS_DNSSD_INCOMPATIBLE;
       }
+      else if (!_cups_strcasecmp(key, "rp"))
+      {
+        // Suppress local printer being re-discovered via DNS-SD
+        const char *rp_name = value;
+        int        i;
+
+        if (!_cups_strncasecmp(rp_name, "printers/", 9))
+          rp_name += 9;
+
+        for (i = 0; i < data->num_local; i++)
+        {
+          if (!_cups_strcasecmp(rp_name, data->local_dests[i].name))
+          {
+            device->state = _CUPS_DNSSD_INCOMPATIBLE;
+            DEBUG_printf("6cups_dest_query_cb: "
+                "Suppressing local printer '%s'.", rp_name);
+            break;
+          }
+        }
+      }
       else if (!_cups_strcasecmp(key, "printer-type"))
       {
         // Value is either NNNN or 0xXXXX
@@ -3177,6 +3199,8 @@ cups_enum_dests(
   {
     // Get the list of local printers and pass them to the callback function...
     num_dests = _cupsGetDests(http, IPP_OP_CUPS_GET_PRINTERS, NULL, &dests, data.type, data.mask);
+    data.num_local   = num_dests;
+    data.local_dests = dests;
 
     if (data.def_name[0])
     {
diff --git a/scheduler/auth.c b/scheduler/auth.c
index f8787f563..3cf111009 100644
--- a/scheduler/auth.c
+++ b/scheduler/auth.c
@@ -2000,40 +2000,64 @@ cupsdIsAuthorized(cupsd_client_t *con,	/* I - Connection */
       }
 #endif /* HAVE_AUTHORIZATION_H */
 
+      
+      int name_result = 0; // 0=not matched, 1=matched
+
+      
       for (name = (char *)cupsArrayFirst(best->names);
-	   name;
-	   name = (char *)cupsArrayNext(best->names))
+           name;
+           name = (char *)cupsArrayNext(best->names))
       {
-	if (!_cups_strcasecmp(name, "@OWNER") && owner &&
-	    ((pw && !strcmp(pw->pw_name, ownername)) ||
-	     (!pw && type == CUPSD_AUTH_NONE && !_cups_strcasecmp(username, ownername))))
-	  return (HTTP_STATUS_OK);
-	else if (!_cups_strcasecmp(name, "@SYSTEM"))
-	{
-	  /* Do @SYSTEM later, when every other entry fails */
-	  continue;
-	}
-	else if (name[0] == '@')
-	{
-	  if (cupsdCheckGroup(username, pw, name + 1))
-	    return (HTTP_STATUS_OK);
-	}
-	else if (pw && !strcmp(pw->pw_name, name))
-	  return (HTTP_STATUS_OK);
-	else if (!pw && type == CUPSD_AUTH_NONE && !_cups_strcasecmp(username, name))
-	  return (HTTP_STATUS_OK);
+        if (!_cups_strcasecmp(name, "@SYSTEM"))
+          continue; // baad mein check hoga
+
+        if (!_cups_strcasecmp(name, "@OWNER") && owner &&
+            ((pw && !strcmp(pw->pw_name, ownername)) ||
+             (!pw && type == CUPSD_AUTH_NONE && !_cups_strcasecmp(username, ownername))))
+        {
+          name_result = 1;
+        }
+        else if (name[0] == '@')
+        {
+          if (cupsdCheckGroup(username, pw, name + 1))
+            name_result = 1;
+        }
+        else if (pw && !strcmp(pw->pw_name, name))
+          name_result = 1;
+        else if (!pw && type == CUPSD_AUTH_NONE && !_cups_strcasecmp(username, name))
+          name_result = 1;
       }
 
+      // @SYSTEM check
       for (name = (char *)cupsArrayFirst(best->names);
-	   name;
-	   name = (char *)cupsArrayNext(best->names))
+           name;
+           name = (char *)cupsArrayNext(best->names))
       {
-	if (!_cups_strcasecmp(name, "@SYSTEM"))
-	{
-	  for (i = 0; i < NumSystemGroups; i ++)
-	    if (cupsdCheckGroup(username, pw, SystemGroups[i]) && check_admin_access(con))
-	      return (HTTP_STATUS_OK);
-	}
+        if (!_cups_strcasecmp(name, "@SYSTEM"))
+        {
+          for (i = 0; i < NumSystemGroups; i ++)
+          {
+            if (cupsdCheckGroup(username, pw, SystemGroups[i]) && check_admin_access(con))
+            {
+              name_result = 1;
+              break;
+            }
+          }
+        }
+      }
+
+      
+      if (best->satisfy == CUPSD_AUTH_SATISFY_ALL)
+      {
+        if (name_result)
+          return (HTTP_STATUS_OK);
+        else
+          return (HTTP_STATUS_FORBIDDEN);
+      }
+      else
+      {
+        if (name_result)
+          return (HTTP_STATUS_OK);
       }
     }
     else
diff --git a/scheduler/conf.c b/scheduler/conf.c
index e55afdbd7..cc00742cb 100644
--- a/scheduler/conf.c
+++ b/scheduler/conf.c
@@ -2453,9 +2453,17 @@ parse_aaa(cupsd_location_t *loc,	/* I - Location */
 
     if (!_cups_strcasecmp(value, "valid-user") ||
         !_cups_strcasecmp(value, "user"))
-      loc->level = CUPSD_AUTH_USER;
+    {
+      // Only set level if not already set to USER
+      if (loc->level == CUPSD_AUTH_ANON)
+        loc->level = CUPSD_AUTH_USER;
+    }
     else if (!_cups_strcasecmp(value, "group"))
-      loc->level = CUPSD_AUTH_GROUP;
+    {
+      // Only upgrade to GROUP if no USER level set yet
+      if (loc->level == CUPSD_AUTH_ANON)
+        loc->level = CUPSD_AUTH_GROUP;
+    }
     else
     {
       cupsdLogMessage(CUPSD_LOG_WARN, "Unknown Require type %s on line %d of %s.",