Without this fix, institution admins can login as site admins and do
other such administrative tasks (e.g. reset their password), if the site
admin joins their institution.

Reported by Ruslan Kabalin <r.kabalin@lancaster.ac.uk>, who supplied a
patch. My patch skips adding an extra method to find out if a given user
is an admin, though it's not any more performant.

Signed-off-by: Nigel McNie <nigel@catalyst.net.nz>