authorDavid Rothstein <drothstein@gmail.com>2013-01-16 16:45:48 -0500
committerDavid Rothstein <drothstein@gmail.com>2013-01-16 16:45:48 -0500
commit1d4604da252f0e6e19339957ec214388f61b908d (patch)
tree70f9fcda3737207074200a44e7cf949aebc60c66 /modules/book
parentb47f95d3013619e33cafdf8b769b2b6179a07956 (diff)
Drupal 7.19
Diffstat (limited to 'modules/book')
-rw-r--r--modules/book/book.pages.inc9
-rw-r--r--modules/book/book.test7
2 files changed, 16 insertions, 0 deletions
diff --git a/modules/book/book.pages.inc b/modules/book/book.pages.inc
index 583eb7a81..63a1d15a4 100644
--- a/modules/book/book.pages.inc
+++ b/modules/book/book.pages.inc
@@ -38,6 +38,15 @@ function book_render() {
* format determined by the $type parameter.
*/
function book_export($type, $nid) {
+ // Check that the node exists and that the current user has access to it.
+ $node = node_load($nid);
+ if (!$node) {
+ return MENU_NOT_FOUND;
+ }
+ if (!node_access('view', $node)) {
+ return MENU_ACCESS_DENIED;
+ }
+
$type = drupal_strtolower($type);
$export_function = 'book_export_' . $type;
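Review bot: The new `node_access('view', $node)` check at the top of book_export() covers only the node named by `$nid`, and the hunk does not show whether the child pages that end up in the export are filtered by node access as well. If that filtering happens where the book tree is built, record it here with a comment such as `// Descendant pages are access-checked separately when the export tree is built.`, after confirming it against the export callbacks. The docblock above the function should also list the two new results, for example `MENU_NOT_FOUND if the node does not exist, MENU_ACCESS_DENIED if the current user may not view it`. The function body continues past the end of the hunk, so the handling of `$export_function` is not reviewed here.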
diff --git a/modules/book/book.test b/modules/book/book.test
index d1f527387..2708e3674 100644
--- a/modules/book/book.test
+++ b/modules/book/book.test
@@ -258,6 +258,13 @@ class BookTestCase extends DrupalWebTestCase {
// Try getting the URL directly, and verify it fails.
$this->drupalGet('book/export/html/' . $this->book->nid);
$this->assertResponse('403', t('Anonymous user properly forbidden.'));
+
+ // Now grant anonymous users permission to view the printer-friendly
+ // version and verify that node access restrictions still prevent them from
+ // seeing it.
+ user_role_grant_permissions(DRUPAL_ANONYMOUS_RID, array('access printer-friendly version'));
+ $this->drupalGet('book/export/html/' . $this->book->nid);
+ $this->assertResponse('403', 'Anonymous user properly forbidden from seeing the printer-friendly version when denied by node access.');
}
/**
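Review bot: The added assertions cover only the MENU_ACCESS_DENIED branch and only the `html` export type; the MENU_NOT_FOUND branch that this commit adds to book_export() has no test. A request for a node id that does not exist would cover it, for example `$this->drupalGet('book/export/html/123456789');` followed by `$this->assertResponse('404', 'Export of a non-existent node returns page not found.');` (the id is a constructed sample and must be one the test site never creates). The enclosing test method starts before the hunk, so the setup that makes node access deny the anonymous user is not visible here.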