author | David Rothstein <drothstein@gmail.com> | 2013-01-16 16:45:48 -0500 |
---|---|---|
committer | David Rothstein <drothstein@gmail.com> | 2013-01-16 16:45:48 -0500 |
commit | 1d4604da252f0e6e19339957ec214388f61b908d (patch) | |
tree | 70f9fcda3737207074200a44e7cf949aebc60c66 /modules/book | |
parent | b47f95d3013619e33cafdf8b769b2b6179a07956 (diff) | |
Drupal 7.19
Diffstat (limited to 'modules/book')
-rw-r--r-- | modules/book/book.pages.inc | 9 | ||||
-rw-r--r-- | modules/book/book.test | 7 |
2 files changed, 16 insertions, 0 deletions
diff --git a/modules/book/book.pages.inc b/modules/book/book.pages.inc
index 583eb7a81..63a1d15a4 100644
--- a/modules/book/book.pages.inc
+++ b/modules/book/book.pages.inc
@@ -38,6 +38,15 @@ function book_render() {
 * format determined by the $type parameter.
 */
 function book_export($type, $nid) {
+ // Check that the node exists and that the current user has access to it.
+ $node = node_load($nid);
+ if (!$node) {
+ return MENU_NOT_FOUND;
+ }
+ if (!node_access('view', $node)) {
+ return MENU_ACCESS_DENIED;
+ }
+
 $type = drupal_strtolower($type);
 $export_function = 'book_export_' . $type;
diff --git a/modules/book/book.test b/modules/book/book.test
index d1f527387..2708e3674 100644
--- a/modules/book/book.test
+++ b/modules/book/book.test
@@ -258,6 +258,13 @@ class BookTestCase extends DrupalWebTestCase {
 // Try getting the URL directly, and verify it fails.
 $this->drupalGet('book/export/html/' . $this->book->nid);
 $this->assertResponse('403', t('Anonymous user properly forbidden.'));
+
+ // Now grant anonymous users permission to view the printer-friendly
+ // version and verify that node access restrictions still prevent them from
+ // seeing it.
+ user_role_grant_permissions(DRUPAL_ANONYMOUS_RID, array('access printer-friendly version'));
+ $this->drupalGet('book/export/html/' . $this->book->nid);
+ $this->assertResponse('403', 'Anonymous user properly forbidden from seeing the printer-friendly version when denied by node access.');
 }
 /** |
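Review bot: The docblock above book_export() still describes the return value only as a string (its visible tail reads `format determined by the $type parameter.`), but the added guard can now return `MENU_NOT_FOUND` or `MENU_ACCESS_DENIED` instead. I would extend the return description with `MENU_NOT_FOUND if $nid does not load, or MENU_ACCESS_DENIED if the current user may not view the node.` so that any code calling book_export() directly knows to handle the status constants rather than treating the result as output. The guard covers only the node identified by `$nid`; presumably the per-type export function further down applies node access to the child pages it renders, which is worth confirming because the rest of the body and the start of the docblock lie outside this hunk.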
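Review bot: Only the access-denied branch of the new guard in book_export() is exercised by the added lines; the `MENU_NOT_FOUND` branch has no assertion. A request for a node id that cannot exist would cover it, e.g. `$this->drupalGet('book/export/html/123456789');` followed by `$this->assertResponse('404', 'Export of a nonexistent node returns not found.');` (the id and message are constructed samples). The new assertion message is also passed as a bare string while the assertion just above wraps its message in `t()`, so one form should be chosen for this method. The test method starts outside the hunk, so how node access is denied to anonymous users in this setup cannot be confirmed from these lines.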