Drupal 7.5

2 files changed, 18 insertions, 1 deletions

diff --git a/modules/comment/comment.module b/modules/comment/comment.module
index 8d0c3d362..9c31f4427 100644
--- a/modules/comment/comment.module
+++ b/modules/comment/comment.module
@@ -2681,6 +2681,10 @@ function comment_rdf_mapping() {
  */
 function comment_file_download_access($field, $entity_type, $entity) {
   if ($entity_type == 'comment') {
-    return user_access('access comments') && $entity->status == COMMENT_PUBLISHED || user_access('administer comments');
+    if (user_access('access comments') && $entity->status == COMMENT_PUBLISHED || user_access('administer comments')) {
+      $node = node_load($entity->nid);
+      return node_access('view', $node);
+    }
+    return FALSE;
   }
 }
diff --git a/modules/file/tests/file.test b/modules/file/tests/file.test
index ea8c5c67b..044c6f698 100644
--- a/modules/file/tests/file.test
+++ b/modules/file/tests/file.test
@@ -530,6 +530,7 @@ class FileFieldWidgetTestCase extends FileFieldTestCase {
       'title' => $this->randomName(),
     );
     $this->drupalPost('node/add/article', $edit, t('Save'));
+    $node = $this->drupalGetNodeByTitle($edit['title']);
 
     // Add a comment with a file.
     $text_file = $this->getTestFile('text');
@@ -559,6 +560,18 @@ class FileFieldWidgetTestCase extends FileFieldTestCase {
     $this->drupalLogout();
     $this->drupalGet(file_create_url($comment_file->uri));
     $this->assertResponse(403, t('Confirmed that access is denied for the file without the needed permission.'));
+
+    // Unpublishes node.
+    $this->drupalLogin($this->admin_user);
+    $edit = array(
+      'status' => FALSE,
+    );
+    $this->drupalPost('node/' . $node->nid . '/edit', $edit, t('Save'));
+
+    // Ensures normal user can no longer download the file.
+    $this->drupalLogin($user);
+    $this->drupalGet(file_create_url($comment_file->uri));
+    $this->assertResponse(403, t('Confirmed that access is denied for the file without the needed permission.'));
   }
 
 }