2 files changed, 18 insertions, 1 deletions

diff --git a/modules/menu/menu.module b/modules/menu/menu.module
index 644479122..dc8f015dc 100644
--- a/modules/menu/menu.module
+++ b/modules/menu/menu.module
@@ -69,7 +69,7 @@ function menu_menu() {
     'title' => 'Parent menu items',
     'page callback' => 'menu_parent_options_js',
     'type' => MENU_CALLBACK,
-    'access arguments' => array(TRUE),
+    'access arguments' => array('administer menu'),
   );
   $items['admin/structure/menu/list'] = array(
     'title' => 'List menus',
diff --git a/modules/menu/menu.test b/modules/menu/menu.test
index 95e0ee9ea..a9bdb5f27 100644
--- a/modules/menu/menu.test
+++ b/modules/menu/menu.test
@@ -514,6 +514,23 @@ class MenuTestCase extends DrupalWebTestCase {
   }
 
   /**
+   * Test administrative users other than user 1 can access the menu parents AJAX callback.
+   */
+  public function testMenuParentsJsAccess() {
+    $admin = $this->drupalCreateUser(array('administer menu'));
+    $this->drupalLogin($admin);
+    // Just check access to the callback overall, the POST data is irrelevant.
+    $this->drupalGetAJAX('admin/structure/menu/parents');
+    $this->assertResponse(200);
+
+    // Do standard user tests.
+    // Login the user.
+    $this->drupalLogin($this->std_user);
+    $this->drupalGetAJAX('admin/structure/menu/parents');
+    $this->assertResponse(403);
+  }
+
+  /**
    * Get standard menu link.
    */
   private function getStandardMenuLink() {