Issue #1890748 by mark.lindsey, hefox, pwolanin, David_Rothstein, klausi:...

Issue #1890748 by mark.lindsey, hefox, pwolanin, David_Rothstein, klausi: Fixed Printer Friendly Version of Book Does Not Take Into Account Node Access.

core/modules/book/book.module

@@ -166,10 +166,11 @@ function book_menu() {
     'type' => MENU_SUGGESTED_ITEM,
     'file' => 'book.pages.inc',
   );
-  $items['book/export/%/%'] = array(
+  $items['book/export/%/%node'] = array(
     'page callback' => 'book_export',
     'page arguments' => array(2, 3),
-    'access arguments' => array('access printer-friendly version'),
+    'access callback' => 'book_export_access',
+    'access arguments' => array(3),
     'type' => MENU_CALLBACK,
     'file' => 'book.pages.inc',
   );
@@ -195,6 +196,16 @@ function book_menu() {
   return $items;
 }
 
+/**
+ * Access callback: Determines if the book export page is accessible.
+ *
+ * @param \Drupal\node\Plugin\Core\Entity\Node $node
+ *   The node whose export page is to be viewed.
+ */
+function book_export_access(Node $node) {
+  return user_access('access printer-friendly version') && node_access('view', $node);
+}
+
 /**
  * Access callback: Determines if the outline tab is accessible.
  *

core/modules/book/book.pages.inc

@@ -39,8 +39,8 @@ function book_render() {
  *   currently supported in book module:
  *   - html: Printer-friendly HTML.
  *   Other types may be supported in contributed modules.
- * @param $nid
- *   An integer representing the node id (nid) of the node to export
+ * @param \Drupal\node\Plugin\Core\Entity\Node $node
+ *   The node to export.
  *
  * @return
  *   A string representing the node and its children in the book hierarchy in a
@@ -50,13 +50,13 @@ function book_render() {
  *
  * @see book_menu()
  */
-function book_export($type, $nid) {
+function book_export($type, Node $node) {
   $type = drupal_strtolower($type);
 
   $export_function = 'book_export_' . $type;
 
   if (function_exists($export_function)) {
-    print call_user_func($export_function, $nid);
+    print call_user_func($export_function, $node);
   }
   else {
     drupal_set_message(t('Unknown export format.'));
@@ -74,8 +74,8 @@ function book_export($type, $nid) {
  * look like level 3 sections, no matter their depth relative to the node
  * selected to be exported as printer-friendly HTML.
  *
- * @param $nid
- *   An integer representing the node id (nid) of the node to export.
+ * @param \Drupal\node\Plugin\Core\Entity\Node
+ *   The node to export.
  *
  * @return
  *   A string containing HTML representing the node and its children in
@@ -84,9 +84,8 @@ function book_export($type, $nid) {
  * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
  * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
  */
-function book_export_html($nid) {
+function book_export_html(Node $node) {
   if (user_access('access printer-friendly version')) {
-    $node = node_load($nid);
     if (isset($node->book)) {
       $tree = book_menu_subtree_data($node->book);
       $contents = book_export_traverse($tree, 'book_node_export');

core/modules/book/lib/Drupal/book/Tests/BookTest.php

@@ -301,6 +301,13 @@ function testBookExport() {
     // Try getting the URL directly, and verify it fails.
     $this->drupalGet('book/export/html/' . $this->book->nid);
     $this->assertResponse('403', 'Anonymous user properly forbidden.');
+
+    // Now grant anonymous users permission to view the printer-friendly
+    // version and verify that node access restrictions still prevent them from
+    // seeing it.
+    user_role_grant_permissions(DRUPAL_ANONYMOUS_RID, array('access printer-friendly version'));
+    $this->drupalGet('book/export/html/' . $this->book->nid);
+    $this->assertResponse('403', 'Anonymous user properly forbidden from seeing the printer-friendly version when denied by node access.');
   }
 
   /**