#45988, Nodes with menu items bypass node permissions system

patch by chx

includes/menu.inc

@@ -1210,6 +1210,16 @@ function _menu_append_contextual_items() {
       $new_items[$temp_mid] = $item;
       $temp_mid--;
     }
+    else {
+      $mid = $_menu['path index'][$item['path']];
+      if ($_menu['items'][$mid]['type'] & MENU_CREATED_BY_ADMIN) {
+        $_menu['items'][$mid]['access'] = $item['access'];
+        $_menu['items'][$mid]['callback'] = $item['callback'];
+        if (isset($_menu['items'][$mid]['callback arguments'])) {
+          $_menu['items'][$mid]['callback arguments'] = $item['callback arguments'];
+        }
+      }
+    }
   }
 
   // Establish parent-child relationships.

modules/node.module

@@ -946,7 +946,7 @@ function node_menu($may_cache) {
           'access' => node_access('view', $node),
           'type' => MENU_CALLBACK);
         $items[] = array('path' => 'node/'. arg(1) .'/view', 'title' => t('view'),
-            'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10, 'access' => node_access('view', $node));
+            'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
         $items[] = array('path' => 'node/'. arg(1) .'/edit', 'title' => t('edit'),
           'callback' => 'node_page',
           'access' => node_access('update', $node),

modules/node/node.module

@@ -946,7 +946,7 @@ function node_menu($may_cache) {
           'access' => node_access('view', $node),
           'type' => MENU_CALLBACK);
         $items[] = array('path' => 'node/'. arg(1) .'/view', 'title' => t('view'),
-            'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10, 'access' => node_access('view', $node));
+            'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
         $items[] = array('path' => 'node/'. arg(1) .'/edit', 'title' => t('edit'),
           'callback' => 'node_page',
           'access' => node_access('update', $node),