Index: modules/system/system.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/system/system.module,v
retrieving revision 1.561
diff -u -p -r1.561 system.module
--- modules/system/system.module	14 Dec 2007 18:08:48 -0000	1.561
+++ modules/system/system.module	17 Dec 2007 02:12:22 -0000
@@ -261,13 +261,13 @@ function system_menu() {
   );
 
   foreach (list_themes() as $theme) {
-    if ($theme->status) {
-      $items['admin/build/themes/settings/'. $theme->name] = array(
-        'title' => $theme->info['name'],
-        'page arguments' => array('system_theme_settings', $theme->name),
-        'type' => MENU_LOCAL_TASK,
-      );
-    }
+   $items['admin/build/themes/settings/'. $theme->name] = array(
+      'title' => check_plain($theme->info['name']),
+      'page arguments' => array('system_theme_settings', $theme->name),
+      'type' => MENU_LOCAL_TASK,
+      'access callback' => '_system_themes_access',
+      'access arguments' => array($theme),
+    );
   }
 
   // Modules:
@@ -459,6 +459,13 @@ function system_menu() {
   return $items;
 }
 
+ /**
++ * Menu item access callback - only admin or enabled themes can be accessed
++ */
+function _system_themes_access($theme) {
+  return $theme->status || $theme->name == variable_get('admin_theme', '0');
+}
+
 function system_init() {
   // Use the administrative theme if the user is looking at a page in the admin/* path.
   if (arg(0) == 'admin' || (variable_get('node_admin_theme', '0') && arg(0) == 'node' && (arg(1) == 'add' || arg(2) == 'edit'))) {