Index: modules/block/block.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/block/block.module,v
retrieving revision 1.411
diff -u -p -r1.411 block.module
--- modules/block/block.module	7 Mar 2010 23:14:20 -0000	1.411
+++ modules/block/block.module	8 Mar 2010 04:05:19 -0000
@@ -428,7 +428,6 @@ function block_custom_block_form($edit =
     '#description' => t('The content of the block as shown to the user.'),
     '#required' => TRUE,
     '#weight' => -17,
-    '#access' => filter_access(filter_format_load($edit['format'])),
   );
 
   return $form;
Index: modules/block/block.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/block/block.test,v
retrieving revision 1.44
diff -u -p -r1.44 block.test
--- modules/block/block.test	7 Mar 2010 23:14:20 -0000	1.44
+++ modules/block/block.test	8 Mar 2010 04:11:04 -0000
@@ -105,7 +105,7 @@ class BlockTestCase extends DrupalWebTes
     $block_admin = $this->drupalCreateUser(array('administer blocks'));
     $this->drupalLogin($block_admin);
     $this->drupalGet('admin/structure/block/manage/block/' . $bid . '/configure');
-    $this->assertNoText(t('Block body'));
+    $this->assertFieldByXPath("//textarea[@name='body' and @disabled='disabled']", t('This field has been disabled because you do not have sufficient permissions to edit it.'), t('Body field contains denied message'));
     $this->drupalPost('admin/structure/block/manage/block/' . $bid . '/configure', array(), t('Save block'));
     $this->assertNoText(t('Ensure that each block description is unique.'));
 
Index: modules/filter/filter.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/filter/filter.module,v
retrieving revision 1.322
diff -u -p -r1.322 filter.module
--- modules/filter/filter.module	8 Mar 2010 03:59:25 -0000	1.322
+++ modules/filter/filter.module	8 Mar 2010 04:05:19 -0000
@@ -849,6 +849,36 @@ function filter_process_format($element)
     '#weight' => 0,
   );
 
+  // Lastly, disallow editing of this field if the user is not allowed to use
+  // the stored text format.
+  if (!isset($formats[$element['#format']])) {
+    // Overload default values into #value to make them unalterable.
+    $element['value']['#value'] = $element['value']['#default_value'];
+    $element['format']['format']['#value'] = $element['format']['format']['#default_value'];
+
+    // Prepend #pre_render callback to replace field value with user notice
+    // prior rendering.
+    if (!isset($element['value']['#pre_render'])) {
+      $element['value']['#pre_render'] = array();
+    }
+    array_unshift($element['value']['#pre_render'], 'filter_form_access_denied');
+
+    // Cosmetical adjustments.
+    if (isset($element['value']['#rows'])) {
+      $element['value']['#rows'] = 3;
+    }
+    $element['value']['#disabled'] = TRUE;
+    $element['value']['#resizable'] = FALSE;
+
+    // Hide the text format selector and any other child element (such as text
+    // field's summary).
+    foreach (element_children($element) as $key) {
+      if ($key != 'value') {
+        $element[$key]['#access'] = FALSE;
+      }
+    }
+  }
+
   return $element;
 }
 
@@ -885,6 +915,22 @@ function filter_form_after_build($elemen
 }
 
 /**
+ * #pre_render callback for #type 'text_format' to hide field value from prying eyes.
+ *
+ * To not break form processing and previews if a user does not have access to a
+ * stored text format, the expanded form elements in filter_process_format() are
+ * forced to take over the stored #default_values for 'value' and 'format'.
+ * However, to prevent the unfiltered, original #value from being displayed to
+ * the user, we replace it with a friendly notice here.
+ *
+ * @see filter_process_format()
+ */
+function filter_form_access_denied($element) {
+  $element['#value'] = t('This field has been disabled because you do not have sufficient permissions to edit it.');
+  return $element;
+}
+
+/**
  * Render a text format-enabled form element.
  *
  * @param $variables
Index: modules/node/node.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/node/node.test,v
retrieving revision 1.76
diff -u -p -r1.76 node.test
--- modules/node/node.test	6 Mar 2010 06:39:00 -0000	1.76
+++ modules/node/node.test	8 Mar 2010 04:05:19 -0000
@@ -358,8 +358,14 @@ class PagePreviewTestCase extends Drupal
   function setUp() {
     parent::setUp();
 
-    $web_user = $this->drupalCreateUser(array('edit own page content', 'create page content'));
-    $this->drupalLogin($web_user);
+    $this->full_html_format = db_query_range('SELECT * FROM {filter_format} WHERE name = :name', 0, 1, array(':name' => 'Full HTML'))->fetchObject();
+    $this->admin_user = $this->drupalCreateUser(array(
+      'edit any page content',
+      'create page content',
+      filter_permission_name($this->full_html_format),
+    ));
+    $this->web_user = $this->drupalCreateUser(array('edit own page content', 'create page content'));
+    $this->drupalLogin($this->web_user);
   }
 
   /**
@@ -415,6 +421,49 @@ class PagePreviewTestCase extends Drupal
     // Check that the log field has the correct value.
     $this->assertFieldByName('log', $edit['log'], t('Log field displayed.'));
   }
+
+  /**
+   * Test editing a page using a disallowed text format.
+   *
+   * Verifies that a regular user is able to edit a page, but is not allowed to
+   * change the fields which use an inaccessible text format.
+   */
+  function testPageEditLimitedPermission() {
+    $langcode = LANGUAGE_NONE;
+    $title_key = "title";
+    $body_value_key = "body[$langcode][0][value]";
+    $body_format_key = "body[$langcode][0][format]";
+
+    $moderator = $this->drupalCreateUser(array('edit any page content', 'create page content'));
+
+    // Create node to edit.
+    $this->drupalLogin($this->admin_user);
+    $edit = array();
+    $edit['title'] = $this->randomName(8);
+    $edit[$body_value_key] = $this->randomName(16);
+    $edit[$body_format_key] = $this->full_html_format->format;
+    $this->drupalPost('node/add/page', $edit, t('Save'));
+    $node = $this->drupalGetNodeByTitle($edit['title']);
+
+    // Try to edit with normal user
+    $this->drupalLogin($moderator);
+    $this->drupalGet("node/$node->nid");
+    $this->clickLink(t('Edit'));
+
+    // Verify that body field is read-only and contains replacement value.
+    $this->assertFieldByXPath("//textarea[@name='$body_value_key' and @disabled='disabled']", t('This field has been disabled because you do not have sufficient permissions to edit it.'), t('Body field contains denied message'));
+
+    // Verify that title can be changed, but preview displays original body.
+    $new_edit = array();
+    $new_edit['title'] = $this->randomName(8);
+    $this->drupalPost(NULL, $new_edit, t('Preview'));
+    $this->assertText($edit[$body_value_key], t('Old body found in preview.'));
+
+    // Save and verify that only the title was changed.
+    $this->drupalPost(NULL, $new_edit, t('Save'));
+    $this->assertText($new_edit['title'], t('New title found.'));
+    $this->assertText($edit[$body_value_key], t('Old body found.'));
+  }
 }
 
 class NodeCreationTestCase extends DrupalWebTestCase {