Index: modules/node.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/node.module,v
retrieving revision 1.632
diff -u -p -r1.632 node.module
--- modules/node.module	14 Apr 2006 14:32:59 -0000	1.632
+++ modules/node.module	15 Apr 2006 03:05:33 -0000
@@ -2407,14 +2406,71 @@ function node_access_view_all_nodes() {
 }
 
 /**
+ * Generate an SQL join clause for use in fetching a menu item.
+ *
+ * @param $menu_alias
+ *   If the menu table has been given an SQL alias other than the default
+ *   "m", that must be passed here.
+ * @param $node_alias
+ *   If the node table has been given an SQL alias other than the default
+ *   "n", that must be passed here.
+ * @param $node_access_alias
+ *   If the node_access table has been given an SQL alias other than the default
+ *   "na", that must be passed here.
+ * @return
+ *   An SQL join clause.
+ */
+function _node_access_menu_join_sql($menu_alias = 'm', $node_alias = 'n', $node_access_alias = 'na') {
+  if (user_access('administer nodes')) {
+    return '';
+  }
+
+  return 'LEFT JOIN {node} '. $node_alias ." ON SUBSTRING_INDEX(SUBSTRING_INDEX($menu_alias.path, '/', 2), '/', -1) = ". $node_alias .'.nid LEFT JOIN {node_access} '. $node_access_alias .' ON '. $node_alias .'.nid = '. $node_access_alias .'.nid';
+}
+
+/**
+ * Generate an SQL where clause for use in fetching a node listing.
+ *
+ * @param $op
+ *   The operation that must be allowed to return a node.
+ * @param $menu_alias
+ *   If the menu table has been given an SQL alias other than the default
+ *   "m", that must be passed here.
+ * @param $node_alias
+ *   If the node table has been given an SQL alias other than the default
+ *   "n", that must be passed here.
+ * @param $node_access_alias
+ *   If the node_access table has been given an SQL alias other than the default
+ *   "na", that must be passed here.
+ * @return
+ *   An SQL where clause.
+ */
+function _node_access_menu_where_sql($op = 'view', $menu_alias = 'm', $node_alias = 'n', $node_access_alias = 'na', $uid = NULL) {
+  if (user_access('administer nodes')) {
+    return;
+  }
+
+  $sql = "$node_alias.nid IS NULL OR $menu_alias.path NOT RLIKE '^node/[0-9]+$' OR (". _node_access_where_sql($op, $node_access_alias, $uid) .')';
+  return $sql;
+}
+
+/**
  * Implementation of hook_db_rewrite_sql
  */
 function node_db_rewrite_sql($query, $primary_table, $primary_field) {
-  if ($primary_field == 'nid' && !node_access_view_all_nodes()) {
-    $return['join'] = _node_access_join_sql($primary_table);
-    $return['where'] = _node_access_where_sql();
-    $return['distinct'] = 1;
-    return $return;
+  if (!node_access_view_all_nodes()) {
+    if ($primary_field == 'nid') {
+      $return['join'] = _node_access_join_sql($primary_table);
+      $return['where'] = _node_access_where_sql();
+      $return['distinct'] = 1;
+      return $return;
+    }
+    else if ($primary_field == 'mid') {
+      $return['join'] = _node_access_menu_join_sql($primary_table);
+      $return['where'] = _node_access_menu_where_sql();
+      $return['distinct'] = 1;
+      return $return;
+    }
   }
 }
 
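Review bot: In the new `mid` branch of node_db_rewrite_sql the join is built with `$primary_table` as the menu alias, but `_node_access_menu_where_sql()` is called with no arguments, so the where clause always references `m.path` and the access filter breaks, or binds to a different table, whenever the caller's menu alias is not `m`; pass the alias through with `$return['where'] = _node_access_menu_where_sql('view', $primary_table);`. Both helpers concatenate the alias arguments straight into the SQL text, so their docblocks should say that these must be trusted identifiers supplied by code, never request data. The node_access condition is only enforced for paths matching `^node/[0-9]+$`, so a menu row such as `node/N/edit` appears to pass the filter without any access check; if that is intended it deserves a comment. `_node_access_menu_where_sql` also returns NULL for administrators where the join helper returns `''`, and its `$uid` parameter is missing from the docblock. `SUBSTRING_INDEX` and `RLIKE` look MySQL-specific, which is worth confirming against the other database back ends the module supports.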
