From be34a0703fee1c92d947e362facd34c910e28f6f Mon Sep 17 00:00:00 2001 From: Manuel Cillero Date: Wed, 26 Jul 2017 11:54:56 +0200 Subject: [PATCH] Ensure access permissions to node comment --- modules/nodecomment/nodecomment.module | 44 +++++++++++++------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/modules/nodecomment/nodecomment.module b/modules/nodecomment/nodecomment.module index 44cf117..dde6a90 100644 --- a/modules/nodecomment/nodecomment.module +++ b/modules/nodecomment/nodecomment.module @@ -37,27 +37,27 @@ function nodecomment_nodeapi(&$node, $op, $arg = 0, $page = 0) { case 'delete': // If this node has own comments, delete them. - // For increased durability, don't add any checks here: it should help to + // For increased durability, don't add any checks here: it should help to // deal with the orphan problem. _nodecomment_delete_comments($node->nid); - + // If this is a comment, delete it and it's children comments from the thread. if (isset($node->comment_target_nid)) { _nodecomment_thread_delete_children($node->nid, $node->comment_target_nid); - - // For increased durability, delete node_comments entries one by one, - // together with their nodes, even when mass deleting. + + // For increased durability, delete node_comments entries one by one, + // together with their nodes, even when mass deleting. db_query('DELETE FROM {node_comments} WHERE cid = %d', $node->nid); - + _nodecomment_update_node_statistics($node->comment_target_nid); } break; case 'view': - // If this is a comment. + // If this is a comment. if ($page && isset($node->comment_target_nid)) { // Redirect to target node, if needed. - // We could do it inside hook_init() but then we would add 1 query for + // We could do it inside hook_init() but then we would add 1 query for // every node view, which is a tax it's better not to pay. if (variable_get('node_comment_node_redirect', TRUE)) { if (!nodecomment_is_content($node->type)) { 
@@ -75,14 +75,14 @@ function nodecomment_nodeapi(&$node, $op, $arg = 0, $page = 0) { } function _nodecomment_nodeapi_load($node, $op, $arg, $page) { - // We want to process 3 cases: + // We want to process 3 cases: // - node which is a node comment // - node which has node comments // - both $comment_types = nodecomment_get_comment_types(); $node->comment_type = nodecomment_get_comment_type($node->type); $comment_data = array(); - + // Is this a comment type ? if (in_array($node->type, $comment_types)) { $query = "SELECT nc.nid AS comment_target_nid, nc.pid AS comment_target_cid, @@ -90,7 +90,7 @@ function _nodecomment_nodeapi_load($node, $op, $arg, $page) { u.signature, u.signature_format FROM {node_comments} nc INNER JOIN {users} u ON nc.uid = u.uid - WHERE nc.cid = %d"; + WHERE nc.cid = %d"; $comment_data = db_fetch_array(db_query($query, $node->nid)); if ($comment_data) { // It's a node comment! Populate commenty stuff. @@ -116,17 +116,17 @@ function _nodecomment_nodeapi_load($node, $op, $arg, $page) { ); } } - + // Does this node have node comments ? if ($node->comment_type) { - // Move $node->comment to $node->node_comment and set $node->comment + // Move $node->comment to $node->node_comment and set $node->comment // to disabled to prevent core comment module messing with the node. // In presave nodeapi operation restore this setting. // In 3.x branch this is the only hack we do with core comment module. $node->node_comment = $node->comment; $node->comment = COMMENT_NODE_DISABLED; } - + return $comment_data; } @@ -150,12 +150,12 @@ function nodecomment_link($type, $node = NULL, $teaser = FALSE) { if ($type != 'node') { return; } - + if (isset($node->comment_target_nid)) { // This node is a comment to a parent node. _nodecomment_comment_links($links, $node, $teaser); } - + if (!empty($node->comment_type)) { // This node can have node comments, read only or writable. _nodecomment_node_links($links, $node, $teaser); 
@@ -170,7 +170,7 @@ function _nodecomment_comment_links(&$links, &$node, $teaser) { // But the core comment does the same. // Fixing this properly will require an advanced node access module. $target_node = node_load($node->comment_target_nid); - if ($target_node && nodecomment_is_readwrite($target_node)) { + if ($target_node && $target_node->status == 1 && nodecomment_is_readwrite($target_node)) { if (node_access('update', $node)) { $links['comment_edit'] = array( 'title' => t('edit'), @@ -185,7 +185,7 @@ function _nodecomment_comment_links(&$links, &$node, $teaser) { 'query' => drupal_get_destination(), ); } - // Show comment reply links in threaded mode. In flat mode we only + // Show comment reply links in threaded mode. In flat mode we only // hide the link: separate comment reply pages are always accessible. $mode = _comment_get_display_setting('mode', $node); $flat = in_array($mode, array(COMMENT_MODE_FLAT_COLLAPSED, COMMENT_MODE_FLAT_EXPANDED)); @@ -254,7 +254,7 @@ function _nodecomment_node_links(&$links, &$node, $teaser) { // The user can't create the comment nodetype. elseif ($user->uid == 0) { // Show anonymous users the chance to login or register - // We cannot use drupal_get_destination() because these links sometimes + // We cannot use drupal_get_destination() because these links sometimes // appear on /node and taxonomy listing pages. if (variable_get('comment_form_location_'. $node->type, COMMENT_FORM_SEPARATE_PAGE) == COMMENT_FORM_SEPARATE_PAGE) { $destination = 'destination='. drupal_urlencode('node/add/'. str_replace('_', '-', $comment_type) .'/'. $node->nid); 
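Review bot: The added `$target_node->status == 1` condition in `_nodecomment_comment_links()` only decides whether the edit, delete and reply links are rendered; it does not restrict the pages those links point to, and the comment in the next hunk of the same function notes that separate comment reply pages are always accessible. If the aim of the commit is to stop comment actions against an unpublished target, the same condition has to be enforced in the access callbacks for those paths, which are not visible in this diff. For the link gating itself, a raw status compare also hides the links from users who are allowed to view the unpublished target and ignores node access modules; `if ($target_node && node_access('view', $target_node) && nodecomment_is_readwrite($target_node)) {` would follow the permission check already used on the next line. The function starts and ends outside the hunk.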
@@ -350,12 +350,12 @@ function _nodecomment_node_add_access($op, $type) { // Note: menu callbacks receive proper type with underscores instead of // hyphens because Node module creates menu items with predefined // callback arguments rather than lets callback fetch argument from the url. - + // Don't allow to add nodecomments without comment context. // // TODO: we may want to allow this later, if we want to add comments // that are "content" by our terms without comment context. - // But before doing so, we need to be sure that our nodeapi & nodecomment + // But before doing so, we need to be sure that our nodeapi & nodecomment // logics can handle that. if (!is_numeric(arg(3))) { return FALSE; @@ -415,7 +415,7 @@ function nodecomment_views_pre_build(&$view) { /** * Implementation of hook_node_type(). - * + * * Update nodecomment variables when node type information changes. */ function nodecomment_node_type($op, $info) {