Index: modules/dashboard/dashboard.info
===================================================================
RCS file: /cvs/drupal/drupal/modules/dashboard/dashboard.info,v
retrieving revision 1.3
diff -u -p -r1.3 dashboard.info
--- modules/dashboard/dashboard.info 26 Nov 2009 06:59:07 -0000 1.3
+++ modules/dashboard/dashboard.info 26 May 2010 21:50:29 -0000
@@ -5,5 +5,6 @@ core = 7.x
 package = Core
 version = VERSION
 files[] = dashboard.module
+files[] = dashboard.test
 dependencies[] = block
 configure = admin/dashboard/customize
Index: modules/dashboard/dashboard.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/dashboard/dashboard.module,v
retrieving revision 1.29
diff -u -p -r1.29 dashboard.module
--- modules/dashboard/dashboard.module 18 May 2010 12:07:39 -0000 1.29
+++ modules/dashboard/dashboard.module 26 May 2010 21:50:30 -0000
@@ -235,13 +235,35 @@ function dashboard_admin($launch_customi
 }

 /**
- * Returns TRUE if the user is currently viewing the dashboard.
+ * Determines if the dashboard should be displayed on the current page.
+ *
+ * This function checks if the user is currently viewing the dashboard and has
+ * access to see it. It is used by other functions in the dashboard module to
+ * decide whether or not the dashboard content should be displayed to the
+ * current user.
+ *
+ * Although the menu system normally handles the above tasks, it only does so
+ * for the main page content. However, the dashboard is not part of the main
+ * page content, but rather is displayed in special regions of the page (so it
+ * can interface with the Block module's method of managing page regions). We
+ * therefore need to maintain this separate function to check the menu item for
+ * us.
+ *
+ * @return
+ * TRUE if the dashboard should be visible on the current page, FALSE
+ * otherwise.
+ *
+ * @see dashboard_block_list_alter()
+ * @see dashboard_page_build()
 */
 function dashboard_is_visible() {
 static $is_visible;
 if (!isset($is_visible)) {
+ // If the current menu item represents the page on which we want to display
+ // the dashboard, and if the current user has access to see it, return
+ // TRUE.
 $menu_item = menu_get_item();
- $is_visible = isset($menu_item['page_callback']) && $menu_item['page_callback'] == 'dashboard_admin';
+ $is_visible = isset($menu_item['page_callback']) && $menu_item['page_callback'] == 'dashboard_admin' && !empty($menu_item['access']);
 }
 return $is_visible;
 }
Index: modules/dashboard/dashboard.test
===================================================================
RCS file: modules/dashboard/dashboard.test
diff -N modules/dashboard/dashboard.test
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ modules/dashboard/dashboard.test 26 May 2010 21:50:30 -0000
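Review bot: In dashboard_is_visible() the result, which is now an access decision rather than just a path match, is still memoised in a plain `static $is_visible`, so it cannot be cleared if the active user or menu item changes later in the same request (for example during a test run). Drupal 7's resettable cache, `$is_visible = &drupal_static(__FUNCTION__);`, keeps the memoisation while letting callers invalidate it. The new `!empty($menu_item['access'])` check fails closed when the key is missing, which is the right default and worth stating in the inline comment; that comment also says "return TRUE" where the code assigns to `$is_visible`. The callback comparison could use `===`, since both sides are strings.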
@@ -0,0 +1,60 @@
+ 'Dashboard access',
+ 'description' => 'Test access control for the dashboard.',
+ 'group' => 'Dashboard',
+ );
+ }
+
+ function setUp() {
+ parent::setUp();
+
+ // Create and log in an administrative user having access to the dashboard.
+ $admin_user = $this->drupalCreateUser(array('access administration pages', 'administer blocks'));
+ $this->drupalLogin($admin_user);
+
+ // Make sure that the dashboard is using the same theme as the rest of the
+ // site (and in particular, the same theme used on 403 pages). This forces
+ // the dashboard blocks to be the same for an administrator as for a
+ // regular user, and therefore lets us test that the dashboard blocks
+ // themselves are specifically removed for a user who does not have access
+ // to the dashboard page.
+ theme_enable(array('stark'));
+ variable_set('theme_default', 'stark');
+ variable_set('admin_theme', 'stark');
+ }
+
+ /**
+ * Test adding a block to the dashboard and checking access to it.
+ */
+ function testDashboardAccess() {
+ // Add a new custom block to a dashboard region.
+ $custom_block = array();
+ $custom_block['info'] = $this->randomName(8);
+ $custom_block['title'] = $this->randomName(8);
+ $custom_block['body[value]'] = $this->randomName(32);
+ $custom_block['regions[stark]'] = 'dashboard_main';
+ $this->drupalPost('admin/structure/block/add', $custom_block, t('Save block'));
+
+ // Ensure admin access.
+ $this->drupalGet('admin');
+ $this->assertResponse(200, t('Admin has access to the dashboard.'));
+ $this->assertRaw($custom_block['title'], t('Admin has access to a dashboard block.'));
+
+ // Ensure non-admin access is denied.
+ $normal_user = $this->drupalCreateUser();
+ $this->drupalLogin($normal_user);
+ $this->drupalGet('admin');
+ $this->assertResponse(403, t('Non-admin has no access to the dashboard.'));
+ $this->assertNoText($custom_block['title'], t('Non-admin has no access to a dashboard block.'));
+ }
+}
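Review bot: The denial case in testDashboardAccess() covers only a logged-in user without permissions; an anonymous visitor receiving the 403 page is not exercised, although that is the request where a leaked dashboard block would matter most. After the non-admin assertions, add `$this->drupalLogout();` and repeat the `drupalGet('admin')`, `assertResponse(403, …)` and block-title checks. The admin check uses assertRaw() while the denial check uses assertNoText(), which inspects only visible text; `$this->assertNoRaw($custom_block['title'], …)` would also catch the title appearing anywhere in the markup. setUp() has no docblock, and the class declaration and the start of getInfo() are not visible on this page, so those were not reviewed.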