Index: workflow.module
===================================================================
RCS file: /cvs/drupal-contrib/contributions/modules/workflow/workflow.module,v
--- workflow.module	6 May 2008 16:50:48 -0000	1.54.2.28
+++ workflow.module	27 May 2008 22:36:32 -0000
@@ -373,6 +373,21 @@
       workflow_execute_transition($node, $sid, $node->workflow_comment);
     }
     else {
+      global $user;
+      $state_name = db_result(db_query('SELECT state FROM {workflow_states} WHERE sid = %d', $sid));
+      $old_sid = workflow_node_current_state($node);
+      $tid = workflow_get_transition_id($old_sid, $sid);
+      // Check immediately for permission to change state
+      $roles = array_keys($user->roles);
+      if (($user->uid == $node->uid && $node->uid > 0) || (arg(0) == 'node' && arg(1) == 'add')) {
+        $roles += array('author');
+      }
+      if (!workflow_transition_allowed($tid, $roles)) {
+        drupal_set_message(t("You do not have permissions to change the state of this node to @state_name.", array( "@state_name" => $state_name )), 'error');
+        watchdog('workflow', t('User %user not allowed to go from state %old to %new', array('%user' => $user->name, '%old' => $old_sid, '%new' => $sid)), WATCHDOG_NOTICE);
+        return;
+      }
+
       // Schedule the the time to change the state.
       $comment = $node->workflow_comment;
       $old_sid = workflow_node_current_state($node);
@@ -2134,7 +2149,7 @@
     // Make sure transition is still valid.
     if ($node->_workflow == $row->old_sid) {
       // Do transition.
-      workflow_execute_transition($node, $row->sid, $row->comment);
+      workflow_execute_transition($node, $row->sid, $row->comment, TRUE);
 
       watchdog('content', t('%type: scheduled transition of %title.', array('%type' => t($node->type), '%title' => $node->title)), WATCHDOG_NOTICE, l(t('view'), 'node/'. $node->nid));
       $clear_cache = TRUE;