Wrong logic in module_grants_node_access() opens door to anonymous visitors viewing unpublished nodes re-attributed to them

The following is the piece of code from module_grants_node_access() that allows view access to unpublished nodes. The problem is that if node's author is set to uid 0, all anonymous users will be allowed to see the node when unpublished.

  if ($node_op == 'view' && !$node->status) {
    $may_view = module_invoke('revisioning', 'user_node_access', 'view revisions', $node)
      || user_access('view revisions');
    if (!$may_view) {
      if ($account->uid != $node->uid) {
        // Not the author: no permission to view this unpublished content.
        return $access["$uid:$nid:$node_op"] = FALSE;
      }
    }
  }

Easy fix, just return FALSE too if uid = 0:

    if (!$may_view) {
      if (!$account->uid || $account->uid != $node->uid) {
        // Not the author: no permission to view this unpublished content.
        return $access["$uid:$nid:$node_op"] = FALSE;
      }

How to reproduce:

• Create a node where access is granted through Module Grants (eg. Revisioning-enabled)
• Publish the node: anonymous user can see it
• Unpublish the node: access denied for anonymous users
• Edit the node and remove the author to set it to Anonymous
• Save the changes (and make sure the node is still unpublished)
• Check with anonymous user: access granted while the node is unpublished