From 124b39959f52153ff9dd952bace0fa4e04944c56 Mon Sep 17 00:00:00 2001
From: Jordan Dukart <jordan@discoverygarden.ca>
Date: Thu, 8 Mar 2018 14:41:06 -0400
Subject: [PATCH] Ensure object/ds are accessible before verifying token.
 (#701)

---
 islandora.module | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/islandora.module b/islandora.module
index 924c8d84..3349902c 100644
--- a/islandora.module
+++ b/islandora.module
@@ -881,13 +881,17 @@ function islandora_object_access_callback($perm, $object = NULL) {
 function islandora_object_datastream_tokened_access_callback($perm, $object = NULL, $datastream = NULL) {
   module_load_include('inc', 'islandora', 'includes/utilities');
 
+  // Token validation requires a valid object and PID in order to make a
+  // potential match in the db.
   $token_account = NULL;
-  $token = filter_input(INPUT_GET, 'token', FILTER_SANITIZE_STRING);
+  if (is_object($object) && is_object($datastream)) {
+    $token = filter_input(INPUT_GET, 'token', FILTER_SANITIZE_STRING);
 
-  if ($token) {
-    $user = islandora_validate_object_token($object->id, $datastream->id, $token);
-    if ($user) {
-      $token_account = user_load($user->uid);
+    if ($token) {
+      $user = islandora_validate_object_token($object->id, $datastream->id, $token);
+      if ($user) {
+        $token_account = user_load($user->uid);
+      }
     }
   }