if blackHoleCallback is set, requests _must_ get blackholed

lib/Cake/Controller/Component/SecurityComponent.php

@@ -590,7 +590,7 @@ class SecurityComponent extends Component {
 		if (is_callable(array($controller, $method))) {
 			return call_user_func_array(array(&$controller, $method), empty($params) ? null : $params);
 		} else {
-			return null;
+			throw new BadRequestException(__d('cake_dev', 'The request has been black-holed'));
 		}
 	}
 

lib/Cake/Test/Case/Controller/Component/SecurityComponentTest.php

@@ -107,6 +107,20 @@ class SecurityTestController extends Controller {
 
 }
 
+class BrokenCallbackController extends Controller {
+
+	public $name = 'UncallableCallback';
+
+	public $components = array('Session', 'TestSecurity');
+
+	public function index() {
+	}
+
+	protected function _fail() {
+	}
+
+}
+
 /**
  * SecurityComponentTest class
  *
@@ -161,6 +175,25 @@ class SecurityComponentTest extends CakeTestCase {
 		unset($this->Controller);
 	}
 
+/**
+ * Test that requests are still blackholed when controller has incorrect
+ * visibility keyword in the blackhole callback
+ *
+ * @expectedException BadRequestException
+ */
+	public function testBlackholeWithBrokenCallback() {
+		$request = new CakeRequest('posts/index', false);
+		$request->addParams(array(
+			'controller' => 'posts', 'action' => 'index')
+		);
+		$this->Controller = new BrokenCallbackController($request);
+		$this->Controller->Components->init($this->Controller);
+		$this->Controller->Security = $this->Controller->TestSecurity;
+		$this->Controller->Security->blackHoleCallback = '_fail';
+		$this->Controller->Security->startup($this->Controller);
+		$this->Controller->Security->blackHole($this->Controller, 'csrf');
+	}
+
 /**
  * test that initialize can set properties.
  *