On 2012-04-06 10:02, Wichert Akkerman wrote:
> The dependency graph view of a ticket does not do any permission
> checks. This is a security problem on private trac sites since it
> creates a channel through which sensitive information about tickets
> (existence, dependencies and ticket titles) is revealed.
Sorry for the delayed answer. I didn't get/see any email about this bug and only accidentally saw it today.

I tested the one-line patch on github and it helped at least for the case when anonymous users don't have TICKET_VIEW permission. I will upload a new package with this patch.

Better patches welcome, esp. for using trac-mastertickets with trac-privatetickets, trac-sensitivetickets, or trac-virtualticketpermissions.
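The gap the reply points at, between one view-level check and per-ticket checks on a dependency graph, as an added example that is not part of the original message and is not code from trac-mastertickets or its patch. The ticket data, the user names and the `can_view` policy are constructed stand-ins and do not use Trac's API.

```python
# Constructed model for illustration; none of this is Trac or plugin code.
TICKETS = {  # id -> (summary, is_private)
    1: ("Upgrade web server", False),
    2: ("Rotate leaked API key", True),
    3: ("Update docs", False),
    4: ("Audit admin accounts", True),
}
BLOCKED_BY = {1: [2, 3], 2: [4], 3: [], 4: []}  # ticket -> its dependencies
TICKET_VIEW = {"alice", "staff"}   # users holding the global permission
PRIVATE_VIEW = {"staff"}           # users a per-ticket policy also lets in

class PermissionDenied(Exception):
    pass

def can_view(user, tid):
    """Hypothetical per-ticket policy: global permission plus privacy flag."""
    return user in TICKET_VIEW and (not TICKETS[tid][1] or user in PRIVATE_VIEW)

def walk(root, allowed):
    """Build {id: summary} and edges from root, consulting allowed(id) per ticket."""
    if not allowed(root):
        raise PermissionDenied(root)
    nodes, edges, todo = {root: TICKETS[root][0]}, set(), [root]
    while todo:
        src = todo.pop()
        for dst in BLOCKED_BY[src]:
            if not allowed(dst):
                continue  # omit node and edge, and never traverse through it
            edges.add((src, dst))
            if dst not in nodes:
                nodes[dst] = TICKETS[dst][0]
                todo.append(dst)
    return nodes, edges

def graph_unchecked(user, root):
    """Behaviour in the report: the view renders without asking anything."""
    return walk(root, lambda tid: True)

def graph_coarse(user, root):
    """One view-level check: stops users without TICKET_VIEW, nothing finer."""
    if user not in TICKET_VIEW:
        raise PermissionDenied(root)
    return walk(root, lambda tid: True)

def graph_per_ticket(user, root):
    """Every ticket that would appear in the graph is checked individually."""
    return walk(root, lambda tid: can_view(user, tid))
```

In this model `alice` holds the global permission, so the coarse check still shows her the summaries of the private tickets 2 and 4, while the per-ticket walk returns only tickets 1 and 3.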