Ticket #9944 (new defect)

Opened 1 year ago

Last modified 3 weeks ago

Dependency graph bypasses all ticket security

Reported by: wichert
Assigned to: coderanger
Priority: highest
Component: MasterTicketsPlugin
Severity: critical
Keywords:
Cc: mitar
Trac Release: 0.12

Description

The dependency graph view of a ticket does not do any permission checks. This is a security problem on private Trac sites, since it creates a channel through which sensitive information about tickets (existence, dependencies and ticket titles) is revealed.

Attachments

Change History

03/21/13 16:21:57 changed by rjollos

mitar has posted a patch. Closing ticket on GitHub as a duplicate.

diff -ur coderanger-trac-mastertickets-42b59b4/mastertickets/web_ui.py coderanger-trac-mastertickets-perms/mastertickets/web_ui.py
--- coderanger-trac-mastertickets-42b59b4/mastertickets/web_ui.py       2011-01-29 13:52:34.000000000 +0100
+++ coderanger-trac-mastertickets-perms/mastertickets/web_ui.py 2011-04-18 16:23:46.184010835 +0200
@@ -131,6 +131,7 @@
         return req.path_info.startswith('/depgraph')

     def process_request(self, req):
+       req.perm.require('TICKET_VIEW')
         path_info = req.path_info[10:]

         if not path_info:
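Review bot: the `req.perm.require('TICKET_VIEW')` added at the top of `process_request` checks only the global action, not the ticket that is about to be drawn, because the ticket id is still to be parsed from `path_info` (which is computed on the following line). On a site that relies on a fine-grained permission policy, a user who holds TICKET_VIEW in general but is denied on particular tickets passes this check unchanged, which is exactly the private-site case the ticket describes. Suggest moving the check to after the id is resolved and making it resource-specific, e.g. `req.perm('ticket', tkt_id).require('TICKET_VIEW')`, and applying the same per-resource test to each dependency before it is added to the graph, dropping the node together with its edges and summary when the test fails rather than rendering it.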

03/21/13 16:22:06 changed by rjollos

  • cc set to mitar.

05/03/13 19:09:04 changed by mitar

Ha. Nice one. I completely missed this one. :-)

05/03/13 19:12:00 changed by mitar

Hm, the links above are bad. I am not sure if this was my patch. I am also not sure if it addresses the thing correctly? It still just limits based on access to current ticket, not to dependencies. If I have access to current ticket but not to the dependency, I can still see the dependency in the graph, no?

05/03/13 21:36:35 changed by rjollos

The GitHub repository is private now and development has been moved back to trac-hacks. It looks like the patch wasn't posted by you though, it was posted by tinus-github.

I think you are right, we need to check permissions of each dependency before deciding whether to include it in the graph (or at least, whether to include any information about it, such as the summary).
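As an added example (not the plugin's code and not from anyone on this ticket), the following Python models the per-dependency filtering rjollos describes: the root ticket must be viewable, and every dependency is checked individually before it is added, so a hidden ticket contributes neither its id, its summary nor its edges. The ticket table, the `PRIVATE_TICKETS` set, the user names and the `can_view` function are all constructed stand-ins; `can_view` plays the role of Trac's per-resource check (`'TICKET_VIEW' in req.perm('ticket', tkt_id)`), which a real deployment would get from its permission policy.

```python
from collections import deque
from typing import Callable, Dict, Set, Tuple

# Constructed sample data: a tiny ticket table with the "blockedby" links
# that the dependency graph draws. Ids and summaries are hypothetical.
TICKETS: Dict[int, dict] = {
    1: {"summary": "Login page broken", "blockedby": {2, 3}},
    2: {"summary": "Customer X escalation (private)", "blockedby": {4}},
    3: {"summary": "Fix build script", "blockedby": set()},
    4: {"summary": "Security incident (private)", "blockedby": set()},
}
PRIVATE_TICKETS = {2, 4}  # assumption: these are restricted by policy


def can_view(user: str, tkt_id: int) -> bool:
    """Stand-in for the per-resource check 'TICKET_VIEW' in req.perm('ticket', id).

    Assumed policy: the "staff" user sees everything, anyone else sees
    only tickets that are not in PRIVATE_TICKETS.
    """
    if tkt_id not in TICKETS:
        return False
    return user == "staff" or tkt_id not in PRIVATE_TICKETS


# A graph is (nodes: id -> summary, edges: set of (blocked, blocker) pairs).
Graph = Tuple[Dict[int, str], Set[Tuple[int, int]]]


def depgraph_unchecked(root: int) -> Graph:
    """What a handler without permission checks effectively returns:
    every reachable ticket, including private ones and their summaries."""
    return _walk(root, lambda _tid: True)


def depgraph_checked(root: int, user: str) -> Graph:
    """Per-ticket enforcement.

    The root is checked first (the equivalent of
    req.perm('ticket', root).require('TICKET_VIEW')); each dependency is then
    checked before it is added, and a hidden dependency is neither listed
    nor traversed, so nothing about it (existence, summary, or what it in
    turn depends on) reaches the caller.
    """
    if not can_view(user, root):
        raise PermissionError(f"TICKET_VIEW denied on ticket #{root}")
    return _walk(root, lambda tid: can_view(user, tid))


def _walk(root: int, allowed: Callable[[int], bool]) -> Graph:
    """Breadth-first walk over "blockedby" links, keeping only allowed nodes."""
    nodes: Dict[int, str] = {}
    edges: Set[Tuple[int, int]] = set()
    queue = deque([root])
    while queue:
        tid = queue.popleft()
        if tid in nodes:          # already visited (cycles, diamonds)
            continue
        nodes[tid] = TICKETS[tid]["summary"]
        for dep in sorted(TICKETS[tid]["blockedby"]):
            if not allowed(dep):
                # Hidden ticket: emit no node, no edge, and do not walk
                # through it, since even the shape of its subgraph leaks.
                continue
            edges.add((tid, dep))
            queue.append(dep)
    return nodes, edges


if __name__ == "__main__":
    print("unchecked:", depgraph_unchecked(1))
    print("alice:    ", depgraph_checked(1, "alice"))
    print("staff:    ", depgraph_checked(1, "staff"))
```

Note that the filtered walk does not try to "bridge" across a hidden ticket (attaching ticket 4's visible dependencies directly to ticket 1, say): that would draw an edge that does not exist in the data, and a user who is allowed to see the far side can still request that ticket's own graph.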

