Redmine

It seems that the access control on wikis does not get respected on public projects. An anonymous user can always view wiki pages if the project is marked public, even if anonymous members have not been granted access to the wikis. This worked correctly in 0.6.4, which we were using previously. We are currently using Redmine 0.7.1.1438 (MySQL).

Steps to reproduce:

1. Make a new project. It must be public and have the wiki module.
2. Add start page for the wiki and add some text to the wiki start page
3. Make sure the permissions for anonymous does not include "View wiki pages"
4. Sign out.
5. Go to the 'Projects' page and click on the project that was created. The wiki tab is visible and the anonymous user can read the contents that were entered previously.

Please note that you may also see tabs for "Issues" and "News" (if you enabled those modules), which should show up, as there's not a permission to deny viewing.