Defect #1613

closed

Search results shown for commits in projects that a user doesn't have access to

Added by Steven Frank over 16 years ago. Updated almost 15 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Search engine
Target version: -
Start date: 2008-07-09
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

I have several users set up to only be able to access ONE project's Issues, News, and Messages.

Logged in as one of those users, I do an arbitrary search.

From that SEARCH RESULTS page, if you change the pop up to ALL PROJECTS, and immediately re-submit the same search, the checkboxes for other types of searches suddenly appear (documents, changesets, wiki pages, projects).

If you then checkmark all of those boxes, you can do a search that will match commit messages in projects the user shouldn't have access to. You get a permission denied error if you actually try to click through to one, but the full commit message is shown in the search results anyway.

I'm not sure which version of Redmine I have, but I just updated it from Subversion (r1648).
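The report above describes results being listed before any permission check, with the check applied only on click-through. The following is an added example, not Redmine's code and not part of the original report: a small Ruby model that filters each hit by the viewer's permission for that hit's type in that hit's project. All names (VIEW_PERMISSION, Hit, User, the permission symbols, the sample index) are assumptions made for illustration.

```ruby
# Added example: a hypothetical model, not Redmine's code.
# Permission names below are illustrative assumptions.
VIEW_PERMISSION = {
  issues: :view_issues, news: :view_news, messages: :view_messages,
  changesets: :view_changesets, documents: :view_documents,
  wiki_pages: :view_wiki_pages
}.freeze

Hit = Struct.new(:type, :project, :text)

# Constructed sample index spanning two projects.
INDEX = [
  Hit.new(:issues,     "alpha", "Login form rejects valid password"),
  Hit.new(:changesets, "alpha", "Fix password check in login form"),
  Hit.new(:changesets, "beta",  "Rotate password for deploy account"),
  Hit.new(:issues,     "beta",  "Password reset mail not sent")
].freeze

# grants maps a project name to the permissions the user holds there.
User = Struct.new(:grants) do
  def allowed?(permission, project)
    grants.fetch(project, []).include?(permission)
  end
end

# Failure mode from the report: hits are matched on type and text only,
# so the listing itself discloses text from projects the viewer cannot open.
def unscoped_search(query, types)
  needle = query.downcase
  INDEX.select { |h| types.include?(h.type) && h.text.downcase.include?(needle) }
end

# Hardened form: each hit must pass the view permission for its own type
# in its own project before it is rendered. Unknown types are dropped.
def scoped_search(user, query, types)
  unscoped_search(query, types).select do |h|
    perm = VIEW_PERMISSION[h.type]
    perm && user.allowed?(perm, h.project)
  end
end

# Types worth offering as checkboxes in an "all projects" search:
# only those the user may view in at least one project.
def offered_types(user)
  held = user.grants.values.flatten
  VIEW_PERMISSION.select { |_type, perm| held.include?(perm) }.keys
end
```

Hiding the checkboxes alone is not enough, since the type list arrives as request parameters; the per-hit check in scoped_search is what keeps the text out of the listing.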
