Patched minor security hole; don't show summary of bugs that the user

showdependencygraph.cgi

@@ -47,6 +47,8 @@ PutHeader("Dependency graph", "Dependency graph", $id);
 
 if (defined $id) {
     ConnectToDatabase();
+    quietly_check_login();
+    $::usergroupset = $::usergroupset; # More warning suppression silliness.
 
     mkdir("data/webdot", 0777);
 
@@ -99,8 +101,10 @@ node [URL="${urlbase}show_bug.cgi?id=\\N", style=filled, color=lightgrey]
         my $summary = "";
         my $stat;
         if ($::FORM{'showsummary'}) {
-            SendSQL("select bug_status, short_desc from bugs where bug_id = $k");
+            SendSQL("select bug_status, short_desc from bugs where bug_id = $k and bugs.groupset & $::usergroupset = bugs.groupset");
             ($stat, $summary) = (FetchSQLData());
+            $stat = "NEW" if !defined $stat;
+            $summary = "" if !defined $summary;
         } else {
             SendSQL("select bug_status from bugs where bug_id = $k");
             $stat = FetchOneColumn();

showdependencytree.cgi

@@ -37,6 +37,10 @@ PutHeader("Dependency tree", "Dependency tree", "Bug $linkedid");
 
 ConnectToDatabase();
 
+quietly_check_login();
+
+$::usergroupset = $::usergroupset; # More warning suppression silliness.
+
 my %seen;
 
 sub DumpKids {
@@ -53,8 +57,10 @@ sub DumpKids {
     if (@list) {
         print "<ul>\n";
         foreach my $kid (@list) {
-            SendSQL("select bug_status, short_desc from bugs where bug_id = $kid");
+            SendSQL("select bug_status, short_desc from bugs where bug_id = $kid and bugs.groupset & $::usergroupset = bugs.groupset");
             my ($stat, $short_desc) = (FetchSQLData());
+            $stat = "NEW" if !defined $stat;
+            $short_desc = "" if !defined $short_desc;
             my $opened = ($stat eq "NEW" || $stat eq "ASSIGNED" ||
                           $stat eq "REOPENED");
             print "<li>";