Global Dashboard currently displays widgets that display product data, but do not check product specific permissions. If user has TICKET_VIEW permission in global context, he can see unfiltered lists of products and product tickets.
The following steps can be used to reproduce the problems:
Create two products with some tickets (DEMO and MNP). Grant anonymous *_VIEW on global, but no product specific permissions.
With this setup, anonymous can access global Dashboard, where it sees
all the tickets and all the products. He cannot access product
specific dashboards (no PRODUCT_VIEW permission). Links to
products/tickets in the global dashboard also redirect to login.
If anonymous is grantet additional PRODUCT_VIEW permission for both products, he can access the dashboards, but ticket and timeline widgets crash (no TICKET_VIEW permissions).
trac:TracFineGrainedPermissions should also be included in permission check.
Warning No events reported for defect: Apply permission checks to default Dashboard widgets (new) in the last 30 days since Mar 30, 2017. This may happen if system is not configured correctly. Please contact your administrator if you think this is the case.