The cache did not distinguish between cached credentials for read and write
access. As it does not check permissions again if there is a cache hit, users
with authorization for either reading or writing could poison the cache and
subsequently authorize themselves for both access types.
Original fix is by Jean-Philippe Lang, http://www.redmine.org/issues/9567