Anonymous users can still access the site management section of Piwik even when they have been restricted with 'No Access'
Calling the URL's;
Will all display results with out authentication.
Other pages maybe affected, but these are the ones I know of.
The data exposed isn't critical but still poses a minor security issue.
The tracker code is public information.
The site manager page may be accessible, but it doesn't display any site information to which the anonymous user has 'no access'. I suppose we could restrict access to even this page.
The feedback module is for the public to submit feedback. If you read the plugin description from the plugin admin screen, it reads:
Send your Feedback to the Piwik Team in one click. Share your ideas and suggestions with us! By Piwik.
You're welcome to deactivate this plugin.
Oops. Given ticket #554, we won't be blocking access to the site manager page.