Plugin uses "assert" to check perms, which could go away with -O
|Reported by:||Joshua Kugler||Owned by:||Ryan J Ollos|
On line 55 of web_ui.py (current svn), it says:
According to the Python docs, if a module is compiled with -O (or -OO), assert statements are discarded. See http://docs.python.org/reference/simple_stmts.html#the-assert-statement
Thus, if TicketChangePlugin is compiled with -O, there will be no permissions check in process_request(). While the buttons will not be displayed unless the TICKET_ADMIN permission exists, someone could do a direct post to the URL for editing the ticket.