id summary reporter owner description type status priority component severity resolution keywords cc release 6771 "Plugin uses ""assert"" to check perms, which could go away with -O" Joshua Kugler Ryan J Ollos "On line 55 of web_ui.py (current svn), it says: {{{ assert req.perm.has_permission('TICKET_ADMIN') }}} According to the Python docs, if a module is compiled with -O (or -OO), assert statements are discarded. See http://docs.python.org/reference/simple_stmts.html#the-assert-statement Thus, if TicketChangePlugin is compiled with -O, there will be no permissions check in process_request(). While the buttons will not be displayed unless the TICKET_ADMIN permission exists, someone could do a direct post to the URL for editing the ticket." defect closed highest TicketChangePlugin critical fixed 0.11