From: https://hackernoon.com/10-common-security-gotchas-in-python-and-
how-to-avoid-them-e19fbe265e03

I took a quick look. Most of them are obvious debugging only
changes, but I didn't analyze all of them.

==
3. Assert statements

Don’t use assert statements to guard against pieces of code that a user 
shouldn’t access. Take this simple example

def foo(request, user):
   assert user.is_admin, “user does not have access”
   # secure code...

Now, by default Python executes with __debug__ as true, but in a 
production environment it’s common to run with optimizations. This will 
skip the assert statement and go straight to the secure code regardless 
of whether the user is_admin or not.

Fix:

Only use assert statements to communicate with other developers, such 
as in unit tests or in to guard against incorrect API usage.
==

Ran bandit against roundup code. It flagged a lot of asserts mostly in 
the TAL library, but some others are scattered throughout including 
backend code.

I removed an unneeded assert in cgi/actions.py and converted
an assert to raising an exception in admin.py.

changeset:   8294:302c797756e6
tag:         tip
user:        John Rouillard <rouilj@ieee.org>
date:        Sun Jan 19 19:29:17 2025 -0500
files:       roundup/security.py
description:
fix: issue2550962. remove assert in Role::hasPermission

issue2550962 - Check uses of assert in roundup code.

An assert was used to make sure that a classname always accompoanied
an itemid in hasPermission. The Security::hasPErmission has an if
clause that does the same check and raises a ValueError.