I’ve got several Trac systems in use for various reasons.  However assigning tickets to a user is wide open by default.  That list can be restricted to users that have logged in and supplied their email address by changing [ticket] restrict_owner in trac.in to true.

Users that are in that Trac’s database and have the TICKET_MODIFY privilege will show up in the list.

See the Trac Tickets wiki for more.