Real relational role/group support


Trac's data model subsumes groups into permissions, with only an implicit distinction through case. This makes finding out which permissions are groups unnecessarily complicated and error-prone.

I use the term roles for clarity, as group is a keyword in SQL and subsequently in a lot of code.

There is a RelationalPermissionsStore and a RelationalGroupsProvider in and PermissionCache has been extended to support req.perm.roles

My patch implements tables for user_role, roles and role_role:

CREATE TABLE user_role (username TEXT, role TEXT, UNIQUE (username, role));
CREATE TABLE role (name TEXT, description TEXT, UNIQUE (name));
CREATE TABLE role_role (role TEXT, parent TEXT, UNIQUE (role, parent));

Patches have been applied to:

  • ticket/
  • ticket/
  • ticket/, and
  • ticket/

The file supports the $ROLES keyword but expects parameters to be passed in to the cursor rather than quoted into the statement, i.e. sql_sub_vars has become obsolete. This is similar to the way in which and work and it would make sense to harmonise this.

The file requires explicit support for roles in the various reports. The others are restricted by default by the JOIN on user_role so that only members of the same group can see each other's tickets.

Users belong to at least one of the following groups: authenticated, beta or developer and these groups can be hierarchical. Users can only see reports or tickets that have been submitted by a member of the group to which they belong:

  • if you belong to 'authenticated' you can only see tickets submitted by members of that group
  • if you belong to 'beta' you can see 'beta' and 'authenticated' but not 'developer' tickets
  • if you belong to 'developer' you can see all tickets.

This makes more sense than declaring particular tickets private, which takes more work to implement. I have adapted all scripts responsible for displaying tickets. If you want to restrict access to tickets, you do this by the way members belong to groups.

Bugs/Feature Requests

Existing bugs and feature requests for RelationalRoleSupportPatch are here.

If you have any issues, create a new ticket.




RelationalRoleSupportPatch for 0.9.


You can check out the source for RelationalRoleSupportPatch from Subversion at


req.perm.roles returns a list of permissions.

Pass this into queries as a tuple and use WHERE role in %s to execute.
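An added example (not the patch's own code) of the role hierarchy and the parameterised role filter described above, using Python's sqlite3. Assumptions: the cut-down ticket table, the sample users, the function names, and the reading of role_role as "a role also sees what its parent sees"; sqlite3 uses ? placeholders, one per role, where the page's %s form takes the tuple directly.

```python
import sqlite3

# Schema from the page, plus a cut-down ticket table constructed for this example.
SCHEMA = """
CREATE TABLE user_role (username TEXT, role TEXT, UNIQUE (username, role));
CREATE TABLE role (name TEXT, description TEXT, UNIQUE (name));
CREATE TABLE role_role (role TEXT, parent TEXT, UNIQUE (role, parent));
CREATE TABLE ticket (id INTEGER PRIMARY KEY, reporter TEXT, summary TEXT);
"""

def build_db():
    """In-memory database with constructed sample users and tickets."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO role VALUES (?, ?)", [
        ("authenticated", "logged-in users"), ("beta", "beta testers"),
        ("developer", "core developers")])
    # Assumed direction: a role also sees everything its parent sees.
    db.executemany("INSERT INTO role_role VALUES (?, ?)", [
        ("beta", "authenticated"), ("developer", "beta")])
    db.executemany("INSERT INTO user_role VALUES (?, ?)", [
        ("alice", "authenticated"), ("bob", "beta"), ("carol", "developer")])
    db.executemany("INSERT INTO ticket (reporter, summary) VALUES (?, ?)", [
        ("alice", "typo in docs"), ("bob", "beta crash"), ("carol", "refactor auth")])
    return db

def effective_roles(db, username):
    """Direct roles plus all transitive parents; safe against cycles in role_role."""
    seen = set()
    todo = [r for (r,) in db.execute(
        "SELECT role FROM user_role WHERE username = ?", (username,))]
    while todo:
        role = todo.pop()
        if role in seen:
            continue
        seen.add(role)
        todo.extend(p for (p,) in db.execute(
            "SELECT parent FROM role_role WHERE role = ?", (role,)))
    return tuple(sorted(seen))

def visible_tickets(db, username):
    """Tickets whose reporter holds one of the user's effective roles."""
    roles = effective_roles(db, username)
    if not roles:  # no roles: nothing is visible, and "IN ()" is not valid SQL
        return []
    marks = ",".join("?" * len(roles))  # only placeholders are formatted in, never values
    sql = ("SELECT DISTINCT t.id, t.summary FROM ticket t "
           "JOIN user_role ur ON ur.username = t.reporter "
           "WHERE ur.role IN (%s) ORDER BY t.id" % marks)
    return db.execute(sql, roles).fetchall()
```

Because role names and the username reach the database only as bound parameters, a hostile value cannot alter the query and simply matches no rows.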


Author: charliex?
Maintainer: charliex?

Last modified on Jul 30, 2015, 11:40:36 AM