Roundup Tracker - Issues

Message8160

Author rouilj
Recipients rouilj, schlatterbeck
Date 2024-10-23.14:58:57
Message-id <1729695537.72.0.271294834985.issue2551330@roundup.psfhosted.org>
In-reply-to
Hi Ralf,

A thought occurred to me. Permissions are some of the most complex things in Roundup.
I have spent a fair amount of time debugging them with people.

Am I correct that you implemented a new pathway pushing some permission checks
down to the database level and still have the older Python-only filtering (for dbm)
intact?

Would it be possible to turn off the SQL permission checks using a parameter?

Maybe something in interfaces.py as it should be used for debugging only.
My concern is that the SQL checks may return a different result for some set of
permissions. We don't have very complex sets of permissions in the test suite.
But even if we add some more complex tests and data, it will still be far from
what is in the wild.

I would like a way in the field to be able to compare the original filtering
against the new filtering. This is similar to how we had a flag to enable/disable
the WSGI performance improvement in 2.2.

In this case, SQL filtering will be turned on by default, but can be turned off
by importing/setting a flag. Turning it off would return to the original Python-only
filter. This way the user can do the same query with or without SQL permission checks
to see if there is an issue.

I really need to make roundup-admin work correctly with the -u parameter (issue2551246).
This will allow a search from the CLI under a user's permission set. This would also
make it easier for admins to test their permissions.

Thoughts?
History
Date                 User    Action  Args
2024-10-23 14:58:57  rouilj  set     messageid: <1729695537.72.0.271294834985.issue2551330@roundup.psfhosted.org>
2024-10-23 14:58:57  rouilj  set     recipients: + rouilj, schlatterbeck
2024-10-23 14:58:57  rouilj  link    issue2551330 messages
2024-10-23 14:58:57  rouilj  create