--- a/Allura/allura/lib/security.py
+++ b/Allura/allura/lib/security.py
@@ -71,7 +71,7 @@
     if project is None: project = c.project
     # Direct roles
     result = set(project.acl.get(access_type, []))
-    roles = M.ProjectRole.query.find().all()
+    roles = M.ProjectRole.query.find(project_id=project._id).all()
     # Compute roles who can reach the direct roles
     found = True
     while found: