The access check on properties for an instance of a class

(e.g. .../user/1) was not correct. As a result the access rights on the
class not the access right to an instance of a class were checked.
This fixes the code so the instance rights are checked the same as
calling: .../user/1/roles would.

Author: rouilj

CHANGES.txt

@@ -49,6 +49,11 @@ Features:
    - allow user (e.g. in browser) to override response type/Accept
      header using extension in url. E.G. .../issues.json. This fixes
      the existing code so it works.
+   - fix SECURITY issue. Retrieving the item of a class
+     (e.g. /rest/data/user/2) would display properties the user wasn't
+     allowed to access. Note that unlike the web interface,  passwords
+     and roles for users are still retreivable if the user has access
+     rights to the properties.
   (John Rouillard)
 - issue2550833: the export_csv web action now returns labels/names
   rather than id's. Replace calls to export_csv with the export_csv_id

roundup/rest.py

@@ -494,7 +494,7 @@ def get_element(self, class_name, item_id, input):
                 for prop_name in props
                 if self.db.security.hasPermission(
                     'View', self.db.getuid(), class_name, prop_name,
-                )
+                        item_id )
             ]
         except KeyError as msg:
             raise UsageError("%s field not valid" % msg)