auth: properly invoke PermFunctions (CVE-2016-3114) This fixes a vulnerability that allowed logged-in users to edit or delete open pull requests associated with any repository to which they had read access, plus a related vulnerability allowing logged-in users to delete any comment from any repository, provided they could determine the comment ID and had read access to just one repository.

# requirements.txt file for use as "pip install -r requirements.txt" as a
# readthedocs compatible alternative to "pip install -e ." which is a working
# alternative to "setup.py develop" which doesn't work with Mercurial 3.7
.