auth: properly invoke PermFunctions (CVE-2016-3114) This fixes a vulnerability that allowed logged-in users to edit or delete open pull requests associated with any repository to which they had read access, plus a related vulnerability allowing logged-in users to delete any comment from any repository, provided they could determine the comment ID and had read access to just one repository.

[tox]
minversion = 1.8
envlist = py{26,27}-{pytest,nose}

[testenv]
setenv =
    PYTHONHASHSEED = 0
deps =
    nose: nose
    pytest: pytest
commands =
    nose: nosetests {posargs}
    pytest: py.test {posargs}