notifications: untangle notification access check This removes a broken permission check when viewing notifications (the HasRepoPermissionAny object was created, but never actually called with a repo_name argument as required). It would be non-trivial to actually implement the check, as notifications don't track their repository relationship explicitly, and even then, it's unclear why it would make sense to allow a repository admin to see notifications to other users. It was never a vulnerability, due to a subsequent (and much stricter) ownership check, which remains but has been untangled for readability. In short, this changeset is a pure refactoring, except that specifying a non-existent notification ID will now produce error 404, not 403.

# requirements.txt file for use as "pip install -r requirements.txt" as a
# readthedocs compatible alternative to "pip install -e ." which is a working
# alternative to "setup.py develop" which doesn't work with Mercurial 3.7
.