moo.core.tests.test_security_model_acl.test_access_delete_requires_grant

moo.core.tests.test_security_model_acl.test_access_delete_requires_grant(t_init, t_wizard)

Access.delete() previously had no permission check. Without it, an attacker could delete ACL entries on objects they have no grant over. Access.delete() now calls can_caller("grant") on the entity the row belongs to.
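The check described above, shown on a simplified stand-in model. This is an added example, not the project's code: the `Entity`, `Access` and `PermissionDenied` classes, the explicit `caller` argument, and the `delete_unchecked` name for the old behaviour are all assumptions made for illustration.

```python
# Added illustration: a toy ACL model, not the project's real classes.
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    pass


@dataclass(eq=False)
class Entity:
    name: str
    acl: list = field(default_factory=list)  # Access rows attached to this entity

    def can_caller(self, caller, permission):
        """True if caller holds a row for `permission` on this entity.
        (Assumption: the caller is passed explicitly here.)"""
        return any(a.accessor == caller and a.permission == permission
                   for a in self.acl)


@dataclass(eq=False)
class Access:
    entity: Entity
    accessor: str
    permission: str

    def delete_unchecked(self):
        """Old behaviour: no permission check, any caller removes the row."""
        self.entity.acl.remove(self)

    def delete(self, caller):
        """Fixed behaviour: caller needs "grant" on the row's entity."""
        if not self.entity.can_caller(caller, "grant"):
            raise PermissionDenied(f"{caller} lacks 'grant' on {self.entity.name}")
        self.entity.acl.remove(self)


def demo():
    """Constructed scenario: wizard holds grant, mallory holds nothing."""
    box = Entity("box")
    box.acl.append(Access(box, "wizard", "grant"))
    row = Access(box, "alice", "read")
    box.acl.append(row)
    try:
        row.delete(caller="mallory")
        denied = False
    except PermissionDenied:
        denied = True
    survived = row in box.acl          # row must still exist after the denial
    row.delete(caller="wizard")        # a caller with grant may remove it
    return denied, survived, row in box.acl
```

A regression test for this fix should assert both that the denial is raised and that the row is still present afterwards, since a check placed after the delete would raise while still removing the entry.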