Fix/issue pointer permissions (#4141)

* Makes sure we don't override roles

* Reduces the query size whith pointer permissions

- Does not return as $and if not needed
- Returns just the query with the additional constraint

* Do not use $in if include is just of length 1

src/Controllers/DatabaseController.js

@@ -941,7 +941,14 @@ DatabaseController.prototype.addPointerPermissions = function(schema, className,
       const q = {
         [key]: userPointer
       };
-      return {'$and': [q, query]};
+      // if we already have a constraint on the key, use the $and
+      if (query.hasOwnProperty(key)) {
+        return {'$and': [q, query]};
+      }
+      // otherwise just add the constaint
+      return Object.assign({}, query, {
+        [`${key}`]: userPointer,
+      })
     });
     if (ors.length > 1) {
       return {'$or': ors};

src/RestQuery.js

@@ -635,7 +635,13 @@ function includePath(config, auth, response, path, restOptions = {}) {
   }
 
   const queryPromises = Object.keys(pointersHash).map((className) => {
-    const where = {'objectId': {'$in': Array.from(pointersHash[className])}};
+    const objectIds = Array.from(pointersHash[className]);
+    let where;
+    if (objectIds.length === 1) {
+      where = {'objectId': objectIds[0]};
+    } else {
+      where = {'objectId': {'$in': objectIds}};
+    }
     var query = new RestQuery(config, auth, className, where, includeRestOptions);
     return query.execute({op: 'get'}).then((results) => {
       results.className = className;

src/RestWrite.js

@@ -102,8 +102,7 @@ RestWrite.prototype.getUserAndRoleACL = function() {
 
   if (this.auth.user) {
     return this.auth.getUserRoles().then((roles) => {
-      roles.push(this.auth.user.id);
-      this.runOptions.acl = this.runOptions.acl.concat(roles);
+      this.runOptions.acl = this.runOptions.acl.concat(roles, [this.auth.user.id]);
       return;
     });
   } else {