Fix/issue pointer permissions (#4141)

* Makes sure we don't override roles

* Reduces the query size whith pointer permissions

- Does not return as $and if not needed
- Returns just the query with the additional constraint

* Do not use $in if include is just of length 1

src/RestWrite.js

@@ -102,8 +102,7 @@ RestWrite.prototype.getUserAndRoleACL = function() {
 
   if (this.auth.user) {
     return this.auth.getUserRoles().then((roles) => {
-      roles.push(this.auth.user.id);
-      this.runOptions.acl = this.runOptions.acl.concat(roles);
+      this.runOptions.acl = this.runOptions.acl.concat(roles, [this.auth.user.id]);
       return;
     });
   } else {