In ReviewDb, CCs and reviewers with no votes were stored by using a PatchSetApproval with value 0. In NoteDb, this changed, and in the aforementioned cases we would not perform a proper permission check, which enabled any registered user to remove reviewers. This commit fixes the vulnerability and adds tests.

Change-Id: Ib173ca4af902602af345fc1367331beb325d275c