Roundup Tracker - Issues

Message2207

Author anonymous
Recipients
Date 2006-03-02.23:46:45
Message-id
In-reply-to
I want users to be able to edit only issues they have created.
So, in schema.py, I have these settings:

def own_issue(db, userid, nodeid):
    return userid == db.issue.get(nodeid, 'creator')
p = db.security.addPermission(name='Edit',
    klass='issue', check=own_issue,
    description="User is allowed to edit an issue if it is the creator")
db.security.addPermissionToRole('User', p)

It works well with the web interface, but with mailgw it
doesn't work: users can edit any issue they want.

In MailGW.handlemessage in mailgw.py, lines 853-854,
there is:

if nodeid:
    if not self.db.security.hasPermission('Edit', author, classname):

So it calls Security.hasPermission in security.py, and
on line 182:

if perm.test(self.db, permission, classname, property,
                        userid, itemid):

It calls Permission.test, and on line 49:

# check code
if itemid is not None and self.check is not None:
    if not self.check(db, userid, itemid):
        return 0

# we have a winner
return 1

As itemid is None, it will return 1, and the user will be
able to edit the issue.

If, in MailGW.handlemessage, you pass nodeid as an argument:

if nodeid:
    if not self.db.security.hasPermission('Edit', author,
            classname, itemid=nodeid):

Permission.test returns 0, and the user cannot edit the issue
anymore.
History
Date                 User   Action  Args
2009-02-03 14:21:41  admin  link    issue1442145 messages
2009-02-03 14:21:41  admin  create
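
A minimal model of the check described in this message, added here as an illustration and not taken from Roundup's source: the `Permission` and `Security` classes, the dictionary `db` and the helper `compare_calls` are simplified stand-ins (assumptions). It compares the class-level call with the call that passes the item id, for the owner and for another user.

```python
# Simplified model of the check logic quoted in the message above.
# These classes are stand-ins written for this example, not Roundup's code.

class Permission:
    def __init__(self, name, klass, check=None):
        self.name, self.klass, self.check = name, klass, check

    def test(self, db, permission, classname, userid, itemid):
        if permission != self.name or classname != self.klass:
            return 0
        # Same shape as the quoted check: skipped entirely when itemid is None.
        if itemid is not None and self.check is not None:
            if not self.check(db, userid, itemid):
                return 0
        return 1


class Security:
    def __init__(self, db, role_perms):
        self.db, self.role_perms = db, role_perms

    def has_permission(self, permission, userid, classname, itemid=None):
        role = self.db["users"][userid]["role"]
        return int(any(p.test(self.db, permission, classname, userid, itemid)
                       for p in self.role_perms.get(role, [])))


def own_issue(db, userid, nodeid):
    return userid == db["issues"][nodeid]["creator"]


def build_demo():
    # Constructed sample data: issue "1" belongs to alice, bob is another user.
    db = {"users": {"alice": {"role": "User"}, "bob": {"role": "User"}},
          "issues": {"1": {"creator": "alice"}}}
    return Security(db, {"User": [Permission("Edit", "issue", own_issue)]})


def compare_calls(sec, userid, nodeid):
    """Return (class-level result, item-level result) for the same request."""
    class_level = sec.has_permission("Edit", userid, "issue")  # no itemid, as in the quoted mailgw call
    item_level = sec.has_permission("Edit", userid, "issue", itemid=nodeid)  # nodeid passed
    return class_level, item_level


if __name__ == "__main__":
    sec = build_demo()
    print("bob on alice's issue:  ", compare_calls(sec, "bob", "1"))
    print("alice on her own issue:", compare_calls(sec, "alice", "1"))
```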