Message2537
Property permissions are not checked at all by the current implementation of the xmlrpc server.
This enables users to edit/view properties they are not allowed to according to security settings.
The following exported methods are affected: `list`, `display`, and `set`.
The attached patch fixes these methods by passing the properties that are set/viewed to `security.hasPermission`.
I was unable to come up with a unittest for this because the xmlrpc testcase uses test/db_test_base, which simply copies the classic template - and its schema doesn't have any property-specific permissions that could be used for that.
The attached patch also fixes the bugs that I've reported but that haven't been addressed so far:
[ 1893931 ] xmlrpc: commit & close database
[ 1893839 ] test_xmlrpc: use all available backends
Please review and merge.

| Date | User | Action | Args |
|---|---|---|---|
| 2009-02-03 14:22:14 | admin | link | issue1907211 messages |
| 2009-02-03 14:22:14 | admin | create | |
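
The class of bug reported in this message, as an added example that is not part of the original report, the attached patch, or Roundup's code: a handler that checks only class-level access next to one that passes every requested property to a `hasPermission` check. The `Security` class, `DB`, `SEC`, the handler names and the sample data are hypothetical and constructed for illustration.

```python
# Constructed model of per-property permission checks in an RPC handler.
# Not Roundup code: Security, DB and the handlers below are hypothetical.

class Security:
    """grants: (role, permission, classname, props); props=None covers all properties."""
    def __init__(self, grants, user_roles):
        self.grants, self.user_roles = grants, user_roles

    def hasPermission(self, permission, userid, classname, property=None):
        roles = self.user_roles.get(userid, ())
        for role, perm, cls, props in self.grants:
            if role not in roles or perm != permission or cls != classname:
                continue
            # Assumption: a class-level check (property=None) is satisfied by any
            # grant on the class; a property check needs the property to be covered.
            if property is None or props is None or property in props:
                return True
        return False

# Constructed sample data.
DB = {("user", "1"): {"username": "alice", "phone": "555-0100", "roles": "User"}}
SEC = Security(
    grants=[("User", "View", "user", ("username",)),
            ("User", "Edit", "user", ("phone",)),
            ("Admin", "View", "user", None), ("Admin", "Edit", "user", None)],
    user_roles={"u1": ("User",), "root": ("Admin",)},
)

def display_unchecked(userid, classname, itemid, *props):
    """Class-level check only: every requested property is returned."""
    if not SEC.hasPermission("View", userid, classname):
        raise PermissionError("View denied on " + classname)
    item = DB[(classname, itemid)]
    return {p: item[p] for p in (props or item)}

def _require(permission, userid, classname, props):
    for p in props:
        if not SEC.hasPermission(permission, userid, classname, property=p):
            raise PermissionError(f"{permission} denied on {classname}.{p}")

def display_checked(userid, classname, itemid, *props):
    item = DB[(classname, itemid)]
    _require("View", userid, classname, props or item)
    return {p: item[p] for p in (props or item)}

def set_checked(userid, classname, itemid, **values):
    _require("Edit", userid, classname, values)  # check all before writing any
    DB[(classname, itemid)].update(values)
```

A regression test for this kind of fix needs a schema with at least one property-restricted permission, as in the constructed grants above.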