Fix data for permission check in EventXhr
What does this MR do?
Enables it to foodsavers (non Event admins) to apply or reject to an event.
How confident are you it won't break things if deployed?
- added a test, or explain why one is not needed/possible... (hotfix for production. No time for testing this. Works on localhost)
- no unrelated changes
- asked someone for a code review
- joined #foodsharing-beta channel at https://slackin.yunity.org
- added an entry to CHANGELOG.md (description, merge request link, username(s))