Data authorization issue for Update/Patch operation
When the Storage service sends data authorization requests for an Update/Patch operation to the Policy service, only the new data record header info (ACLs and LegalTags) is sent; the existing data record header info is not included in the request. As a result, a user is able to update/patch a data record (based on the new ACLs/LegalTags) even when that user should have no permission to update/patch it (based on the existing record's ACLs/LegalTags).
Edited by Dadong Zhou
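The gap described above, as an added example that is not the Storage or Policy service code: a simplified model of the authorization decision, with the new-header-only check beside a check that also evaluates the stored header. `RecordHeader`, `policy_allows`, the group names and the legal tag are all hypothetical, constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RecordHeader:
    owners: frozenset       # ACL groups allowed to modify the record
    legal_tags: frozenset   # LegalTags attached to the record

def policy_allows(user_groups, header, valid_tags):
    """Hypothetical stand-in for the Policy service decision on ONE header."""
    return bool(user_groups & header.owners) and header.legal_tags <= valid_tags

def authorize_new_only(user_groups, existing, new, valid_tags):
    # Behaviour described in the issue: the stored header is never evaluated.
    return policy_allows(user_groups, new, valid_tags)

def authorize_existing_and_new(user_groups, existing, new, valid_tags):
    # The caller must be permitted on the record as stored AND on the
    # header the record will carry after the update/patch.
    return (policy_allows(user_groups, existing, valid_tags)
            and policy_allows(user_groups, new, valid_tags))

def run_cases():
    """Evaluate constructed sample requests; returns {case: (new_only, both)}."""
    valid_tags = frozenset({"sample-legal-tag"})
    stored = RecordHeader(frozenset({"data.team-a.owners"}), valid_tags)
    cases = {
        # Caller is not an owner of the stored record but supplies a new
        # header naming their own group as owner.
        "non_owner_rewrites_acl": (
            frozenset({"data.team-b.owners"}),
            RecordHeader(frozenset({"data.team-b.owners"}), valid_tags)),
        # Legitimate owner adds a second owner group.
        "owner_extends_acl": (
            frozenset({"data.team-a.owners"}),
            RecordHeader(frozenset({"data.team-a.owners",
                                    "data.team-b.owners"}), valid_tags)),
    }
    return {name: (authorize_new_only(groups, stored, new, valid_tags),
                   authorize_existing_and_new(groups, stored, new, valid_tags))
            for name, (groups, new) in cases.items()}

if __name__ == "__main__":
    for name, (new_only, both) in run_cases().items():
        print(f"{name}: new-only={new_only} existing+new={both}")
```

The two checks disagree only on the request from the non-owner, which is the case the issue reports.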