M18 - Data authorization issue for Update/Patch operation

This is related to the issue reported in Storage repo: osdu/platform/system/storage#174 (closed).

Added tests in the pre-shipping policy service postman collection. We are having the following issues:

(1) For Storage Update api and the old Patch api (updateRecordsMetadata api): When the Storage service sends data authorization requests for Update/Patch operation to the Policy service, only the new data record header info (ACLs and LegalTags) are sent to the Policy service and the existing data record header info are not included in the request. So the user will be able to update/patch a data record (based on the new ACLS/LegalTags) when the user should have no permission to update/patch (based on the existing record ACLS/LegalTags).

(2) For the new Patch api (patchRecords api introduced in M17): the behavior is opposite to (1). When the Storage service sends data authorization requests for the new Patch operation to the Policy service, only the existing data record header info (ACLs and LegalTags) are sent to the Policy service and the new data record header info are not included in the request. So the user will be able to patch a data record (based on the existing ACLS/LegalTags) with the new ACLs/LegalTags which the user should have no permission to use.