Lock published/public entities from update

[shirey]

On entity PUT calls if:
Publication.status == 'Published' or
Dataset.status == 'Published' or
Donor.data_access_level == 'public' or
Sample.data_access_level == 'public' or
Collection.doi_url is not (null or empty) or
Collection.registered_doi is not (null or empty) or
EPICollection.doi_url is not (null or empty) or
EPICollection.registered_doi is not (null or empty)

Reject the update with a 403 with the message "Permission denied on changing a published/public entity".

If an additional header of "X-HuBMAP-Update-Override: Override-Key <new secret override key specified in config file>" is found and the secret key matches the configured value, allow overwriting.

[kburke]

#830

@yuanzhou I haven't set you to review any of the PRs I created during your vacation, but we should carefully look this one over together.

• Confirm a few questions marked with KBKB comments
• Confirm the overall introduction of having more than one entity-level validator
• Confirm prior work which prevents modification of "public" entities can stay in place, even though it might not be reached now that a "before" validator has been introduced i.e. lines like this for Collection.
• I don't like how arguments are passed to entity validators, and I'd like to get your thoughts.