
[WX-1764] Fix improper authorization for POST list method permissions #339

Merged
merged 4 commits into from
Sep 11, 2024

Conversation

salonishah11
Contributor

@salonishah11 salonishah11 commented Sep 9, 2024

Jira: https://broadworkbench.atlassian.net/browse/WX-1764

Changes to POST /api/v1/methods/permissions API response:

  • removes extra information that was included in the response and that should not be returned for unauthorized access or for an entity that doesn't exist
  • entity information that was already present in the request is still returned for unauthorized access, so as not to break existing expectations and with the intention of keeping the changes minimal

Note: I decided not to change anything for the PUT API for upserting permissions because it seems the response for this API, even for unauthorized access, only returns information that was already present in the request. This shouldn't be a problem and was confirmed with AppSec (see this comment). I had initially tried to change the response to return an empty entity and acls for an unauthorized user but reverted that change as I am not sure how and where this API is used and didn't want to break any existing expectations. And since it is fine from a security perspective there is no need to change it currently.

Request body for POST /api/v1/methods/permissions

[
  {
    "namespace": "example-namespace",
    "name": "example-name",
    "snapshotId": 1
  }
]

Response for POST /api/v1/methods/permissions
BEFORE

[
  {
    "acls": [],
    "entity": {
      "managers": [
        "groot@gmail.com",
        "rocket.raccoon@gmail.com"
      ],
      "name": "example-name",
      "public": true,
      "snapshotId": 1,
      "namespace": "example-namespace"
    },
    "message": "Authorization exception for user abc@gmail.com attempting to exercise permission Manage on entity example-namespace.example-name.1."
  }
]

AFTER

[
  {
    "acls": [],
    "entity": {
      "namespace": "example-namespace",
      "name": "example-name",
      "snapshotId": 1
    },
    "message": "Authorization exception for user abc@gmail.com attempting to exercise permission Manage on entity example-namespace.example-name.1."
  }
]

  • Submitter: Include the JIRA issue number in the PR description
  • Submitter: Make sure Swagger is updated if API changes
  • Submitter: If updating admin endpoints, also update firecloud-admin-cli
  • Submitter: Check documentation and code comments. Add explanatory PR comments if helpful.
  • Submitter: JIRA ticket checks:
    • Acceptance criteria exists and is met
    • Note any changes to implementation from the description
    • To Demo flag is set
    • Release Summary is filled out, if applicable
    • Add notes on how to QA
  • Submitter: Update RC_XXX release ticket with any config or environment changes necessary
  • Submitter: Update FISMA documentation if changes to:
    • Authentication
    • Authorization
    • Encryption
    • Audit trails
  • Submitter: If you're adding new libraries, sign us up to security updates for them
  • Tell the tech lead (TL) that the PR exists if they want to look at it
  • Anoint a lead reviewer (LR). Assign PR to LR
  • Review cycle:
    • LR reviews
    • Rest of team may comment on PR at will
    • LR assigns to submitter for feedback fixes
    • Submitter rebases to develop again if necessary
    • Submitter makes further commits. DO NOT SQUASH
    • Submitter updates documentation as needed
    • Submitter reassigns to LR for further feedback
  • TL sign off
  • LR sign off
  • Product Owner sign off
  • Assign to submitter to finalize
  • Submitter: Verify all tests go green, including CI tests
  • Submitter: Squash commits and merge to develop
  • Submitter: Delete branch after merge
  • Submitter: Test this change works on dev environment after deployment. YOU own getting it fixed if dev isn't working for ANY reason!
  • Submitter: Verify swagger UI on dev environment still works after deployment
  • Submitter: Inform other teams of any API changes via Slack and/or email
  • Submitter: Mark JIRA issue as resolved once this checklist is completed

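The response shaping the PR describes, as an added illustration rather than code from this PR or the project it belongs to: an entry for an entity the caller may not Manage, or that does not exist, echoes back only the identifying fields that were in the request and never the stored managers/public values. The store contents, the success-entry shape, and names such as METHOD_STORE and ACL_STORE are constructed assumptions; the error message text is the one shown on the page.

```python
from typing import Any

# Constructed stand-in for the stored method records, keyed by
# (namespace, name, snapshotId); the names METHOD_STORE and ACL_STORE are assumptions.
METHOD_STORE: dict[tuple[str, str, int], dict[str, Any]] = {
    ("example-namespace", "example-name", 1): {
        "namespace": "example-namespace",
        "name": "example-name",
        "snapshotId": 1,
        "public": True,
        "managers": ["groot@gmail.com", "rocket.raccoon@gmail.com"],
    },
}
ACL_STORE: dict[tuple[str, str, int], list[dict[str, Any]]] = {
    ("example-namespace", "example-name", 1): [{"user": "groot@gmail.com", "roles": ["All"]}],
}
# The only fields a caller supplies per entity in the POST /api/v1/methods/permissions body.
REQUEST_FIELDS = ("namespace", "name", "snapshotId")


def permission_entry(req: dict[str, Any], caller: str) -> dict[str, Any]:
    """One response entry of POST /api/v1/methods/permissions for request entity `req`."""
    key = (req["namespace"], req["name"], req["snapshotId"])
    stored = METHOD_STORE.get(key)
    if stored is not None and caller in stored["managers"]:
        # Authorized manager: full record plus its ACLs (success shape is an assumption).
        return {"acls": ACL_STORE.get(key, []), "entity": dict(stored), "message": None}
    # Unauthorized caller or no such entity: both get the identical reduced shape,
    # so the entry discloses neither managers/public nor whether the entity exists.
    return {
        "acls": [],
        "entity": {k: req[k] for k in REQUEST_FIELDS},  # echo only what was sent
        "message": (f"Authorization exception for user {caller} attempting to exercise "
                    f"permission Manage on entity {key[0]}.{key[1]}.{key[2]}."),
    }


def leaked_fields(req: dict[str, Any], entry: dict[str, Any]) -> set[str]:
    """Regression check: entity fields in an error entry that the caller never supplied.

    Run against the BEFORE response this flags 'managers' and 'public'; AFTER yields none.
    """
    if entry["message"] is None:
        return set()  # a successful (authorized) entry may legitimately carry more
    return set(entry["entity"]) - set(req)


def list_permissions(requests: list[dict[str, Any]], caller: str) -> list[dict[str, Any]]:
    """Whole-response equivalent of the list call: one entry per requested entity."""
    return [permission_entry(r, caller) for r in requests]
```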
@salonishah11 salonishah11 changed the title [WX-1764] Fix improper authorization for POST and PUT method permissions [WX-1764] Fix improper authorization for POST list method permissions Sep 11, 2024
@salonishah11 salonishah11 marked this pull request as ready for review September 11, 2024 19:54
@salonishah11 salonishah11 merged commit 904ebc8 into develop Sep 11, 2024
7 checks passed
@salonishah11 salonishah11 deleted the sps_fix_security_issue branch September 11, 2024 20:22