Write permissions are not enforced on the file upload endpoint
I don't know how much of an issue this actually is. But I can't see any permission enforcement on the file upload endpoint. We only check that a valid token exists and the user can see the artifact being uploaded to.
Now, there probably isn't any real security risk here, because the file sizes and hashes have already been provided in the (properly-authenticated) artifact creation endpoint. The file upload itself is checked against these.
But there's obviously room for improvement here.
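
The check order described above, as an added example that is not the project's own code: the upload handler with the write check behind a switch, so the reported behaviour and the stricter one can be compared. All names, the reader/writer permission model, the status codes and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

@dataclass
class Artifact:  # hypothetical model, not the project's schema
    manifest: dict  # file name -> (size, sha256 hex), declared at creation
    readers: set = field(default_factory=set)
    writers: set = field(default_factory=set)

class UploadError(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status

def matches_manifest(artifact, name, body):
    """Integrity check: body must match the size and hash declared at creation."""
    declared = artifact.manifest.get(name)
    if declared is None:
        return False
    size, sha256_hex = declared
    digest = hashlib.sha256(body).hexdigest()
    return len(body) == size and hmac.compare_digest(digest, sha256_hex)

def upload_file(artifact, user, name, body, enforce_write=True):
    """Return 201 or raise UploadError. enforce_write=False models the reported gap."""
    if user is None:  # None stands for a missing or invalid token
        raise UploadError(401, "invalid token")
    if user not in artifact.readers | artifact.writers:
        raise UploadError(404, "artifact not visible")
    if enforce_write and user not in artifact.writers:
        raise UploadError(403, "write permission required")
    if not matches_manifest(artifact, name, body):
        raise UploadError(422, "size or hash mismatch")
    return 201

# Constructed sample data
BODY = b"constructed sample payload\n"
ARTIFACT = Artifact(
    manifest={"build.tar": (len(BODY), hashlib.sha256(BODY).hexdigest())},
    readers={"viewer"},
    writers={"maintainer"},
)

def status_of(user, body, enforce_write=True):
    try:
        return upload_file(ARTIFACT, user, "build.tar", body, enforce_write)
    except UploadError as exc:
        return exc.status
```

With `enforce_write=False`, the read-only user is accepted only when the bytes match the declared manifest exactly; with the write check on, that user gets a 403 before any content is inspected.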