[#881] acl: Use session token from request at object.Put

Session token can be present in both object header and
request meta header. They are the same during initial object
placement.

At the object replication, storage node puts object without
any session tokens attached to the request. If container's eACL
denies object.Put for USER role (use bearer to upload), then
replication might fail on objects with session tokens
signed by container owner. It is incorrect, so use session
token directly from request meta header.

Signed-off-by: Alex Vanin <alexey@nspcc.ru>
Alex Vanin 2021-10-08 15:27:54 +03:00 committed by Alex Vanin
parent 0126f18531
commit d8f7fed10a

@ -381,7 +381,7 @@ func (p putStreamBasicChecker) Send(request *object.PutRequest) error {
return err
}
sTok := part.GetHeader().GetSessionToken()
sTok := request.GetMetaHeader().GetSessionToken()
req := metaWithToken{
vheader: request.GetVerificationHeader(),
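
Review bot: At `sTok := request.GetMetaHeader().GetSessionToken()`, the token is now nil for replication requests (the commit message says storage nodes attach none), so whatever consumes `metaWithToken` has to treat a nil token as "classify by the request signer" and not as a failure. The visible lines do not show that path. A test would pin the behaviour: Put an object whose header carries an owner-signed session token, send it without a request token, and use an eACL that denies USER. A short comment on this line saying the token in the object header is deliberately ignored for the ACL decision would also prevent a later revert to `part.GetHeader().GetSessionToken()`.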