Comment 2 for bug 1430645

I think we can call the authorize callback for the original DELETE request before handling the version case to ensure the request is authorized to DELETE objects in the source container.

Then call the authorize callback again for the fall-through DELETE to the x-versions-location object (which may fail independently if the user doesn't have write access to the target.