Unauthorized updates to extended_info properties in /store/ajaxpackagesave

Due to incorrectly-implemented access control, partners were able to set the "extended_info" value on their own packages. This in turn enabled other security-impacting issues such as the ability to create externally-grantable and other special package types.