Need an 'unchanged' validator for object updates

[mark-saeon]

Currently we use the 'empty' validator to ensure that ids of referenced objects (usually foreign keys) are not changed when updating objects. However, when it comes to authorization - which is not yet implemented - in some cases we will need to include referenced object ids in the update input dict, e.g. for updating workflow annotations on a metadata record, we need the metadata record id (so that we can check that the user has permission for that record) but it must remain unchanged.