The API list methods were not handling unscoped tokens correctly.
If the API is using the admin_or_owner-policy.yaml policy override file,
and a user used an unscoped token, the API will list objects for all
projects. This patch corrects that issue.
If you are using the default policies, the API handles unscoped tokens
correctly.
Change-Id: I88e64fd5e8a4c709f735be85b85139dbb52e4acd
(cherry picked from commit 9453701fb4)