Add no-access table-level and schema-level permission (#46542)
* allow `:blocked` to be saved for table level perms
* Adds 2 tests for table level blocked permission settings
  - N.B. these are NOT ENFORCED YET
* update test that asserted we cannot set block on tables (we can)
* WIP: Pairing on making perms checking less wild
* cleanup, update docs, and add a test for view-data perm only
  - Added a test where we have data permissions, but not create query, and I think it is failing when we have create query and blocked data permissions.
  - renamed some functions from check-x -> has-x? since they return a value instead of throwing now
* Revert "WIP: Pairing on making perms checking less wild"
  Keep the same behavior, but stick with the saner flow control
  This reverts commit 63bcb5b4.
* update docs
* update test to be passing
  - TODO: make sure it's correct w.r.t. perm settings
* Allow schema level blocked setting in permgraph
* remove invalid test cases
  - continue to have a forcing function to test newly added perms
* conform function output
* ensure a single blocked table blocks native queries to its DB
* update error message
  - we now catch this error in `metabase.models.query.permissions/has-perm-for-query?`
* we now check for data permissions to process query for card
* add more explanation to what we are testing
  - to help see why it fails on CI and passes locally
* remove excess `def`
* Add test for table-level data X collection perms
  - update test found to be in-error
* update param values qp permission check style
* set view-data and create-query explicitly
* set viewdata and createquery explicitly in qp test
* Respond to review comments (which fixes a case)
* setting a table to blocked: leave other tables the same
* [Permissions] Add "No access" schema/table permission (#46509)
* first pass
* refactors downgrading native permission logic and updates calculation so that "No access" downgrades native permissions to "No"
* stub for permissions help info on table block
* modal changes wip, updates downgrading create queries permissions to all happen at a single call site
* clean up, sandboxing modal copy changes, removes revoke/limit access modal changes to make the diff smaller and move code to a separate PR
* updates permissions help section to contain the final copy
* sandboxing copy fix and remove modal that was dropped from requirements
* adds blocked at the schema level, updates no access copy to blocked, updates permissions help section to contain new blocked and schema level changes
* fixes failed unit and e2e tests after sandboxing copy changes
* improve the block e2e test to include table blocking
* fixes failing blocked test, fixes other schemas create queries permissions getting correct with one schema was dropped to blocked view data access, fixes a bug that prevents the save bar from going away when all permissions for group are set to the default values
* clean up
* remove color changes
* prevents parent being set to blocked preventing edits for children entities
* add new hasPermissionValueInSubgraph fn, adds modal to warn users we have to upgrade the view data permissions when they upgrade create queries permissions when a child entity is set to blocked
* adds test coverage for new modal
* removes unused function, adds new updateEntityPermission fn to help consolidate some logic elsewhere
* unit test fix and type fix
* most pr feedback
* updates the confirmation modal copy when changing a parent entity that contains a child with blocked permissions and/or sandboxed children, adds test coverage for that, adds test coverage for permission view data column not appearing in oss
* type fix
* [Permissions] Add e2e test coverage for blocked permissions enforcements (#46663)
* adds test coverage for enforcement of blocked permissions
* moves tests around based on pr feedback
* copy changes
* adds fix to make sure that blocked permissions are not removed from sibling tables that have the create queries permissions upgraded (#46854)
* Fix table name lookup for dbs w/ 1 schema per db
* add test for blank schema identifiers
* Refine sandboxed user perms for query builder access (#46939)
* Refine sandboxed user perms for query builder access
  - Limit create-queries permissions to unblocked tables only
  - Check user permissions for each table before granting query builder access
  - Prevent querying of blocked joined tables from query builder for sandboxed users
* Adjust permissions for sandboxed users
  - Grant view-data permissions only for unblocked tables
  - Revert create-queries permissions to all tables in sandbox
  - Remove unnecessary intermediate variable
* when sandboxing we no longer grant unrestricted view perms for blocked tables
* Update enterprise/backend/src/metabase_enterprise/sandbox/query_processor/middleware/row_level_restrictions.clj
  remove blank line
  Co-authored-by: Noah Moss <32746338+noahmoss@users.noreply.github.com>
* make coalesce-test exhaustive (except for sandbox)
* Update enterprise/backend/src/metabase_enterprise/sandbox/query_processor/middleware/row_level_restrictions.clj
  Co-authored-by: Noah Moss <32746338+noahmoss@users.noreply.github.com>
* t2/select ... -> database/table-id->database-id
* update comment
* [Permissions] Prevent "Granular" option in DB View Data options from changing permissions to unrestricted (#46976)
* fix
* adds back most of the code and limits it to only happen with impersonations, updates test to handle differing logic between the two flows
* removes test that is no longer needed
* more sandbox join table perms tests

---------

Co-authored-by: John Swanson <john.swanson@metabase.com>
Co-authored-by: Sloan Sparger <sloansparger@users.noreply.github.com>
Co-authored-by: Sloan Sparger <sloansparger@gmail.com>
Co-authored-by: Noah Moss <32746338+noahmoss@users.noreply.github.com>
Showing
- e2e/support/helpers/e2e-permissions-helpers.js (24 additions, 0 deletions)
- e2e/test/scenarios/permissions/admin-permissions.cy.spec.js (10 additions, 0 deletions)
- e2e/test/scenarios/permissions/permissions-reproductions.cy.spec.js (0 additions, 39 deletions)
- e2e/test/scenarios/permissions/view-data.cy.spec.js (259 additions, 179 deletions)
- enterprise/backend/src/metabase_enterprise/sandbox/query_processor/middleware/row_level_restrictions.clj (14 additions, 2 deletions)
- enterprise/backend/test/metabase_enterprise/advanced_permissions/models/permissions/block_permissions_test.clj (3 additions, 3 deletions)
- enterprise/backend/test/metabase_enterprise/sandbox/api/card_test.clj (31 additions, 0 deletions)
- enterprise/backend/test/metabase_enterprise/sandbox/query_processor/middleware/row_level_restrictions_test.clj (32 additions, 2 deletions)
- enterprise/frontend/src/metabase-enterprise/advanced_permissions/graph.ts (54 additions, 17 deletions)
- enterprise/frontend/src/metabase-enterprise/advanced_permissions/graph.unit.spec.ts (12 additions, 1 deletion)
- enterprise/frontend/src/metabase-enterprise/advanced_permissions/index.js (13 additions, 16 deletions)
- enterprise/frontend/src/metabase-enterprise/sandboxes/components/EditSandboxingModal/EditSandboxingModal.tsx (7 additions, 6 deletions)
- enterprise/frontend/src/metabase-enterprise/sandboxes/components/EditSandboxingModal/EditSandboxingModal.unit.spec.tsx (3 additions, 3 deletions)
- frontend/src/metabase-types/api/permissions.ts (3 additions, 1 deletion)
- frontend/src/metabase/admin/permissions/components/DataPermissionsHelp/DataPermissionsHelp.tsx (29 additions, 1 deletion)
- frontend/src/metabase/admin/permissions/components/PermissionHelpDescription/PermissionHelpDescription.tsx (6 additions, 1 deletion)
- frontend/src/metabase/admin/permissions/permissions.js (19 additions, 12 deletions)
- frontend/src/metabase/admin/permissions/selectors/confirmations.tsx (74 additions, 22 deletions)
- frontend/src/metabase/admin/permissions/selectors/data-permissions/fields.ts (3 additions, 6 deletions)
- frontend/src/metabase/admin/permissions/selectors/data-permissions/permission-editor.ts (3 additions, 1 deletion)