The ApplyVersionFilters (v3) and VersionFilters (v3) classes don't directly enforce stage permissions. You need to also have the canview plugin in place, then permissions are enforced as expected because Versioned->canViewVersioned() hooks into DataObject->canView() and takes the stage context into account on the object. But it'll return you an empty list without an error message, which is pretty confusing.
If that's the desired behaviour, we should make it very clear that enforcing stage security relies on a combo with another plugin. This would also be inconsistent with ReadVersions and VersionedResolver, both of which use canViewStage() directly without relying on another plugin.
If we want to throw a (clearer) error message instead, I had this check in place in applyList():
    if (!in_array($mode, [Versioned::LIVE])) {
        if (!singleton($list->dataClass())->canViewVersioned()) {
            throw new \LogicException(sprintf('User is not allowed to use mode "%s"', $mode));
        }
    }
Note that canViewVersioned() has the following docs which indicate this isn't correct usage:
This is expected to be called by canView, and thus is only responsible for denying access if
the default canView would otherwise ALLOW access. Thus it should not be called in isolation
as an authoritative permission check.
We can't provide a specific error message by checking canView() though, and canViewStage() isn't granular enough (some users can view drafts but not archive mode).
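The three behaviours discussed in this issue, as a stand-alone PHP model added here for illustration; it is not code from the issue or from the SilverStripe project. `Viewer`, `canUseMode()`, `readList()` and the policy names are hypothetical, and per-mode permissions are an assumption made to show the draft-versus-archive granularity the issue mentions.

```php
<?php
declare(strict_types=1);

// Stand-alone model; every name here is hypothetical, nothing is SilverStripe API.
const LIVE = 'LIVE';
const DRAFT = 'DRAFT';
const ARCHIVE = 'ARCHIVE';

final class Viewer
{
    /** @param string[] $modes modes this user may read in addition to LIVE */
    public function __construct(private array $modes = []) {}

    public function canUseMode(string $mode): bool
    {
        return $mode === LIVE || in_array($mode, $this->modes, true);
    }
}

/**
 * $policy: 'none'   = version filter only, no permission check
 *          'filter' = records are dropped one by one by a later canView-style check
 *          'throw'  = mode is checked up front and refused with a specific error
 */
function readList(array $records, string $mode, Viewer $viewer, string $policy): array
{
    if ($policy === 'throw' && !$viewer->canUseMode($mode)) {
        throw new LogicException(sprintf('User is not allowed to use mode "%s"', $mode));
    }
    $list = array_filter($records, fn(array $r): bool => $r['mode'] === $mode);
    if ($policy === 'filter') {
        $list = array_filter($list, fn(array $r): bool => $viewer->canUseMode($r['mode']));
    }
    return array_values($list);
}

// Constructed sample data: one record per mode, and a user allowed drafts but not archive.
$records = [['id' => 1, 'mode' => LIVE], ['id' => 2, 'mode' => DRAFT], ['id' => 3, 'mode' => ARCHIVE]];
$viewer = new Viewer([DRAFT]);

foreach (['none', 'filter', 'throw'] as $policy) {
    try {
        $ids = array_column(readList($records, ARCHIVE, $viewer, $policy), 'id');
        printf("%-6s -> ids [%s]\n", $policy, implode(',', $ids));
    } catch (LogicException $e) {
        printf("%-6s -> %s\n", $policy, $e->getMessage());
    }
}
```

With the `filter` policy the caller cannot tell "no archived records exist" from "you may not read archived records", which is the confusion the issue describes.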