Add a new Inherited access control policy

[dylanmcreynolds]

Checklist

• Add a Changelog entry
• Add the ticket number which this PR closes to the comment section

The default TagAccessPolicy requires that every node in the tree be tagged with access_tags. I think this creates a lot of future maintenance. If I were to try and change access for container of, say, proposals, I would have to make sure to surgically change the access_tag of every node under the proposal container. I'd rather just change the proposal container.

We also use tiled for storing processed data. The current setup puts a lot of responsibility on applications writing to tiled to get know how to tag every node that it writes. Using inheritance eases this.

Introduces InheritedTagAccessPolicy, a new access policy that extends TagBasedAccessPolicy by walking the node hierarchy when a node has no access tags of its own. Instead of defaulting to no access, it looks up the nodes_closure table to find the nearest tagged ancestor and applies that ancestor's access control rules. It ends at the first ancestor node that has at least one tag and uses that.

Also adds AccessBlobInheritedFilter to support filtering nodes by inherited access, and includes tests covering inherited access scenarios.

[checkmarx-gh-ast-us-povs]

Checkmarx One – Scan Summary & Details – b6c866d4-ad42-4681-812d-a9db55f1e772

Great job! No new security vulnerabilities introduced in this pull request

---

Communicate with Checkmarx by submitting a PR comment with @Checkmarx followed by one of the supported commands. Learn about the supported commands here.