ACL filtering applied via HQL/SQL do not account for entries inheritance

[arteymix]

Entities that can inherit ACEs are not properly treated by the generated HQL/SQL.

The challenging part is they may require an arbitrary number of jointures to traverse the ancestry, though in practice we only ever need to look at one or two parents.

The best example is a DEA performed on a subset: the analysis has the subset as a parent which in turn has a complete EE as parent. The ACEs are stored in the EE, requiring two level of indirection to get the appropriate permissions.

• warn or produce an error when an entity that is retrieved inherits its entries

[arteymix]

I'll mark this as low priority because it does not impact AD and EE filtering (except for subsets).

[arteymix]

This is fixed in two ways: first we don't allow SecuredChild to be subject to ACL filtering anymore (see 3d7ac36) and second we do not assign ACEs on children and will add a linter for this in #997.