- Issue created by @pfrenssen
The Webform module requires the "access webform configuration" permission to be granted for API usage. This is for a good reason: we are exposing the internals of the webform configuration, which comes with a risk of disclosing private information (such as administrative email addresses, API keys etc). For more info see #2956771: Sensitive information is disclosed via REST/jsonapi.
Now, since our goal is to expose Webform elements and we are not actively exposing risky Webform settings like the email handlers, in our domain the risk is limited. But in projects that are using both GraphQL and another REST API (like JSON:API), setting this permission risks disclosing the internals through the REST APIs.
We can solve this by providing a dedicated permission to expose webform configuration through GraphQL only.
Add the following permissions:
- access any webform configuration through graphql
- access own webform configuration through graphql
- access %webform_id webform configuration through graphql
One way is to implement this in a dedicated data producer. We are now using the EntityLoad data producer but this emits a normal $entity->access() check which does not pass on information whether or not we are inside of a GraphQL query. We can let the normal access check run its course, and then (if it does not forbid access) we can check our permissions.
Alternatively we can take the same approach as WebformEntityAccessControlHandler::checkAccess() and inspect the request to see if the request format and path are matching a GraphQL request. This can be done in hook_webform_access() probably.
Active
2.0
Code
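A sketch of the hook_webform_access() variant described in the issue, added here as an example and not code from the module or the issue author. The module name mymodule, the 'view' operation, and the "graphql.query." route-name prefix used to recognise a GraphQL request are assumptions.

```php
<?php

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\webform\WebformInterface;

/**
 * Implements hook_ENTITY_TYPE_access() for webform entities.
 *
 * Grants access through the GraphQL-only permissions, and only while a
 * GraphQL route is being served, so that JSON:API and core REST keep
 * depending on the broader webform configuration permission.
 */
function mymodule_webform_access(WebformInterface $webform, $operation, AccountInterface $account) {
  // Assumption: GraphQL server routes are named "graphql.query.<server>".
  $route_name = (string) \Drupal::routeMatch()->getRouteName();
  $is_graphql = strpos($route_name, 'graphql.query.') === 0;

  // Vary on the route so a result computed for a GraphQL request is never
  // reused for a REST or JSON:API request.
  $result = AccessResult::neutral()->addCacheContexts(['route.name']);

  // Assumption: reading webform configuration is the 'view' operation.
  if ($operation !== 'view' || !$is_graphql) {
    return $result;
  }

  $suffix = 'webform configuration through graphql';

  // "any" and the per-webform permission (%webform_id replaced by the ID).
  $grant = AccessResult::allowedIfHasPermissions($account, [
    "access any $suffix",
    "access {$webform->id()} $suffix",
  ], 'OR');

  // "own": the account must also be the owner of the webform.
  $own = AccessResult::allowedIf(
    $account->isAuthenticated()
    && (int) $webform->getOwnerId() === (int) $account->id()
    && $account->hasPermission("access own $suffix")
  )->cachePerUser()->cachePerPermissions()->addCacheableDependency($webform);

  return $result->orIf($grant)->orIf($own);
}
```

The hook result is combined with the access control handler's own result, so this only grants access where the handler does not return forbidden; the three permissions still have to be declared by the module.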