Splitting this off from #1818104: Port the sandbox-to-full permissions to D7.

Now that we've got a bit of a UX WTF with all the project-related CRUD permissions, it'd be nice to add a requirement check such that if a role has any of the node.module CRUD permissions for a given project node type, we check to ensure that role also has some kind of appropriate corresponding project* sandbox vs. full CRUD permission.

Definitely not necessary before the d.o D7 launch, but I wanted to capture this for a follow-up clean up some day (perhaps after #1818168: Move all sandbox vs. full functionality into a separate project_promote module is done).