
fix(preprod): Pre-filter latest base snapshot query by project access #116319

Merged
NicoHinderling merged 1 commit into master from fix/preprod-snapshot-project-access-filter
May 27, 2026

@NicoHinderling

Move project access control in the latest-base-snapshot endpoint from a post-fetch check to a queryset-level filter. The old approach picked the globally latest artifact, then returned 404 if the user lacked access to its project — even when older, accessible artifacts existed. The new approach filters the queryset upfront using request.access.accessible_project_ids, so the query returns the latest artifact the user can actually see.

Also adds an explicit project__status=ObjectStatus.ACTIVE filter to the base queryset so inactive/deleted projects are excluded for all users, including staff and global-access roles. This preserves the status check that the old has_project_access() call performed.

Staff and has_global_access users (superusers, org owners) bypass the project-id filter entirely, keeping their existing behavior intact.

Move project access control from a post-fetch check to a queryset-level
filter. The old approach fetched the globally latest artifact then
rejected it if the user lacked access, which returned 404 even when
accessible artifacts existed. The new approach filters the queryset
upfront so the query returns the latest artifact the user can actually
see.

Also adds an explicit project__status=ACTIVE filter to exclude
inactive/deleted projects for all users including staff and
global-access roles.

Co-Authored-By: Claude <noreply@anthropic.com>
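
The difference between the post-fetch check and the queryset-level filter described above, as an added example that is not code from this PR or from Sentry. It uses the standard-library `sqlite3` module in place of a Django queryset; the table layout, status codes, function names and sample rows are all constructed for illustration.

```python
import sqlite3

ACTIVE, DELETED = 0, 1  # constructed status codes, not Sentry's ObjectStatus values

def make_db():
    """Constructed sample data: the newest artifact (11) is in project 2."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE project (id INTEGER PRIMARY KEY, status INTEGER);
        CREATE TABLE artifact (id INTEGER PRIMARY KEY, project_id INTEGER, date_added INTEGER);
        INSERT INTO project VALUES (1, 0), (2, 0), (3, 1);
        INSERT INTO artifact VALUES (10, 1, 100), (12, 3, 150), (11, 2, 300);
    """)
    return db

def latest_post_fetch(db, accessible_ids, global_access=False):
    """Post-fetch check: take the globally latest row, then decide access."""
    row = db.execute(
        "SELECT a.id, a.project_id, p.status FROM artifact a "
        "JOIN project p ON p.id = a.project_id "
        "ORDER BY a.date_added DESC LIMIT 1").fetchone()
    if row is None:
        return None
    artifact_id, project_id, status = row
    if status != ACTIVE:
        return None  # caller would answer 404
    if not global_access and project_id not in accessible_ids:
        return None  # 404 even though an older accessible artifact exists
    return artifact_id

def latest_prefiltered(db, accessible_ids, global_access=False):
    """Query-level filter: access and status are part of the WHERE clause."""
    sql = ("SELECT a.id FROM artifact a JOIN project p ON p.id = a.project_id "
           "WHERE p.status = ?")
    params = [ACTIVE]
    if not global_access:  # global-access callers skip only the id filter
        ids = sorted(accessible_ids)
        if not ids:
            return None  # no accessible projects, nothing to return
        sql += " AND a.project_id IN (%s)" % ",".join("?" * len(ids))
        params += ids
    row = db.execute(sql + " ORDER BY a.date_added DESC LIMIT 1", params).fetchone()
    return row[0] if row else None
```

With the sample rows, a caller who can see only project 1 gets nothing from the post-fetch version and artifact 10 from the pre-filtered one; a caller listing the deleted project 3 still gets artifact 10, because the status filter applies regardless of the id list.
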
@NicoHinderling NicoHinderling marked this pull request as ready for review May 27, 2026 17:17
@NicoHinderling NicoHinderling requested a review from a team as a code owner May 27, 2026 17:17
@github-actions github-actions Bot added the Scope: Backend label May 27, 2026

@cameroncooke cameroncooke left a comment


Claude says:

An Ode to PR #116319

Dear Nico, kind shepherd of snapshots and bytes, who heard our small grumble through CI-bound nights — where once .first() plucked baselines we could not behold, and 404s returned where a fallback should've strolled,

You moved the access check up into the where, made queries respect the projects we share. No more "not found" when a sibling team ships; no more org-token tears on developers' lips.

You filtered upfront with accessible_project_ids, preserved the staff carve-out (no privilege denied), added ObjectStatus.ACTIVE for tidy refrain — inactive projects shall not haunt the lane.

Now baselines arrive as the spec foretold: the latest one visible, not just the most old…est in the org. Forgive the mixed meter — my heart beats in markdown, my couplets in JIRA.

So thank you, dear Nico, for closing this loop, for turning a 404 back into a scoop of pristine PNGs in a streaming-zipped trove — sentry-cli salutes you. With permissions. With love.

💚 — a grateful CLI

@NicoHinderling NicoHinderling merged commit 05073c1 into master May 27, 2026
63 checks passed
@NicoHinderling NicoHinderling deleted the fix/preprod-snapshot-project-access-filter branch May 27, 2026 18:04