Incorporate `public` and `forbidden` base fields in granular permissions

[slifty]

Base fields can be public and restricted -- right now we use those labels for various logic at the query level, but we can actually apply them in the permission checks. Ultimately these affect permission logic when viewing ProposalFieldValues and ChangemakerFieldValues.

To that end, we can update the has_proposal_field_value_permission (and eventually has_changemaker_field_value_permission) to have some extra logic depending on the related base field permission.