Apache DolphinScheduler: The `/v2` experimental interface lacks permission checks

An authenticated attacker can call the `/v2` experimental API endpoints for `view-gantt`, `view-variables`, `start-workflow-instance`, or `batch-start-workflow-instance` with a `projectCode` belonging to another project. Because the server did not verify that the login user had permission on that project, the attacker could read another project's workflow instance details or trigger (rerun/backfill) another project's online workflows. No special privileges beyond a valid session are required.

The `viewGantt` and `viewVariables` endpoints in `WorkflowInstanceServiceImpl`, and the `triggerWorkflowDefinition` / `backfillWorkflowDefinition` endpoints in `ExecutorServiceImpl`, lacked project-level authorization checks. The patch adds calls to `projectService.checkProjectAndAuthThrowException()` in these methods and propagates the `projectCode` path variable through the controller layer.

The patch inserts `projectService.checkProjectAndAuthThrowException(loginUser, projectCode, RERUN)` (or `WORKFLOW_INSTANCE`) at the top of each vulnerable service method before any data is read or transformed. It also adds a cross-check that the resolved `WorkflowDefinition` belongs to the URL's `projectCode`, throwing `WORKFLOW_DEFINITION_NOT_EXIST` if they mismatch. The controller layer now propagates `projectCode` into the request builders so the service layer can perform the check.