Add configurable setting that enforces explicit AND between multiple node access modules

One problem that I've seen crop up several times in the Module Grants issue queue is that multiple node access modules don't interact in the way that the user would expect. One of the reasons for this, I think, is because the requirement that node access be granted for each and every node access module is too strict based on how most node access modules have been built.

Let me give an example. Let's say I have several node types, and am using a workflow with Workflow Access on only one of them. And let's also say that I'm using TAC-lite to limit access on a taxonomy that's only being used on one node type -- a different one that has the workflow. Here's what happens with Module Grants -- because the node type with the taxonomy doesn't have a workflow, all access is blocked to it because Workflow Access has nothing to say about it. And vice versa, all access is blocked to the node type with a workflow because TAC-lite has nothing to say about it. Only in the case where we want both TAC-lite and Workflow Access to operate on a particular node type does one get the expected behavior.

My solution for this is to add a configurable setting that, when enabled, enforces access for multiple node access modules only when *both* of them have a row in the node access table for that particular nid. In other words, it enforces an AND between multiple node access modules only when they have an explicit setting.

Attached is a patch that adds this setting. It works great on my local setup where I'm using Workflow Access and a second custom node access module that acts a lot like TAC-lite. Without it, I'd have to add empty shell workflows to multiple node types.

I think there's even an argument for making this the default setting, and using the setting to turn on the stricter implicit AND. But regardless, I think this option makes Modules Grants more useful in a wider range of applications.