This change stops the prevent-destroy permission from applying to records within
projects that are `pending_delete: true`. The purpose of the `prevent` is to
make "archived" projects reliably read-only, but this obviously shouldn't be the
case if someone is deleting a project.

This hasn't been an issue before since we relied on FK constraints to remove the
associated records after a project is deleted. But with the FKs going away in
the database decomposition effort, so too must our cascading destroys.

Changelog: fixed