We handle permissions incorrectly in the milestones resolver
Our guidance is that resolvers do not raise for missing permissions, but instead we must return null
.
This is violated in the milestones resolver, which performs permission checks up-front (good!) and then raises (bad!).
Instead we should just use a field authorization for these resolvers.