(core) granular access control in the presence of schema changes

Summary:
 - Support schema changes in the presence of non-trivial ACL rules.
 - Fix update of `aclFormulaParsed` when updating formulas automatically after schema change.
 - Filter private metadata in broadcasts, not just fetches.  Censorship method is unchanged, just refactored.
 - Allow only owners to change ACL rules.
 - Force reloads if rules are changed.
 - Track rule changes within bundle, for clarity during schema changes - tableId and colId changes create a muddle otherwise.
 - Show or forbid pages dynamically depending on user's access to its sections. Logic unchanged, just no longer requires reload.
 - Fix calculation of pre-existing rows touched by a bundle, in the presence of schema changes.
 - Gray out acl page for non-owners.

Test Plan: added tests

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D2734

app/client/aclui/ACLUsers.ts

@@ -60,6 +60,7 @@ export class ACLUsersPopup extends Disposable {
     const doc = pageModel.currentDoc.get();
     if (doc) {
       const permissionData = await pageModel.appModel.api.getDocAccess(doc.id);
+      if (this.isDisposed()) { return; }
       this._usersInDoc = permissionData.users.map(user => ({
         ...user,
         access: getRealAccess(user, permissionData),

app/client/aclui/AccessRules.ts

@@ -152,6 +152,7 @@ export class AccessRules extends Disposable {
    * Replace internal state from the rules in DocData.
    */
   public async update() {
+    if (this.isDisposed()) { return; }
     this._errorMessage.set('');
     const rules = this._ruleCollection;
     [ , , this._aclResources] = await Promise.all([