(core) granular access control in the presence of schema changes

Summary:
 - Support schema changes in the presence of non-trivial ACL rules.
 - Fix update of `aclFormulaParsed` when updating formulas automatically after schema change.
 - Filter private metadata in broadcasts, not just fetches.  Censorship method is unchanged, just refactored.
 - Allow only owners to change ACL rules.
 - Force reloads if rules are changed.
 - Track rule changes within bundle, for clarity during schema changes - tableId and colId changes create a muddle otherwise.
 - Show or forbid pages dynamically depending on user's access to its sections. Logic unchanged, just no longer requires reload.
 - Fix calculation of pre-existing rows touched by a bundle, in the presence of schema changes.
 - Gray out acl page for non-owners.

Test Plan: added tests

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D2734

app/client/ui/LeftPanelCommon.ts

@@ -103,6 +103,11 @@ export const cssPageEntry = styled('div', `
     color: ${colors.light};
     --icon-color: ${colors.light};
   }
+  &-disabled, &-disabled:hover, &-disabled.weasel-popup-open {
+    background-color: initial;
+    color: ${colors.mediumGrey};
+    --icon-color: ${colors.mediumGrey};
+  }
   .${cssTools.className}-collapsed > & {
     margin-right: 0;
   }
@@ -126,6 +131,19 @@ export const cssPageLink = styled('a', `
   }
 `);
 
+// Styled like a cssPageLink, but in a disabled mode, without an actual link.
+export const cssPageDisabledLink = styled('span', `
+  display: flex;
+  align-items: center;
+  height: 32px;
+  line-height: 32px;
+  padding-left: 24px;
+  outline: none;
+  text-decoration: none;
+  outline: none;
+  color: inherit;
+`);
+
 export const cssLinkText = styled('span', `
   white-space: nowrap;
   overflow: hidden;

app/client/ui/Tools.ts

@@ -3,7 +3,7 @@ import { urlState } from "app/client/models/gristUrlState";
 import { showExampleCard } from 'app/client/ui/ExampleCard';
 import { examples } from 'app/client/ui/ExampleInfo';
 import { createHelpTools, cssSectionHeader, cssSpacer, cssTools } from 'app/client/ui/LeftPanelCommon';
-import { cssLinkText, cssPageEntry, cssPageIcon, cssPageLink } from 'app/client/ui/LeftPanelCommon';
+import { cssLinkText, cssPageDisabledLink, cssPageEntry, cssPageIcon, cssPageLink } from 'app/client/ui/LeftPanelCommon';
 import { colors } from 'app/client/ui2018/cssVars';
 import { icon } from 'app/client/ui2018/icons';
 import { Disposable, dom, makeTestId, Observable, styled } from "grainjs";
@@ -12,7 +12,7 @@ const testId = makeTestId('test-tools-');
 
 export function tools(owner: Disposable, gristDoc: GristDoc, leftPanelOpen: Observable<boolean>): Element {
   const aclUIEnabled = Boolean(urlState().state.get().params?.aclUI);
-
+  const isOwner = gristDoc.docPageModel.currentDoc.get()?.access === 'owners';
   return cssTools(
     cssTools.cls('-collapsed', (use) => !use(leftPanelOpen)),
     cssSectionHeader("TOOLS"),
@@ -20,9 +20,10 @@ export function tools(owner: Disposable, gristDoc: GristDoc, leftPanelOpen: Obse
     (aclUIEnabled ?
       cssPageEntry(
         cssPageEntry.cls('-selected', (use) => use(gristDoc.activeViewId) === 'acl'),
-        cssPageLink(cssPageIcon('EyeShow'),
+        cssPageEntry.cls('-disabled', !isOwner),
+        (isOwner ? cssPageLink : cssPageDisabledLink)(cssPageIcon('EyeShow'),
           cssLinkText('Access Rules'),
-          urlState().setLinkUrl({docPage: 'acl'})
+          isOwner ? urlState().setLinkUrl({docPage: 'acl'}) : null
         ),
         testId('access-rules'),
       ) :