(core) process GristDocAPI calls from custom widgets in the client

Summary:
Processing these calls in the client, rather than passing them on
to the backend, means that access rules are more straightforward to
apply.

An unrelated fix is included to filter _grist_ tables when fetched
individually - metadata could leak through this path.

Test Plan: added tests

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D2954

app/server/lib/ActiveDoc.ts

@@ -621,6 +621,20 @@ export class ActiveDoc extends EventEmitter {
 
     this._granularAccess.assertCanRead(tableAccess);
 
+    if (query.tableId.startsWith('_gristsys_')) {
+      throw new Error('Cannot fetch _gristsys tables');
+    }
+
+    if (query.tableId.startsWith('_grist_') && !await this._granularAccess.canReadEverything(docSession)) {
+      // Metadata tables may need filtering, and this can't be done by looking at a single
+      // table.  So we pick out the table we want from fetchMetaTables (which has applied
+      // filtering).
+      const tables = await this.fetchMetaTables(docSession);
+      const table = tables[query.tableId];
+      if (table) { return table; }
+      // If table not found, continue, to give a consistent error for a table not found.
+    }
+
     // Some tests read _grist_ tables via the api.  The _fetchQueryFromDB method
     // currently cannot read those tables, so we load them from the data engine
     // when ready.

app/server/lib/GranularAccess.ts

@@ -636,7 +636,7 @@ export class GranularAccess implements GranularAccessForBundle {
     // If user has right to read everything, return immediately.
     if (await this.canReadEverything(docSession)) { return tables; }
     // If we are going to modify metadata, make a copy.
-    tables = JSON.parse(JSON.stringify(tables));
+    tables = cloneDeep(tables);
 
     const permInfo = await this._getAccess(docSession);
     const censor = new CensorshipInfo(permInfo, this._ruler.ruleCollection, tables,