Allow protectedFields for Authenticated users and Public. Fix userField with keys/excludedKeys

[BufferUnderflower]

1. Allow set protectedFields for authenticated users and public. (Also allows more concise syntax 'authenticated' instead of 'requiresAuthentication' (both will work for now, even combined)
2. ProtectedFields by pointer userField:column were not applied if the column was not requested by client (either listed in excludeKeys or not included in keys)
3. Consistent behavior for any combination of protectedFields. Intersect all applicable sets of fields e.g. multiple roles / authenticated / userField will be intersected per set instead of overriding.

 it('should intersect protected fields when user belongs to multiple roles', async done => {
      const role1 = await createRole({ users: user1 });
      const role2 = await createRole({ users: user1 });

      const role1name = role1.get('name');
      const role2name = role2.get('name');

      await updateCLP({
        get: { '*': true },
        find: { '*': true },
        protectedFields: {
          [`role:${role1name}`]: ['owner'],
          [`role:${role2name}`]: ['test', 'owner'],
        },
      });

      // user has both roles
      await logIn(user1);
      const object = await obj1.fetch();

      // "owner" is a result of intersection
      expect(object.get('owner')).toBe(
        undefined,
        'Must not be visible - protected for all roles the user belongs to'
      );
      expect(object.get('test')).toBeDefined(
        'Has to be visible - is not protected for users with role1'
      );
      done();
    });

Let's say there are admin and moderator roles (or pointers). Admin is allowed to see some field, moder is not. Previously, if user had both roles he wouldn't see the field, because they were combined. But since he has at least one role allowing the field he should to be able to see the field. This is achieved by array intersection.

Same applies for other means of setting protectedFields:

protectedFields:  { 
  '*': ['fieldA','fieldB'] ,
   'authenticated': ['fieldA']`,
   'role:someRole': []'
} 

each of sets will be intersected, e.g. if the role explicitly allows all fields , intersection [fieldA,fieldB] vs [fieldB] vs [] results in [] and only users having this role will get all the fields.
For authenticated users: intersection of [fieldA, fieldB] vs [fieldB] results in [fieldB] - authenticated users will not see only fieldB.

For not authenticated users both fields are hidden.

[codecov]

Codecov Report

Merging #6415 into master will decrease coverage by 0.54%.
The diff coverage is 98.38%.

@@            Coverage Diff             @@
##           master    #6415      +/-   ##
==========================================
- Coverage   93.94%   93.39%   -0.55%     
==========================================
  Files         169      169              
  Lines       11734    11781      +47     
==========================================
- Hits        11023    11003      -20     
- Misses        711      778      +67

Impacted Files	Coverage Δ
src/Controllers/SchemaController.js	96.91% <100%> (+0.06%)	⬆️
src/Routers/ClassesRouter.js	97.93% <100%> (+1.09%)	⬆️
src/Controllers/DatabaseController.js	95.29% <97.72%> (+0.1%)	⬆️
...dapters/Cache/RedisCacheAdapter/KeyPromiseQueue.js	0% <0%> (-95.46%)	⬇️
src/Adapters/Cache/RedisCacheAdapter/index.js	14.28% <0%> (-83.68%)	⬇️
src/Routers/PushRouter.js	93.1% <0%> (-3.45%)	⬇️
src/Adapters/Storage/Mongo/MongoStorageAdapter.js	92.79% <0%> (-0.68%)	⬇️
src/RestWrite.js	93.48% <0%> (-0.17%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fd0b535...3dade6a. Read the comment docs.

[davimacedo]

It looks good to me. I am not sure about the item below though:

1. Allow set protectedFields for authenticated users and public. (Also allows more concise syntax 'authenticated' instead of 'requiresAuthentication' (both will work for now, even combined)

I think it is not a good idea to have two names for the same thing. @acinader @dplewis thoughts?

[BufferUnderflower]

Stumbled upon this old comment I though authenticated is a better description of a group of users than requiresAuthentication, just left the former variant for backwards compatibility. I'd propose to replace it in all the docs and may be drop completely by next major release or whenever. This also can be applied to CLP.

[davimacedo]

it may be a better name but I am not sure if it is worth to be done since it is a breaking change.

[BufferUnderflower]

Ok just realized there is no point in supporting requiresAuthentication for Protected Fields at all. Though for some reason it could pass validation regex before (used same regex as for CLP permissions) - it had no real effect anyway. So I'll only leave authenticated for Protected Fields.

[davimacedo]

LGTM!