Fix web share permission access controls (#362)

* fix: align web share permission access UX

* chore: add test

* fix: keep full access grants reversible

* fix: improve landing page error details

* test: harden embedded database duplicate edits

Author: appflowy

playwright/bdd/features/page/full-access-share-management.feature

@@ -0,0 +1,86 @@
+@full-access-share-management
+Feature: FullAccess private page share panel controls
+  The fa0522 FullAccess share-management fixture already exists in the local AppFlowy Cloud database.
+  These scenarios verify the web share panel controls for owner, member, and guest users on private pages.
+
+  Background:
+    Given the seeded fa0522 full access share-management fixture exists
+
+  # Expected result: the private-page owner can manage shares and grant Full access.
+  Scenario: Owner sees share-management controls on a private page
+    Given I sign in as full access seeded "owner"
+    When I open the full access seeded "owner control private page"
+    And I open the share panel
+    Then the full access share panel shows seeded "owner" with "Full access"
+    And the share panel general access is "Restricted"
+    And the full access share panel can prepare an invite
+    And the full access invite access selector offers "Full access"
+
+  # Expected result: a workspace member with explicit FullAccess can manage sharing on the private page.
+  Scenario: FullAccess member sees share-management controls on a private page
+    Given I sign in as full access seeded "full access member"
+    When I open the full access seeded "member full access private page"
+    And I open the share panel
+    Then the full access share panel shows seeded "owner" with "Full access"
+    And the full access share panel shows seeded "full access member" with "Full access"
+    And the share panel general access is "Restricted"
+    And the full access share panel can prepare an invite
+    And the full access invite access selector offers "Full access"
+
+  # Expected result: a workspace member with edit access can open the share panel but cannot invite or grant access.
+  Scenario: Edit member sees read-only share-management controls on a private page
+    Given I sign in as full access seeded "edit member"
+    When I open the full access seeded "member edit private page"
+    And I open the share panel
+    Then the full access share panel shows seeded "owner" with "Full access"
+    And the full access share panel shows seeded "edit member" with "Can edit"
+    And the full access share panel invite controls are read-only
+    And the full access seeded "edit member" access menu only allows removing self
+
+  # Expected result: a workspace guest with explicit FullAccess can manage sharing on the private page.
+  Scenario: FullAccess guest sees share-management controls on a private page
+    Given I sign in as full access seeded "full access guest"
+    When I open the full access seeded "guest full access private page"
+    And I open the share panel
+    Then the full access share panel shows seeded "owner" with "Full access"
+    And the full access share panel shows seeded "full access guest" with "Full access"
+    And the share panel general access is "Restricted"
+    And the full access share panel can prepare an invite
+    And the full access invite access selector offers "Full access"
+
+  # Expected result: guests without FullAccess can open explicitly shared private pages but cannot manage sharing.
+  Scenario Outline: Non-FullAccess guests see read-only share-management controls
+    Given I sign in as full access seeded "<account>"
+    When I open the full access seeded "<page>"
+    And I open the share panel
+    Then the full access share panel shows seeded "owner" with "Full access"
+    And the full access share panel shows seeded "<account>" with "<access>"
+    And the full access share panel invite controls are read-only
+    And the full access seeded "<account>" access menu only allows removing self
+
+    Examples:
+      | account    | page                         | access   |
+      | edit guest | guest edit private page      | Can edit |
+      | read guest | guest read only private page | Can view |
+
+  # Expected result: a guest with Can view can open the private page but cannot change its title.
+  Scenario: Read guest cannot edit a private page title
+    Given I sign in as full access seeded "read guest"
+    When I open the full access seeded "guest read only private page"
+    Then the full access seeded page title is visible
+    And the full access page title cannot be edited to "fa0522 Read Guest Rename Probe"
+
+  # Expected result: a guest with Can edit can change the private page title.
+  Scenario: Edit guest can edit a private page title
+    Given I sign in as full access seeded "edit guest"
+    When I open the full access seeded "guest edit private page"
+    Then the full access seeded page title is visible
+    And the full access page title is editable
+    When I rename the full access page title to "fa0522 Edit Guest Rename Probe"
+    Then the full access page title is "fa0522 Edit Guest Rename Probe"
+
+  # Expected result: a workspace guest without an explicit page share cannot open the owner's private page.
+  Scenario: Unshared guest cannot open a private page
+    Given I sign in as full access seeded "no share guest"
+    When I open the full access seeded "owner control private page"
+    Then the full access seeded "owner control private page" is not opened

playwright/bdd/features/page/seeded-role-matrix.feature

@@ -0,0 +1,111 @@
+@seeded-role-matrix
+Feature: Seeded role matrix private page permissions
+  The rm0521 role-matrix fixture already exists in the local AppFlowy Cloud database.
+  These scenarios verify the web UI behavior for owner, member, guests, and nonmember accounts.
+
+  Background:
+    Given the seeded rm0521 role matrix fixture exists
+
+  # Expected result: a private page shared to a guest only lists the owner and that guest.
+  # Workspace co-owners, members, other guests, and nonmembers must not appear as inherited full-access users.
+  Scenario: Owner private page share panel only lists explicit guest access
+    Given I sign in as seeded "owner"
+    When I open the seeded "owner guest read private page"
+    And I open the share panel
+    Then the share panel shows seeded "owner" with "Full access"
+    And the share panel shows seeded "guest reader" with "Can view"
+    And the share panel does not show seeded "co-owner"
+    And the share panel does not show seeded "member"
+    And the share panel does not show seeded "guest writer"
+    And the share panel does not show seeded "guest no share"
+    And the share panel does not show seeded "nonmember"
+    And the share panel general access is "Restricted"
+
+  # Expected result: a private page shared to a workspace member lists that member with edit access,
+  # without leaking other workspace members or guests into the people-with-access list.
+  Scenario: Owner private page share panel lists explicit member access
+    Given I sign in as seeded "owner"
+    When I open the seeded "owner member write private page"
+    And I open the share panel
+    Then the share panel shows seeded "owner" with "Full access"
+    And the share panel shows seeded "member" with "Can edit"
+    And the share panel does not show seeded "co-owner"
+    And the share panel does not show seeded "guest reader"
+    And the share panel does not show seeded "guest writer"
+    And the share panel does not show seeded "guest no share"
+    And the share panel does not show seeded "nonmember"
+    And the share panel general access is "Restricted"
+
+  # Expected result: a read-only guest can open the explicitly shared private page,
+  # sees restricted general access, and cannot edit the page title.
+  Scenario: Guest reader can open the shared private page but cannot edit the title
+    Given I sign in as seeded "guest reader"
+    When I open the seeded "owner guest read private page"
+    Then the seeded page title is visible
+    And the page title is read-only
+    When I open the share panel
+    Then the share panel shows seeded "guest reader" with "Can view"
+    And the share panel general access is "Restricted"
+
+  # Expected result: a write guest can open and rename the explicitly shared private page.
+  Scenario: Guest writer can open and rename the shared private page
+    Given I sign in as seeded "guest writer"
+    When I open the seeded "owner guest write private page"
+    Then the seeded page title is visible
+    And the page title is editable
+    When I rename the page title to "rm0521 Writer BDD Rename Probe Private Page"
+    Then the page title is "rm0521 Writer BDD Rename Probe Private Page"
+
+  # Expected result: a workspace co-owner does not inherit access to another user's unshared private page.
+  Scenario: Co-owner cannot open the owner's unshared private page
+    Given I sign in as seeded "co-owner"
+    When I open the seeded "owner unshared private page"
+    Then the no access page is shown
+
+  # Expected result: a normal workspace member does not inherit access to another user's unshared private page.
+  Scenario: Member cannot open the owner's unshared private page
+    Given I sign in as seeded "member"
+    When I open the seeded "owner unshared private page"
+    Then the no access page is shown
+
+  # Expected result: a workspace member can open and edit a private page explicitly shared to them.
+  Scenario: Member can open the owner private page explicitly shared to them
+    Given I sign in as seeded "member"
+    When I open the seeded "owner member write private page"
+    Then the seeded page title is visible
+    And the page title is editable
+
+  # Expected result: a workspace member can open a page in a public space while it is public.
+  # After the owner changes that space to Private in the web UI, the same member loses access to
+  # the page and sees the no-access screen instead of the private-space content.
+  Scenario: Member loses access when a public space becomes private
+    Given I sign in as seeded "owner"
+    And I create a temporary public space page in the seeded workspace
+    When I open the temporary seeded page
+    Then the temporary seeded page title is visible
+    When I sign in as seeded "member"
+    And I open the temporary seeded page
+    Then the temporary seeded page title is visible
+    When I sign in as seeded "owner"
+    And I change the temporary seeded space permission to "Private"
+    And I sign in as seeded "member"
+    And I open the temporary seeded page
+    Then the no access page is shown
+    And the temporary seeded space is hidden from the sidebar
+    And the temporary seeded page editor is not visible
+
+  # Expected result: a guest with no explicit share cannot open workspace pages or another guest's shared private page.
+  Scenario: Guest with no page share cannot open seeded pages
+    Given I sign in as seeded "guest no share"
+    When I open the seeded "public page"
+    Then the no access page is shown
+    And the seeded page title is not visible
+    When I open the seeded "owner guest read private page"
+    Then the no access page is shown
+
+  # Expected result: a user outside the workspace cannot open the seeded workspace public page.
+  Scenario: Nonmember cannot open the workspace public page
+    Given I sign in as seeded "nonmember"
+    When I open the seeded "public page"
+    Then the no access page is shown
+    And the seeded page title is not visible