* fix preview permissions not granting access to the draft's files if
  they are restricted
* also refactor the permission levels for shared access (links & grants)
  to be easier to handle
* the latter unfortunately introduces duplicate generators in the policy
  and is thus a bit wasteful - if that turns out to be a problem, that
  should be updated in the future (e.g. via sets)