mirror of
https://github.com/discourse/discourse.git
synced 2025-05-26 08:51:52 +08:00
FEATURE: Add support for secure media (#7888)
This PR introduces a new secure media setting. When enabled, it prevents unauthorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required` is disabled, only media in private messages will be protected from unauthorized access.

A few notes:

- the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads
- the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured
- upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status
- when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error
- when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3

committed by
Martin Brennan

parent
56b19ba740
commit
102909edb3
@ -177,6 +177,7 @@ class PostCreator
|
||||
update_user_counts
|
||||
create_embedded_topic
|
||||
link_post_uploads
|
||||
update_uploads_secure_status
|
||||
ensure_in_allowed_users if guardian.is_staff?
|
||||
unarchive_message
|
||||
@post.advance_draft_sequence unless @opts[:import_mode]
|
||||
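Review bot: `update_uploads_secure_status` is added to the creation sequence with no condition, so it runs for every post, including posts without uploads and posts created in import mode (the `advance_draft_sequence` call two lines below is skipped with `unless @opts[:import_mode]`, this one is not). Nothing in the visible lines shows a guard, so please confirm that `Post#update_uploads_secure_status` returns early when secure media is disabled or the post has no uploads, or add the condition here. If the call relies on the links created by `link_post_uploads` just above it, a one-line comment stating that ordering requirement would keep a later reorder from silently leaving uploads with the wrong secure status.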
@ -366,7 +367,15 @@ class PostCreator
|
||||
end
|
||||
|
||||
def link_post_uploads
|
||||
@post.link_post_uploads
|
||||
disallowed_uploads = @post.link_post_uploads
|
||||
if disallowed_uploads.is_a? Array
|
||||
@post.errors.add(:base, I18n.t('secure_upload_not_allowed_in_public_topic', upload_filenames: disallowed_uploads.join(", ")))
|
||||
rollback_from_errors!(@post)
|
||||
end
|
||||
end
|
||||
|
||||
def update_uploads_secure_status
|
||||
@post.update_uploads_secure_status
|
||||
end
|
||||
|
||||
def handle_spam
|
||||
|
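Review bot: in `link_post_uploads`, the check `disallowed_uploads.is_a? Array` makes the return type of `@post.link_post_uploads` the only signal that a secure upload was rejected, and that contract is not stated anywhere in this hunk. If the model method ever returns an array for another reason (for example the result of an `each` or `map` as its last expression), valid posts are rolled back; if it stops returning one, secure uploads are linked into public topics with no error. Consider having it always return an array and testing `disallowed_uploads.present?`, or raising a dedicated error, and document the return value on the method. Specs for both paths (secure upload in a public topic is rejected, the same upload in a private message is accepted) would pin the behaviour. The new `update_uploads_secure_status` wrapper is a bare delegation; a short comment on when it changes an upload's status would help readers of `PostCreator`.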