Attach non-public files

Here is one approach, using drupal variable to specify additional allowed paths.

Whoops, had the wrong if condition.

Thank you for the patch!
Admin UI for the new variable is desirable.

Your solution is ideal for images located in the site's theme directory.

Added admin UI for the new variable.

Added a related issue with an alternative approach (with an alter hook).

#13
You're right about "The problem with exposing a hook is that likely other modules won't have enough context to decide if it is safe to allow the file or not.".
I dropped the patch here and in the issue-queue more like a reference.

Regarding the security-issue.
The permission and public-file checks has been introduced and improved in 2 security commits:
- https://www.drupal.org/node/1719482
- https://www.drupal.org/node/2211419
Before those commit, you could attach everything (like settings.php).

It should be mentioned that this security issue in #14 also prevent files to be attached if they're inside the private file system.
See #2183955: Private File System and image not being embedded - Could someone advice me..

Thanks for the work done with this issue.
Patch from comment #11 works for us to allow mailing webform uploads from a private folder without having to allow every non-public file to be mailed as an attachment.

While I don't really see a scenario where an attacker can attach any file (who has access via shell or something can access any file and circumvent any security measures anyways), I think that the solution with additional paths in #11 just shifts the problem to a different realm.

On one hand, granting a role "send arbitrary files" restricts potential attackers to users of this role.

On the other hand, configuring allowed paths opens these paths up for any user and potential attacker no matter what role he/she has. This is okay for theme files, but not for private files.

The questions is: What is worse or less bad?

I like the file module's approach with hook_file_download_access() with which access can be determined on file basis. Maybe something like hook_mimemail_attachment_access() with _mimemail_file() passing it the whole attachment as set in hook_mail() instead of just the URL. This way a module implementing hook_mail() can set the attachment including data required for having enough context for access determination if necessary.

With Webform now defaulting to Private File system storage (if available), this patch brings valuable utility when used in conjunction with webform_clear, or if you have a non-drupal document workflow.

I'll post a patch with updated UI wording to more clearly (hopefully) explain the private file option alongside the theme option. We'll look at putting the patch through it's paces.

For the record, Private file systems can be broadly specified as Private:// or directly ../acquia-files/files-private - this works outside the docroot too.

Happy for any alternate suggestions on wording or configuration.

If we end up rolling out a Webform+webform_clear+mimemail+PrivateFiles workflow, we'll also endeavour to post a how-to for noobs.

(this time including the title label change and a screencap).

#20 Works as described.

Thanks so much for this!

This patch really needs test cases.

But I'll leave the issue at RTBC because the Mime Mail module doesn't have working tests for anything yet, so it would be a bit unfair to hold this patch back.

Adding test coverage is going to take some time, and it should be done incrementally rather than going back and trying to figure out what should be tested. That's why I think that this patch, which adds a new feature, should have tests written for it NOW so that we can see the feature works and prevent it from being broken by other code changes. And frankly having tests helps show the maintainer that this feature does the right thing and should be committed.