Consistent and flexible derivative access check

Tests failed, I guess the reason is that we check access before the file exists, so we can't return the proper headers and stuff. To be able to support this, I guess we need to move the access check below actually creating the file. I don't think that is a performance problem because having to create the derivate is a one-time special case anyway and is slow already.

Note: This looks a bit confusing, but what happens is that image.module translates the derivate url to the original url and calls hook_file_download() again and allows access if access to the original image is allowed.

What this change actually consistently allows is applying different access rules for different derivates (and different than the original). I think. Would be a good idea to add tests for that.

And more:

• Derivative should NOT have hardcoded the same access perms as the original. Modules must be able to give derivatives different access perms than the original. Imagine a picture store/gallery where we want to serve anonymous visitors with small, low resolution, watermarked thumbnails while we want to deny access to the original, high definition picture
• [Performance] Even more: Sitebuilders should be able to set derivatives as public (public://) while still having originals as private (private://). And this is not only for access reasons but for performance. For every small thumbnail on the same "poster store" the request is traversing Varnish, hitting Apache, hitting PHP and then hitting in the heart of Drupal. Why? This is too expensive.

My proposal:

1. Let modules decouple original from derivative in terms of access.
2. Let admins configure the derivative to be public (per-style setting only if private:// is enabled)
3. By default let the actual behavior.

After converting the image system to OOP I feel that this is a non-issue.

I'm closing it. Feel free to reopen if I was wrong.

english please.