This was initially reported by @JKingsnorth as a security issue (#156628), but the maintainer @mpotter confirmed this was by design and only the documentation needs to be improved.

Original report:
=====

Summary

When uploading files to private content via the Media Browser, none of OA's custom access control is applied, so the file is visible to anonymous users. The files can then be accessed by users guessing the numeric file ID in sequence.

Steps to recreate

From a blank installation of OA:
* As admin, create a new space. Make the space 'Private'.
* Add a section to the space 'Private section'
* Use the WYSIWYG editor 'Media Browser' to upload a file or image and insert it into the body content. Save the section.
* Click on the file in the content to access the 'file' page (e.g. /file/69). Note the URL.

* Log out and paste the URL into the browser
* Notice that an anonymous user can see (and if a pdf, download) the file - which is not the expected behaviour.

Possible solution

The correct way to access control content is to attach the file to the content via the attachments field, or via the 'media' paragraph. But users will not always do this.

The media browser does register that the file is in use by the content in the file usage table. So when checking 'view' access to a file you could look up the file's usage (file_usage_list), perform an access check on each usage, and return TRUE if they can see any of the content the file is attached to.
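As an added illustration of the check proposed above (not code from the report, from Open Atrium, or from the Drupal project), here is what that lookup looks like as a small Drupal 7 module. The module name `oa_wysiwyg_file_access` is hypothetical. It assumes the files live in the `private://` scheme (so `hook_file_download()` is consulted) and that the `file_entity` 7.x-2.x module provides the `/file/NN` page and its `hook_file_entity_access()` hook with the `FILE_ENTITY_ACCESS_*` constants; both assumptions are marked in the code. Note that, as the maintainer's response below points out, the check can only work where the usage rows actually point at the node that embeds the file.

```php
<?php
/**
 * @file
 * Hypothetical module (not part of Open Atrium) showing the usage-based
 * file access check described in the report: a user may view a file if
 * they may view at least one node the file is recorded as being used on.
 */

/**
 * Returns TRUE if $account can view any node recorded in file_usage for $file.
 *
 * file_usage_list() returns array(module => array(type => array(id => count))).
 * Only entries whose entity type is 'node' are considered; other usage
 * types (e.g. a user picture) are ignored so we never grant on them.
 */
function oa_wysiwyg_file_access_usage_allows($file, $account) {
  // The uploader may always see their own file, even before it is used.
  if (!empty($file->uid) && $file->uid == $account->uid) {
    return TRUE;
  }
  foreach (file_usage_list($file) as $module => $types) {
    if (empty($types['node'])) {
      continue;
    }
    foreach (array_keys($types['node']) as $nid) {
      $node = node_load($nid);
      // node_access() runs node_access grants and hook_node_access(), so
      // OA's space/section visibility rules apply here.
      if ($node && node_access('view', $node, $account)) {
        return TRUE;
      }
    }
  }
  return FALSE;
}

/**
 * Implements hook_file_download().
 *
 * Core only calls this for private:// files. Returning -1 denies the
 * download outright; returning NULL leaves the decision (and the response
 * headers) to the module that owns the file.
 */
function oa_wysiwyg_file_access_file_download($uri) {
  if (file_uri_scheme($uri) !== 'private') {
    return NULL;
  }
  $files = file_load_multiple(array(), array('uri' => $uri));
  $file = reset($files);
  if (!$file) {
    return NULL;
  }
  global $user;
  return oa_wysiwyg_file_access_usage_allows($file, $user) ? NULL : -1;
}

/**
 * Implements hook_file_entity_access().
 *
 * Assumes file_entity 7.x-2.x, which guards the /file/NN page with this
 * hook. Deny 'view' when no visible node uses the file; otherwise ignore so
 * other modules' decisions still stand.
 */
function oa_wysiwyg_file_access_file_entity_access($op, $file, $account) {
  if ($op !== 'view' || !is_object($file)) {
    return FILE_ENTITY_ACCESS_IGNORE;
  }
  return oa_wysiwyg_file_access_usage_allows($file, $account)
    ? FILE_ENTITY_ACCESS_IGNORE
    : FILE_ENTITY_ACCESS_DENY;
}
```

To try it, enable the module, repeat the steps above, and confirm that the logged-out request for /file/69 and for the private download URL is now refused, while a member of the private space can still open both. A file with no node usage at all (for example one just uploaded and not yet saved into a section) is denied to everyone except its uploader, which is the safe default against the sequential ID guessing the report describes.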

Response:
=====
"This is actually 'by design' and maybe just needs better documentation. File access in Open Atrium is only done on files attached to the Attachments field (on the node itself, or via Paragraphs). Files embedded via the WYSIWYG are not controlled. The problem is that the file_usage only keeps track of file counts and the id of a single node. So while it could work for new files uploaded to the WYSIWYG, it would not work for existing media that you can select in the Media Browser and re-use."

"Maybe a note in the readme linking to a new doc page for 'File access control' or 'Securing files' or something suitably obvious? I don't mind helping out with the doc page if that's the way forward."

Comments

dokumori created an issue. See original summary.

Argus:

Please write the documentation yourself and add it to the documentation pages!

dokumori:

Please ask the original reporter. I'm just a messenger.

Argus:

Status: Active » Closed (won't fix)

OK, closing this then.