backdrop-issues
Add support for Private files to CKEditor/Filter module file uploading
Today's Drupal security release included a vulnerability in the D8 Editor module: https://www.drupal.org/SA-2017-001. In checking if we were affected by this issue, it has been determined that we are not affected because we do not support the feature that introduced it.
There is a suite of tickets on Drupal.org related to this issue:
- #2744197: Proper private file support for images uploaded via EditorImageDialog
- #2841761: Bugfix for proper private file support for images uploaded via EditorImageDialog
- And a security issue that was fixed today that we can't link to.
It would be good if we could support such a feature though. Right now you can cause a problem with private files by doing the following:
- Install Backdrop.
- Update the file system settings and add a directory for a private file path. This enables using private files throughout Backdrop.
- Edit the Filtered HTML text format and set the file upload mechanism to be Private instead of Public.
- Create a piece of content and upload a file. Save the content. Upon viewing the node, the file that was just uploaded will no longer be visible.
This is because uploading a file into a node registers a usage in the file_usage table as being "owned" by filter module, but Filter module does not implement hook_file_download() to allow access to the file that was uploaded inline.
To fix this, we'll need to add filter_file_download(); we can essentially port the implementation from D8's editor_file_download(), using it as a template, as the basic idea is the same.
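A sketch of what such a hook could look like, added here as an illustration and not code from Backdrop or from this issue's author. It follows the idea of D8's editor_file_download(): serve a private inline file only when the current user can view at least one piece of content that embeds it, and deny otherwise. It assumes Backdrop's D7-derived file API (file_load_multiple(), file_usage_list(), file_get_content_headers(), FILE_STATUS_PERMANENT, node_load_multiple(), node_access()) and assumes that filter module records file usage under the 'filter' module key with entity type 'node' and the node ID as the usage ID; adjust those two assumptions if the actual usage records differ.

```php
/**
 * Implements hook_file_download().
 *
 * Added example (not Backdrop's own code), modelled on the approach of
 * D8's editor_file_download(): a private file uploaded inline is only
 * served when the user may view an entity that references it.
 *
 * @param string $uri
 *   Stream wrapper URI of the requested file, e.g. private://inline-files/x.pdf.
 *
 * @return array|int|null
 *   Content headers to serve the file, -1 to deny access, or NULL when the
 *   file is not one this module registered a usage for.
 */
function filter_file_download($uri) {
  global $user;

  // Look up the managed file record for this URI; unmanaged files are not ours.
  $files = file_load_multiple(array(), array('uri' => $uri));
  if (empty($files)) {
    return NULL;
  }
  $file = NULL;
  foreach ($files as $item) {
    // Insist on an exact URI match rather than trusting the first result.
    if ($item->uri === $uri) {
      $file = $item;
      break;
    }
  }
  if (!$file) {
    return NULL;
  }

  // A temporary file has not been attached to saved content yet, so only the
  // user who uploaded it may fetch it back (as D8's hook also does).
  if ($file->status != FILE_STATUS_PERMANENT) {
    if ($user->uid && $file->uid == $user->uid) {
      return file_get_content_headers($file);
    }
    return -1;
  }

  // Only files whose usage was registered by filter module are decided here.
  // Assumption: usage is keyed as module => entity type => entity ID => count.
  $usage = file_usage_list($file);
  if (empty($usage['filter'])) {
    return NULL;
  }

  foreach ($usage['filter'] as $entity_type => $ids) {
    // Assumption: inline uploads are only registered against nodes.
    if ($entity_type !== 'node') {
      continue;
    }
    foreach (node_load_multiple(array_keys($ids)) as $node) {
      // Grant access as soon as the user may view one node embedding the file.
      if (node_access('view', $node)) {
        return file_get_content_headers($file);
      }
    }
  }

  // Referenced only by content this user cannot view: deny explicitly, so a
  // more permissive hook_file_download() elsewhere cannot override the result.
  return -1;
}
```

Returning -1 (rather than NULL) in the fall-through case matters: in the D7-style download pipeline a single -1 from any hook denies the request, whereas NULL leaves the decision to other modules, which is how a private inline file could otherwise become reachable through an unrelated grant.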
Has this already been fixed somehow in the meantime? I followed the steps and uploaded a private PDF file using CKEditor with the Filtered HTML format. After enabling the permission to view private files for authenticated users, I was able to view the file as authenticated user at the path example.com/system/files/inline-files/dummy.pdf.