Keep uploads private until content containing them is published

[rmccue]

We have the backend ability to set uploads as private in S3 Uploads, but we have not hooked this up to any default behaviour in Altis. We have built this previously, so may have code we can reuse here.

Our core use case is ensuring that media does not go live before content does, which is important for users who have embargos or may be publishing things like financial results.

For example, as a content author for a banking institution, when I am writing a post about our financial year's results, the images and PDFs from the content should not be accessible to unauthorised users until the post is published.

Another example: as a content author for a gaming website, when I am writing a post about a new game with an embargo, the images embedded in the content should not be accessible to unauthorised users until the post is published.

For the global media library, we are leaving this out of scope; i.e. all global media is public. (We may choose to revisit this in the future.)

(We will reach out internally to capture any additional use cases we may have missed, but may scope those into new tickets.)

Acceptance criteria:

• As an author on a site, when I upload an image to a draft post, I should not be able to see the image without having access to view the post.
• As an author on a site, when I publish a post, I should be able to view all images in the post without needing to log in
• As an author on a site, when I select an image from the global media library,
• When I view an image in the media library, I should be able to see whether it is public or private

[johnbillion]

Is this on the roadmap?