Ticket #1109 (new defect)

Opened 13 months ago

logged in user can delete any attached file

Reported by: nemo Owned by: coolcold
Priority: undefined Milestone:
Component: ccTiddly Version:
Severity: medium Keywords:
Cc:

Description

Hi, setting up a ccTiddly based on the 1.8.5 code...

Regular logged-in users can delete attached files, even when they are explicitly denied the ability to delete tiddlers themselves.

As it stands, the only way I can see to protect my uploaded files is to only allow admin to upload files (which also denies users from even viewing the gallery of files available, though only from within ccTiddly: if their httpd allows directory viewing, and they know/can guess the path, then they can find them regardless).

Ideally (imho): file 'viewing gallery'/upload new/deletion should follow the default_anonymous_perm and default_user_perm used for regular tiddlers.
