When using a file storage service that expires URLs (such as Amazon S3),

we can end up caching URLs to assets that end up expiring upon later

viewing. This has always been a problem, depending on configuration, but

is more noticeable now with S3 since we're using some modern

dependencies that seem to default to storing assets non-publicly (making

it tricker to work around otherwise).
The solution to this is to provide stable URLs for file attachments.

When accessed, these check for valid permissions to access the content

(helping avoid scanning for attachments a malicious user shouldn't have

access to) and then redirect to the file in storage.
This can also help with keeping URLs stable when moving between storage

backends.
Presently, this adds some additional overhead to the file attachment

APIs, in terms of database queries. These are known issues already, and

will be addressed separately.

Unit tests pass.
Manually tested both user-uploaded file attachments and review request

file attachments, making sure that the HTML contains the correct URLs

and that the content was accessible.