    Iterate attachments as the creator of the current transaction when sending mail · c29107c6
    Thomas Sibley authored
    Check CurrentUserCanSee before trying to add an attachment since it
    could otherwise end up empty now that we have the correct current user.
    
    Additionally, simply check RT::Transaction's CurrentUserCanSee when
    iterating inside an RT::Attachments object rather than maintaining a
    different but similar conditional tree.  CurrentUserCanSee correctly
    access checks transaction types like EmailRecord, for example.
    
    This resolves part of CVE-2011-2084.