Check for user permissions before firing ajax actions

[mathetos]

Reported by @TimothyBJacobs

The Ajax action is restricted to logged-in users, but I don’t think that is sufficient. A logged-in user, perhaps a commenter, could make a request to either download the file or generate a remote viewing URL.

[mathetos]

I should also add a nonce for good measure, then move the update_option() into the conditional check so it's only updated when those conditions are met. So in summary:

• Check user permissions
• add a nonce and verify it
• move the update_option() into the conditional

Pretty much pushing those changes now.