Users that should have no access to restricted pages that adopt restrictions from the parent page are able to upload attachments if they know the page ID.

How to reproduce:
1. Create 2 users, user1 and user2
2. Create a page with user1 and set the page view and edit restrictions to "Me"
3. Create a subpage to this page with user1
4. Correct: Subpage inherits the restrictions, so no one else but user1 can see both pages
5. Send a POST request with user2 to /pages/attachfile.action with a file and the content ID of the parent page
6. Correct: An error occurs because user2 has no permissions to upload attachments
7. Send the same POST request to the content ID of the subpage
8. File is being attached to page :-O

Testet with Confluence 4.2 and 3.5.13