Description
Currently, anyone can subscribe to any group via CiviMail. This is a vulnerability, at least for the following reasons:
1. On a site which uses group-based ACLs and has CiviMail enabled, anyone knowing their contact's primary location's first email address can get themselves added to any group they can guess the group_id of.
2. On a site which (a) has CiviMail enabled, (b) allows anonymous users to create Drupal accounts and (c) has CiviCRM enabled for authenticated users, anyone can get a Drupal account with their email address and then get the counterpart CiviCRM contact added to any group.
3. When mail is sent to CiviMail from an email address that is not already the first primary address of a contact's primary location, a new contact is created; this can be used to contact-spam a CiviCRM instance.
For 1.7, we should allow people to subscribe only to groups with public visibility. For 1.8/2.0, we should come up with a more versatile solution.
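A sketch of the visibility gate proposed for 1.7, as an added example that is not CiviCRM code: the function name, the in-memory arrays standing in for the group and contact tables, and the visibility values are all assumptions made for illustration. The group check runs before any contact lookup, so a rejected request neither changes group membership nor creates a contact.

```php
<?php
// Added illustration. Field names and visibility values are hypothetical,
// not CiviCRM's schema; the arrays stand in for the group and contact tables.

const VISIBILITY_PUBLIC = 'public';

/**
 * Handle a subscribe request that arrived by mail.
 * Returns 'subscribed' or 'rejected'; a rejected request changes no state.
 */
function handleSubscribe(array &$groups, array &$contacts, string $fromEmail, $groupId): string
{
    // group_id comes from the request, so treat it as untrusted input.
    if (!is_int($groupId) && !(is_string($groupId) && ctype_digit($groupId))) {
        return 'rejected';
    }
    $groupId = (int) $groupId;

    // Gate on visibility before touching contacts: an unknown group and a
    // non-public group get the same answer, and no contact is created for either.
    if (!isset($groups[$groupId]) || $groups[$groupId]['visibility'] !== VISIBILITY_PUBLIC) {
        return 'rejected';
    }

    $email = strtolower(trim($fromEmail));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'rejected';
    }

    // Only now look up or create the contact and record the membership.
    if (!isset($contacts[$email])) {
        $contacts[$email] = ['groups' => []];
    }
    $contacts[$email]['groups'][$groupId] = true;
    return 'subscribed';
}

// Constructed sample data: one public group, one restricted group.
$groups = [
    1 => ['title' => 'Newsletter', 'visibility' => VISIBILITY_PUBLIC],
    2 => ['title' => 'Board members', 'visibility' => 'admin-only'],
];
$contacts = [];
$requests = [['a@example.org', '1'], ['a@example.org', '2'], ['b@example.org', '99'], ['c@example.org', '2x']];

foreach ($requests as [$from, $gid]) {
    printf("%-14s group %-3s => %s\n", $from, $gid, handleSubscribe($groups, $contacts, $from, $gid));
}
printf("contacts created: %s\n", implode(', ', array_keys($contacts)));
```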