File Upload vs. Post Fields (Image)

When I use Post Fields > Image and a User uploads an image file, an Untitled Draft post is generated as my default Category. Then, a notification is sent to the Admin's e-mail and a thumbnail is visible in the body of the message. The image file is stored in a directory.

This is how the plugin is designed to work. If you use any Post fields in a form, a post will be created. As you've seen, the thumbnail is visible in the admin notification.

When I use Advanced Fields > File Upload and a User uploads an image file. Then, a notification is sent to the Admin's e-mail and a link to the image is visible in the body of the message. The image file is stored in a directory.

This is also true. A link to the file is included when you use a file upload field, because a file could be anything, not just an image, so we could not, for example, embed a Word document in the notification.

I was able to apply a filter to change the file upload directory, but still have concerns about this directory being unsecure and visible to the general public and search engines. (I had to update my .htaccess file to prevent directory browsing and still need to change my meta data to apply a no-follow tag for search engines).

OK.

How I would like the form to work:
1.) User uploads image.
2.) Notification is sent to Admin.
3.) Thumbnail is visible in e-mail and in Form Entries.
4.) Admin can click on thumbnail to view original file but needs to be logged in to do so.

You can include the image in the admin notification if you want, but if it's not a post image, you won't have access to all the different media sizes (thumbnail, small, medium, large, full, etc.) To include the image, after your {all_fields} merge tag, use an image tag with the merge tag for the image upload like this:

<img src="{Image Field:5} />

That will include the full image though, for reasons stated above (only post images are added to the media library in all their different sizes.)

So, my questions and concerns are as follows:
1.) How can I make uploaded image directory totally secure from anyone viewing?

You can use Apache basic auth (in your .htaccess file) but that will prevent the image from showing up in the admin as well until the user logs in the first time.

• I do not require Users to be logged in.
• I run SSL on form pages.
• Current permissions of Upload Directory is set to 755.
• I would like to grant the Contributor Role a Capability to view the Upload Directory when logged in, but do not see an option in Roles setting in WP. (Users > Roles > Capabilities)

There is no capability in WordPress to view images in the upload directory. Additionally, the images you upload with a Gravity Form are not stored in the media library, they are in the wp-content/uploads/gravity_forms/$FORM_ID-randomstring folder. There would be no capability for that either.

*I guess I could password protect the directory on the server side, but not sure if this will effect Users from the ability to upload images? And, I don't really want to deal with 2 separate logins.

If you password protect the directory with .htaccess, the uploads will still work fine, and the image can still appear in the notification email without requiring a login. Clicking through to the full image, if you allow that, would require a login with Apache Basic Auth.

2.) Since I want to see a thumbnail in Notification e-mails and in Form Entries, do I have to use Post Fields > Image only?

Yes. To get access to all the images sizes from the media gallery, including thumbnails, you would need to use a post image.

3.) If I have to use Post Fields > Image, is there anyway to avoid creating an Untitled Post for every single form entry a User makes?

You can use the gform_disable_post_creation filter to disable post creation: http://www.gravityhelp.com/documentation/page/Gform_disable_post_creation

4.) If I have to use Post Fields > Image and an Untitled Post for every single form entry a User makes is generated, how/where can I change the Category from my default category set in my WP settings for Untitled Posts (Settings > Writing > Default Post Category)?

I would skip this part and use gform_disable_post_creation to prevent creating the post in the first place, since you don't need the post, you just want the thumbnail in the admin notification.