Private files and per-file security in Drupal
If you are working with files on your Drupal website that you need to keep secure, so that, for example, no one except users with role X can see a file, there is a module for you: the Private Upload module.
The issue with private/public downloads in Drupal
With Drupal 6, you have a choice between private and public file downloads. If, for instance, you set your entire file system to private downloads, a user would need the permission "view uploaded files." You can give this permission to anonymous users, but then what is the point? What if you want to upload a site admin manual that only your authenticated users can see and no one else?
Using Private Upload Module
Once you install Private Upload module, you can set files to private on a per-file basis. This is the perfect solution for the above issue. After uploading a file using core’s Upload module, a check box will appear that says "private." Just check it off to allow ONLY users with the permission "view uploaded files" to see it.
Trouble Installing
After I installed Private Upload on a Drupal 6.16 install, I used it to upload a file and make it private so anonymous users couldn’t see it. Seemed to work, except the URL of the file was something like “system/files/private”. No file name, wtf? Subsequently I ran cron, and I got an error that a test file could not be written to my “private” directory (which is a subdirectory of sites/default/files). I checked on my server, and it wasn’t there… I don’t know what happened, but I put a “private” directory in sites/default/files, ran cron again, and everything worked. I had to re-upload the file I made private, but I’m just happy the module works.
Location of private files and linking to them
All files you make private will be stored in "sites/default/files/private/file-name", which gets the alias "system/files/private/file-name". You won’t be able to access the file from "sites/default/files/private", only from "system/files/private" (even if you have the "view uploaded files" permission). I bring this up because if you are using a file browser like IMCE, your “private” folder will appear in the list of files to link to, but the link won’t work.
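The two problems described above (a missing "private" directory, and links that point at the storage path instead of the alias) can be checked from a shell on the server. This is an added example, not code from the Private Upload module: the function names are hypothetical, and the paths assume the default layout given in this post.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not part of Private Upload.
PRIVATE_REL="sites/default/files/private"   # storage path named in the post
PRIVATE_ALIAS="system/files/private"        # alias the files are served from

# Return 0 if <drupal-root>/sites/default/files/private exists and a test
# file can be written into it (the operation that failed during cron).
# Return 1 if the directory is missing, 2 if it is not writable.
# Assumption: run this as the web server user, since that account does the writing.
check_private_dir() {
    dir="$1/$PRIVATE_REL"
    if [ ! -d "$dir" ]; then
        echo "missing: $dir" >&2
        return 1
    fi
    probe="$dir/.write_test.$$"
    # Subshell so a failed redirection cannot abort the calling shell.
    if ! ( : > "$probe" ) 2>/dev/null; then
        echo "not writable: $dir" >&2
        return 2
    fi
    rm -f "$probe"
    return 0
}

# Rewrite a link to the storage path (what a file browser such as IMCE
# offers) into the alias that works. Other paths are printed unchanged.
# Paths containing ".." are refused rather than rewritten.
private_alias() {
    case "$1" in
        */..|*/../*)
            echo "refusing path with '..': $1" >&2
            return 1 ;;
        "$PRIVATE_REL"/*)
            rest=${1#"$PRIVATE_REL"/}
            printf '%s\n' "$PRIVATE_ALIAS/$rest" ;;
        /"$PRIVATE_REL"/*)
            rest=${1#/"$PRIVATE_REL"/}
            printf '%s\n' "/$PRIVATE_ALIAS/$rest" ;;
        *)
            printf '%s\n' "$1" ;;
    esac
}
```

Source the file, then call `check_private_dir` with your Drupal root and `private_alias` with the link you are about to paste into content.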
I pwn
Oh hai, my name is Becky and this is my personal website about tech and sometimes my life. I work as a user experience designer for UniversityNow, and I live in San Francisco but I bleed New York.