parapente
commented
1 month ago If you enable "Secure attachment downloads" from the extension options you shouldn't be able to download the file if you don't have access. All attachments should lead you to a joomla url like the following: https://...../index.php?option=com_attachments&task=download&id=56 and the extension does check the permissions you have set.
Now if someone has the link as a path on the server like https://...../attachments/article/1/a.pdf then the extension cannot do anything as the web server serves the file and php is not executed at all. You need to properly configure the web server to deny access to that folder.
If the issue you have is nothing like what I described above, feel free to reopen.
The attached files, if assigned to registered users, are visible only for these users but knowing the link of the file is always possible to access and download it even with "public" permissions. Is it possible to attribute ownership to the file so that it can not be downloaded except by the specified user group?