The site is protected by user verification. And users upload files that are not intended for public viewing. But despite the fact that I have security provider installed, if in the address bar of the browser to type the domain/directory/file_name.extension anyone can viewing or download this file. How to make viewing of these files available only to registered users?
To view the files I use the power of the browser itself. Now browsers perfectly read most types of files (jpg, png, pdf), and that can not read automatically download. I use this to avoid designing unnecessary functionality. I just give a link to the file and the user opens the file for viewing directly in the browser, or downloads it to his computer (xlsx, docx).
After reading the article recommended by you, I realized that through .htaccess I completely prohibit access to files by direct link. It turns out that even verified users will not be able to watch files by direct link, I understand correctly?
We also have a server connect download action. So you can fully secure them with htaccess and make a special server connect action to download them only after passing some authorization for example.