Permission checks in dload.php were not broad enough. We were only checking permissions and privileges on the category of the download. We should have been doing a global check (e.g., permission to the module as a whole was denied).
This resolution does not fix issues with dload.php bypassing .htaccess files or redirects; I will consider those a separate issue.
System message - Issue updated
Also, Apache redirects do not affect dload.php.
Also, .htaccess does not affect dload.php.
Also, the permissions tree editor does not affect dload.php.
Something is FUNDAMENTALLY BROKEN.
System message - Issue updated
Permission checks in dload.php were not broad enough. We were only checking permissions and privileges on the category of the download. We should have been doing a global check (e.g., permission to the module as a whole was denied).
This resolution does not fix issues with dload.php bypassing .htaccess files or redirects; I will consider those a separate issue.