This doesn't work. Below is a link to a file I've uploaded to a course files area. The course is set to allow guest access and autologin guests. So, when you click on the link, it should take you directly to the file.
Here is the link to that course
Also, my moodle_data directory is outside the public_html folder.
It looks like moodle allows anyone with access to a course, to have access to any file in the files directory...all the student need do is figure out the url.
I don't think this is a security problem as far as Moodle goes, but I do think this in not well understood by most people...I've been working with Moodle for a few years and I didn't understand it until this post. It seems to me that "logic" would lead a person to believe anything they placed in the files folder in the teachers administration area would only be available to teachers of that course (and site admin of course) unless they made the file available to others...but, it seems that is not the way it works. Bottom line....there is no "protected" files storage area in Moodle for teachers (at least in a default install), without maybe creating a closed course (with no students) and using that to store files.
It's logical that teachers would want to store private files in their courses....quiz keys, memos, student evaluations, etc, and it's logical that they would "assume" the files area would be a place to do that....however, as we see here, that will not work....(well, it will work, but their students could access them)
There has always been the warning that files placed in the "site files" area are available to everyone. It seems that files placed in the course files area are available to everyone in the course. This makes more sense to me now...bottom line, if a person has access to a course (and the site--frontpage of Moodle--is just another course--course 1), then they have access to all files stored in that course.
Maybe there is a way to protect a subdirectory in the files area, but it seems that placing a "." at the beginning of the directory doesn't do it.
Now, all of this could be wrong....this is just the the way I understand it from my experimenting.