Can't you just check the user has permissions before serving the file? Throwing an exception if they're not authorised.
BTW, using local files is usually a bad idea (portability, scalability, transactions, etc.). Have you considered storing them in the DB or a blobstore?
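The ordering the comment above suggests (authorise first, raise if not allowed, only then read the file) in runnable form. This is an added illustration, not code from the thread; `STORAGE_ROOT`, the `FILE_ACL` table and the user names are constructed sample values, and the path-confinement check is an extra defence the comment does not mention but that belongs next to any file-serving handler.

```python
from pathlib import Path, PurePosixPath
from typing import Callable, Dict, Set

# Assumed storage root for the files the application serves (hypothetical path).
STORAGE_ROOT = Path("/srv/app/files").resolve()

# Constructed sample ACL: logical file name -> users allowed to read it.
# In a real application this would be looked up alongside the file's DB record.
FILE_ACL: Dict[str, Set[str]] = {
    "invoices/2023-01.pdf": {"alice"},
    "reports/q1.csv": {"alice", "bob"},
}


class NotAuthorized(Exception):
    """Raised when the user is not permitted to read the requested file."""


def authorize(user: str, relative_name: str) -> None:
    """Raise NotAuthorized unless `user` is on the file's ACL.

    The check keys on the logical name and runs before any file system access,
    so an unauthorised request never touches the disk.
    """
    if user not in FILE_ACL.get(relative_name, set()):
        raise NotAuthorized(f"user {user!r} may not read {relative_name!r}")


def resolve_path(relative_name: str) -> Path:
    """Map a logical name onto STORAGE_ROOT and refuse anything that escapes it.

    The ACL already rejects unknown names, but confining the path is a cheap
    second line of defence against values like '../../etc/passwd'.
    """
    if PurePosixPath(relative_name).is_absolute():
        raise ValueError("absolute paths are not allowed")
    candidate = (STORAGE_ROOT / relative_name).resolve()
    # Requiring STORAGE_ROOT among the parents also rejects the root itself.
    if STORAGE_ROOT not in candidate.parents:
        raise ValueError(f"{relative_name!r} escapes the storage root")
    return candidate


def serve_file(
    user: str,
    relative_name: str,
    read: Callable[[Path], bytes] = Path.read_bytes,
) -> bytes:
    """Return the file's bytes for `user`, raising before anything is read.

    `read` is injectable so the logic can be exercised without real files.
    """
    authorize(user, relative_name)        # 1. permission check first
    path = resolve_path(relative_name)    # 2. confine the path
    return read(path)                     # 3. only now read from disk


if __name__ == "__main__":
    print(serve_file("alice", "reports/q1.csv", read=lambda p: b"constructed csv bytes"))
    try:
        serve_file("bob", "invoices/2023-01.pdf")
    except NotAuthorized as exc:
        print("refused:", exc)
```

The same ordering applies whatever the web framework: do the permission lookup on the request's identity and the logical file name, let the exception map to a 403, and only then open the file. If the files move into the database or a blobstore as the comment recommends, `authorize` stays as-is and only the `read` step changes.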