What about protecting attached files?
| Project: | Content Access |
| Version: | 6.x-1.1 |
| Component: | Code |
| Category: | task |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
This module did what my site required in terms of restricting content to a certain role. However, I notice that any files I attach to that content are visible not only to authorized users without that role, but to anonymous users as well. Private Upload will remedy this to some extent, but it would seem intuitive that Content Access would align the permissions for an attachment with the permissions for the node it's attached to. I hope this can be added as a feature. If possible I'd also like to see an enhancement that would allow the admin control over access to directories (not just content per se). Private Upload protects only the default upload directory. On my site there are other directories whose files need to be unviewable except for certain roles.

#1
> it would seem intuitive that Content Access would align the permissions for an attachment with the permissions for the node it's attached to
It's already that way as soon as you enable private file downloads.
#2
Not for me. When I attach a file to content that only a particular role can view, then log out, I can open that file just by pasting its URL in the browser. I can also open it if I log in as a different user.
#3
I have the same issue. I am happy to look at the code, if you (fago) think it can be added/fixed in the module. I would prefer not having to manage file issues somewhere else, as Content Access keeps everything clean.
#4
I am looking for the same exact feature.
I would like to attach an FLV video file to the node and let only authorized users access it (view it in a flash player module like flashvideo). I am concerned that users could bypass this and go straight for the file.
I notice there is a lightweight module for this that uses htaccess like http://drupal.org/project/downld which is super simple with 5 lines of code.
#5
Has this bug been fixed? I see even different behaviour. If I attach a file to a content type that I restricted to a certain role, then:
- the unauthorized users can still access the attachment via URL
- the authorized user *can not* see the attachment in the site
- the administrator (or users in the administrator group) can see the page and the attachment shows up
That is, the file is there for everybody but it doesn't show in the page as an attachment.
#6
Well, it depends on the module caring for the file upload - it has to respect node access. If it doesn't, Content Access has no chance to deal with it. If it does, it should already work.
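
Added example, not part of the thread and not code from Content Access or any module named above: a sketch of what "respecting node access" looks like for a Drupal 6 module that serves attachments, using `hook_file_download()` and `node_access()`. The module name `example_files` is hypothetical, and the sketch assumes attachments are recorded in core's `{files}` and `{upload}` tables.

```php
<?php
// Added illustration for a hypothetical Drupal 6 module "example_files".
// Assumption: attachments are tracked in core's {files} and {upload} tables.

/**
 * Implementation of hook_file_download().
 *
 * Drupal invokes this hook only for requests routed through system/files,
 * i.e. when the download method is set to "private". With public downloads
 * the web server hands out the file directly and no access hook ever runs.
 */
function example_files_file_download($filepath) {
  $filepath = file_create_path($filepath);

  $result = db_query(
    "SELECT f.filepath, f.filemime, f.filesize, u.nid
     FROM {files} f INNER JOIN {upload} u ON f.fid = u.fid
     WHERE f.filepath = '%s'", $filepath);

  $attached = FALSE;
  while ($file = db_fetch_object($result)) {
    // Some databases compare strings case-insensitively; require an
    // exact match so a differently cased path cannot alias another file.
    if ($file->filepath !== $filepath) {
      continue;
    }
    $attached = TRUE;

    // Defer to the node access system, which is where Content Access
    // grants apply. Serve the file only if the current user may view
    // a node the file is attached to.
    $node = node_load($file->nid);
    if ($node && node_access('view', $node)) {
      return array(
        'Content-Type: ' . $file->filemime,
        'Content-Length: ' . $file->filesize,
      );
    }
  }

  // Attached to a node the user cannot view: deny with -1. For files this
  // module does not track, return NULL so other modules can decide.
  return $attached ? -1 : NULL;
}
```

Files placed in directories that the web server serves directly never reach this hook, so node access cannot be enforced for them from within Drupal.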