[support] Restricting file download

[Shérab]

Dear all,

I'm building a site on which certain files should be available for download:
(1) only through https and
(2) only for user with a given role.

One possibility I see to achieve this is to
(1) store the files outside of the documentroot and 
(2) writing a module that registers an URL such as download and takes a
filename as argument.
The module then should check that the connection was secure and that the
user is logged in and has the specified role. It will then send the
file.

I'm wondering whether this approach seemsokay to you or whether there
may be another more simple way to achieve that result.

I'm aware that thee is the "private download" method in D6 but my
understanding of this is that if it is enabled, then all the downloads
will go through Drupal, e.g. css, javascripts, etc., which does not seem
desirable to me and would anyway not be enough to implement what I'm
looking for.

Any advice or suggestion warmly welcome.

Thanks !
Sherab.