Dave,

So far as I can tell, the problem you're addressing indeed exists as you describe it: there is no opening in the file api to enable nuanced file access control. And it should be addressed--there's no sense in us having to override/replace our file api just to control access (as was done, e.g., in the ecommerce file.module).

Your suggested approach for handling access looks basically sound to me--but it would be more useful to hear from more experienced fileapi-ers. Walkah, killes, dopry, Chris Johnson, etc.?

Likely we'd want to keep it as close as possible to existing _api and _access hooks. So, e.g.,

 * @param $op
 *   The type of event ('upload', 'download', 'update', 'delete')

might be better as

 * @param $op
 *   The type of event ('insert', 'view', 'update', 'delete')

Are you thinking of doing this as a contrib module for 4.7? Part of ecommerce, or a generic file handling module?