Per project protection

app/controllers/files_controller.rb

@@ -1,7 +1,13 @@
 class FilesController < ApplicationController
   def download
-    uploader = Note.find(params[:id]).attachment
+    note = Note.find(params[:id])
-    send_file uploader.file.path, disposition: 'attachment'
+
+    if can?(current_user, :read_project, note.project)
+      uploader = note.attachment
+      send_file uploader.file.path, disposition: 'attachment'
+    else
+      not_found!
+    end
   end
 end