--- upload.module	2008-08-14 01:59:14.000000000 +0200
+++ upload.module	2008-09-18 23:08:42.000000000 +0200
@@ -147,17 +147,24 @@ function _upload_file_limits($user) {
 function upload_file_download($filepath) {
   $filepath = file_create_path($filepath);
   $result = db_query("SELECT f.*, u.nid FROM {files} f INNER JOIN {upload} u ON f.fid = u.fid WHERE filepath = '%s'", $filepath);
-  if ($file = db_fetch_object($result)) {
+  $handled_by_upload_module = false;
+  while ($file = db_fetch_object($result)) {
+    $handled_by_upload_module = true;
     if (user_access('view uploaded files') && ($node = node_load($file->nid)) && node_access('view', $node)) {
+      // User has access to a node where the file is attached. No need to check for other nodes.
       return array(
         'Content-Type: ' . $file->filemime,
         'Content-Length: ' . $file->filesize,
       );
     }
-    else {
-      return -1;
-    }
+    // else: The user was not allowed to see this node. Check for other nodes
+    // that have this file, or return -1 if no node is accessible.
+  }
+  if ($handled_by_upload_module) {
+    // The file was handled by Upload module, but the user did not have permission.
+    return -1; // Deny access to the file (overrides what any other modules say, if multiple modules handle this file)
   }
+  // else: File is not handled by the Upload module.
 }
 
 /**