Module bypass any access control!
I have update my ckeditor to http://ftp.drupal.org/files/projects/ckeditor-7.x-1.4.tar.gz
There is an option:
"Enable access to files located in the private folder
Use this option with care. If checked, CKEditor will allow anyone knowing the URL to view a file, if it located inside of the private path (sites/default/files/private) and if there is no information about the file in the Drupal database."
If i uncheck this then i cant download anything from private file system even i am user 1.
But when i check this option i am able to download it from even that account have not access to node from file is.
so please remove this feature or make it to work with other modules.