I've noted that the module can generate redirects to file attachments to which a user doesn't have sufficient permissions to access.

In our configuration we're using private files, and we're relying upon content revisions of which the most current revisions are likely to be unpublished. In a very simple test, I created a content type with a single file field, and designated that field as the file field for the Attachment Links. Next, I create a node using that content type, added a file attachment, and saved it as published. Then I edited the node, replaced the file attachment, and saved a new revision as unpublished.

When, as an anonymous user, I visit the attachment using either the 'preferred version' or the 'newest version' links, I receive a 403 Forbidden response code. When I trace the http traffic between the client and the server, it appears that the server is attempting to perform a redirect to the unpublished version of the attachment.

Wouldn't the proper behavior be to redirect the user to the attachment version to which the user has permission to access (at the very least, a 'published' version)? Or, is this a use case which falls outside of the intended model?