Access denied for anonymous users clicking on download link

same problem and actually no solutions... please someone check this bug...

I am having the identical issue right now - please help!

update:
It seems that the failure originates from here in the the file_entity.pages.inc file:

/**
 * Menu callback; download a single file entity.
 */
function file_entity_download_page($file) {
  // Ensure there is a valid token to download this file.
  if (!variable_get('file_entity_allow_insecure_download', FALSE)) {
    if (!isset($_GET['token']) || $_GET['token'] !== file_entity_get_download_token($file)) {
      return MENU_ACCESS_DENIED;
    }
  }

  // If the file does not exist it can cause problems with file_transfer().
  if (!is_file($file->uri)) {
    return MENU_NOT_FOUND;
  }

  $headers = array(
    'Content-Type' => 'force-download',
    'Content-Disposition' => 'attachment; filename="' . $file->filename . '"',
    'Content-Length' => $file->filesize,
    'Content-Transfer-Encoding' => 'binary',
    'Pragma' => 'no-cache',
    'Cache-Control' => 'must-revalidate, post-check=0, pre-check=0',
    'Expires' => '0',
    'Accept-Ranges' => 'bytes',
  );

  // Let other modules alter the download headers.
  drupal_alter('file_download_headers', $headers, $file);

  file_transfer($file->uri, $headers);
}

When I do this I get nothing back:

<?php
   $token = variable_get('file_entity_allow_insecure_download', FALSE);
   dpm($token);
   dpm(get_defined_vars());

update #2

Adding this to settings.php seems to be making an impact:

$conf['file_entity_allow_insecure_download'] = TRUE;

Maybe the variable is just not set anywhere in the module?

file_entity_access() allowed anonymous users to view files but not download them. Attached patch applies view permissions to download as well.

@Darren Oh: This is why there are permissions for downloading the files.

The real problem here is our use of ip_address() for the anonymous token. I realized why do we even care if anonymous users share a download like to a file? If one anonymous user can download, they all should pretty much be able to. The condition we really care about is logged-in users sharing download links between other users than may not have access to those files (or anonymous users). This case should be covered already.

So here's my fix to the token generation, which is to remove the identifier for anonymous users, and add the filesize and filemtime, which means the token would be regenerated for anonymous users only if a file has changed.

Testing requires the token to be generated from a plain string.

Fixed test to use modification time and file size.

Thank you @Darren Oh! We are testing this patch on a live site now and I will report back.

I've applied the patch from #9 to a live site a and it absolutely fixed the problem, many thanks @Darren Oh.

Sorry for the delay - yes - it works just great!

Set correct status.

Committed to http://drupalcode.org/project/file_entity.git/commit/d23fcf8.

My field is simply not showing for annon users, even after applying #9. I wonder if this issue is related, checked permissions but still can't get the field to render if I'm not logged-in.

Solution #2 works for me, but I worry that it leaves some giant security hole in my drupal install.

I don't see the changes in the latest 7.x 2.x-dev on 20141203.

Edit: Cancel that, I found this issue: https://www.drupal.org/node/2267483