This is a follow-up issue of PRESIDECMS-1188.
It seems there is one missing piece. If having a generated download link to an asset anywhere in the Preside admin, it will not take permissions into account but simply let the user download that asset straight away (even though "download" permissions are denied for the folder in which this asset lives).
It would be awesome if this would be fixed asap as it looks to me like a security issue.
An idea could be that it would just not download the asset and show a messagebox error instead stating that the user has insufficient permissions to download the asset.