I wrote web application that has few access levels / groups (not logged in, worker, manager, admin).
For access control i used something similar to best answer here:
What is the best practice for restricting specific pages to logged in users only in Codeigniter?
Now i have to create download page that allows download only for groups which are allowed for specyfic file. Now i have links displayed only for allowed users, but I think I have to hide real file location somehow, because file URL is remembered by browsers and anyone can download file without any problems after logout.
You don’t link to the real file. You link to a script that uses an access token to validate, then passes the file. See this question:
PHP Pass File Handle to user so that file downloads & saves to their machine
Once downloaded you can either expire the token or just log how many times the user has downloaded and apply proper restrictions there.
Also, nest your files beneath web root or make sure you can’t directly access them wherever you choose to store them
And YES, CI does have a helper for download:
https://www.codeigniter.com/userguide3/helpers/download_helper.html