I wouldn’t expose the files publicly, instead I would store them in a private location (outside of the web directory), create a Bundle and a Controller, and in the controller have an action which takes a file ID and looks up its access level from a database table. If the file is publicly accessible, serve it. If not, then make sure the user has permissions to view the file.

You just need to create a File entity, and a table which stores permissions for users or user roles against those files so that you can cross-check them upon request.

It will add some overhead to serving the files though, as a full Symfony2 request will need to take place, whereas serving files straight over apache or nginx won’t have the overhead of the framework stack.

Hopefully I’ve explained that well enough.

EDIT:

If you’re serving these images via the use of a token (e.g. via an email) then you can do something along the lines of the following…

Example Image src attribute: http://yourdomain.com/assets/12/TOKEN

This route config would look something like this (in YAML):

assets_serve:
    pattern: /assets/{id}/{token}
    defaults: { _controller: AcmeAssetBundle:Assets:serve }
    requirements:
        _method: GET

In your AcmeAssetBundle, you’ll have an AssetsController with a serve action:

class AssetController extends Controller
{
    public function serveAction($id, $token = null)
    {
        //fetch asset record from the database -- which also contains its file path
        //check the TOKEN matches the one stored against this image
        //set content-type headers and serve the image
    }
}