@drjoeward,
Overall this comes with the delivered functionality.
Define your normal users as Contributors. When they upload documents, these are created as Private.
They can enter comments in the Excerpt field, but, like WordPress comments, they are linked to the overall post, not the individual revisions.
Other Contributors can only see their own documents.
Contributors cannot publish documents, i.e. make them available to everyone else.
Those with the Editor role can see (or update) all documents.
When you refer to folders, all uploads are done into the standard uploads folder – normally divided into year/month sub-folders.
The logical sub-division is done by assigning categories or tags to the items. Since the document is private and the access is determined before display, then your contributors will only see their own documents.
Access using the WordPress interface will give you the security required.
It is worthwhile to recap how documents are stored in the uploads directory. Each file is stored as an MD5 hash of the original file name and the time it was uploaded. This means that a file called fred.pdf will be stored as a name like 6079663a66cd2eec4be39f8f5d57e003.pdf.
If you are able to guess that name (and possibly the month sub-directory) and enter that into your URL, then you will be able to bypass WordPress processing and download the file directly. The plugin takes some care to hide this hashed name from you. It is possible to update your .htaccess file to stop this if it is perceived to be a real problem.
Hope this is of use,
Neil James
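
The .htaccess change mentioned in the post above could look like the following. This is an added example, not part of the original post and not the plugin's own rule. It assumes Apache with mod_rewrite, the default wp-content/uploads location, year/month sub-folders, and that the file sits in the site root.

```apache
# Added example: refuse direct web requests for hash-named uploads so that
# documents can only be fetched through WordPress, which checks access first.
# Assumptions: this .htaccess lives in the WordPress site root and uploads
# are under wp-content/uploads (the default). Adjust the path if yours differs.
# Place this block above the "# BEGIN WordPress" section.
<IfModule mod_rewrite.c>
RewriteEngine On

# Match a 32-character hexadecimal file name (the MD5-style stored name),
# with or without an extension, either directly in uploads/ or in a
# YYYY/MM sub-folder. Ordinary media such as photo.jpg is not affected.
RewriteRule ^wp-content/uploads/([0-9]{4}/[0-9]{2}/)?[a-f0-9]{32}(\.[A-Za-z0-9]+)?$ - [F,L]
</IfModule>
```

After adding the rule, request a known stored file name directly in the browser and confirm it returns 403 Forbidden, then confirm the same document still downloads through its normal WordPress link.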