If you want to password protect the download, you need to decorate it:
@auth.requires_login()
def download():
    ...

If you want to make sure only the owner can download it, you would need some additional code (db.uploads.created_by==auth.user_id).
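
The two checks described above, as an added stand-alone sketch that is not part of the original post and is not web2py code: sqlite3 stands in for the web2py DAL, and the `file` and `content` columns, the sample rows and the status codes are assumptions made for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: two uploads owned by different users."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE uploads (id INTEGER PRIMARY KEY, file TEXT UNIQUE, "
        "created_by INTEGER, content BLOB)"
    )
    db.executemany(
        "INSERT INTO uploads (file, created_by, content) VALUES (?, ?, ?)",
        [
            ("uploads.file.aaa111.txt", 1, b"alice's report"),
            ("uploads.file.bbb222.txt", 2, b"bob's invoice"),
        ],
    )
    return db


def download(db, user_id, filename):
    """Return (status, body); user_id is None for an anonymous request."""
    # Check 1: the role @auth.requires_login() plays. Without a logged-in
    # user the request is refused (401 is this sketch's stand-in).
    if user_id is None:
        return 401, b""
    # Check 2: the owner check. Filtering on created_by in the same query as
    # the filename means a valid name owned by someone else matches nothing.
    # Rough web2py DAL equivalent (the field name `file` is an assumption):
    #   db((db.uploads.file == filename) &
    #      (db.uploads.created_by == auth.user_id)).select().first()
    row = db.execute(
        "SELECT content FROM uploads WHERE file = ? AND created_by = ?",
        (filename, user_id),
    ).fetchone()
    if row is None:
        # Same answer for "not yours" and "does not exist", so the response
        # does not confirm which filenames are present.
        return 404, b""
    return 200, row[0]
```

Being logged in is not enough on its own: in this sketch user 2 holds a valid session yet still gets 404 for user 1's file.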

