I'm in the "keep it simple, stupid" camp. I'd have the normal URL invoke a CGI script to show the data, like

/path/to/the/message
[download]

but when your friend wants to edit it, adds ?mode=edit to the end of the URL:

/path/to/the/message?mode=edit
[download]

which invokes the same program, but the param is detected, and now a form comes out with two fields: the original text in a textarea, and a place for a password. When this form is submitted, it'll be returned to the same CGI program, which can check the password against a crypt() password included in the program, and if a match, updates the file and shows the new result. Code looks something like this:

use CGI qw(:all);
my $MESSAGE_LOCATION = "/path/to/file.txt";
my $CRYPTED_PASSWORD = "aaPwJ9XL9Y99E";
## this is from print crypt("hello", "aa"), so "hello" is the password

print header, start_html;

if (my $new_text = param('text') and my $password = param('password'))
+ {
  ## update mode... is the password good?
  if (crypt($password, $CRYPTED_PASSWORD) eq $CRYPTED_PASSWORD) {
    open F, ">$MESSAGE_LOCATION" or die;
    print F $new_text;
    close F;
    print h1('updated!'), p('The message was updated!');
  }
} elsif (param('mode') eq 'edit') {
  ## secret mode
  open F, $MESSAGE_LOCATION or die;
  my $message = join '', <F>;
  close F;
  print h1('edit the message');
  print start_form;
  print textarea('text', $message);
  print 'password: ', password_field('password');
  print submit('update');
  print end_form;
}
## always display the result:
open F, $MESSAGE_LOCATION or die;
my $message = join '', <F>;
close F;
print h1('Welcome to our info page');
print h2("Today's top tip:"), escapeHTML($message);
print end_html;
[download]

There. Whipped out quickly, so it might not fully work, but you can flesh out the details I hope.

-- Randal L. Schwartz, Perl hacker
Be sure to read my standard disclaimer if this is a reply.