That's a "can't do it this way" specification. What is allowed? How are you expecting to authenticate the users, then authorize them? What mechanisms are you permitting?

If you just want to share a directory with some of your friends, give it an obscure name and don't link to it. For real security, change the name of the directory daily.

If that's an insufficient solution, then please define what you do want to do, not what you don't want to do.

-- Randal L. Schwartz, Perl hacker