Can you tell how (or if) they are logged in?
Is there a SESSION set that you can check?
Meanwhile, you can serve them the PDF file
without revealing the path or filename.
The log-in check would be at the top of this script ...
This script has to run without anything outputted (echoed) to the display,
// check for the correct SESSION set here.
// you would actually read-in some sort of code from a link or form,
// cross-reference that code with the real PDF path/filename,
// and then serve it to the user.
// for this example, manually enter one of your real PDF path/files ... just for testing.
// what you want the user to see ... name of the PDF that gets served.
$filename = "YourPDF.pdf";
or you'll get a "header already sent" error.