Hi, thanks for the response. For Mosets Tree, I tried adding every combination (at the same time) of the URL that I'm trying to restrict, so the URL box now looks like this:
option=com_mtree&task=viewlink
option=com_mtree&task=viewlink&Itemid=15
option=com_mtree&task=viewlink&link_id=3
option=com_mtree&task=viewlink&link_id=3&Itemid=15
(I don't actually want to restrict "task=viewlink" on its own, this is just for demonstration)
But I can still access the item by navigating to
http://mysite/index.php?option=com_mtree&task=viewlink&link_id=3
Whenever the links are creating by the component, they are appended with the itemid, so the security works on all of the links on my page. I'm just worried about savvy users recognizing the link, taking out its itemid, and getting free access. Blocking access to Mosets Tree as a component works for keeping the public out of all of these links (even if they try to modify the url) but if someone is a member of let's say a 'silver' plan that can access mosets tree but not all of its listings, they would be able to view 'gold' listings by removing the Itemid.
I guess for the most part it works, but I'd still always be worried about someone figuring this out.
Perhaps there is a way to code security into the component itself to reject any URL that doesn't contain an Itemid?