For this, you also need to keep in mind the rights on the directory itself.
The above is part of a custom script that I wrote which gives me fine control over user rights.
Additionally, as you mentioned, the user has to be able to access the files given the rights on the file/dir.
comment = System Backup Images
path = /mnt/downloads/backups
hosts allow = 10.0.1.0/24
read only = Yes
browsable = No
guest ok = No
force group = domainadmins
force user = root
create mode = 0660
directory mode = 6770
write list = @domainadmins
read list = @domainusers
This is a private share that only admins can access and normal users cannot. Note that I am using Samba with a group setup to achieve this.
For successful usage, say we have the groups defined above, the owner of said directory is root (www-data in your case). The group would be domainadmins and the chmod to use would be the private set. Note that one is for files, the other for folders.
Once that is done and you have groups going, you should be fine. I'm sure this could be achieved another way, but groups are very useful in my environment, so that is what I went with.
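
An added example, not part of the original post: a small audit that walks the share path and reports every file or folder whose on-disk mode or group differs from the share's "create mode" (files) and "directory mode" (folders). The function name `audit_tree` and its parameters are hypothetical; the default modes are the ones in the share definition above.

```python
import os
import stat

# Modes taken from the share definition in the post above.
FILE_MODE = 0o660    # "create mode", applies to files
DIR_MODE = 0o6770    # "directory mode", applies to folders


def audit_tree(root, file_mode=FILE_MODE, dir_mode=DIR_MODE, gid=None):
    """Return a sorted list of (path, problem) for entries under root
    (root included) that do not match the expected permission set.

    gid is the expected numeric group id (for example that of domainadmins);
    None skips the group check. Symlinks are reported but never followed.
    """
    findings = []

    def check(path):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink (target not checked)"))
            return
        if stat.S_ISDIR(st.st_mode):
            want = dir_mode
        elif stat.S_ISREG(st.st_mode):
            want = file_mode
        else:
            findings.append((path, "special file"))
            return
        have = stat.S_IMODE(st.st_mode)  # includes setuid/setgid/sticky bits
        if have != want:
            findings.append((path, f"mode {have:04o}, expected {want:04o}"))
        if gid is not None and st.st_gid != gid:
            findings.append((path, f"gid {st.st_gid}, expected {gid}"))

    check(root)
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return sorted(findings)


if __name__ == "__main__":
    import grp
    import sys
    # Usage: audit.py /mnt/downloads/backups domainadmins
    group_id = grp.getgrnam(sys.argv[2]).gr_gid if len(sys.argv) > 2 else None
    for path, problem in audit_tree(sys.argv[1], gid=group_id):
        print(f"{path}: {problem}")
```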