This is a general remark on the security of files stored in Frappe/ERPNext: any file that is uploaded is publicly available, i.e. if someone knows the URL, he/she can download it even without an account on the ERPNext instance. This could be considered a security issue. Public/private only applies to visibility within the system.
Would it be possible to restrict the file access, has this been considered before?
It would be possible to store files only on other cloud services such as NextCloud, …
Steps to reproduce:
- upload any file and mark it not public
- copy the file URL
- access from another session/machine, …
Actual behaviour: file is available
Expected behaviour: login into ERPNext required (and if the file is not shared with the logged in person, access should be blocked)