As I work more and more with ERPNext getting used to it for our organization and making sure its a good fit (I think it is amazing) I still need to make sure its a robust and secure system as it is one that handles very sensitive information such as social security info, address, bank info etc.
The issue I found was attached documents to users(or anthything for that matter)
It uploads them as the filename (ex. contact.doc) so then the URL attached to the user is erp.mywebsite.com/files/contact.doc
The issue is this URL can be relatively easy to guess and is accessable to download from un authenticated users. I copied the URL to another browser and the download began immediately.
I think the best solution would be no access unless logged in or authorized. Or at the very least rename the file to some random hash.doc/pdf/filename.
Please let me know what you think, if there is some setting somewhere I missed that could be the issue too
Thanks again for your support and such great software.