Full disclosure I am newer to the IPS platform, still trying to get some kinks worked out.
I have a concern as I have a forum category limited by only allowing topic creators to see the contents of each post. The purpose of this area is to allow each member to introduce themselves and share personal details. My concern is any attachments upload go into the default upload directory without any more then a randomized 32 char filename encryption. Whats mores-so daunting anyone can have access to "sniff" folder without being logged in (via entering the file URL in a new browser with no cookies / not logged in).
I checked SYSTEM -> FILES to see if there was a way to require isLoggedIn but either I'm blind or this function does not exist.
Can anyone point me in the right direction to securing the "uploads" of personal attachments?
NOTE: Simply changing the DIR is not a secure move for me, as the new directory is still vulnerable, and can be located by anyone hovering over any content uploaded to the site to see the new upload directory.
