My version of CodiMD is:
What I expected to happen:
When I upload a file, I hoped that I could hold everything within my domain: the serving, the uploads and the user authentication. I also hoped that I could handle the authorization of content within my user group (school, DSGVO, protection of the young, no opt-in from parents desired).
What actually happened:
Everything so far works as I found out. Except uploads are world readable, even if the content is not.
I already tried:
- use LDAP to authenticate, which works
- use “no guests” which works
- use “filesystem” as storage, which works
I admit, the upload URLs are pretty hard random, but still it is pretty easy for everyone with read rights to post a URL into the world (WhatsApp, e.g.) pointing to the uploaded file.
So in summary: You have done a great job. This is an amazing tool.
What do you think of my perspective: is it too protective? Would it be hard to make the uploads no-guest readable?
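
The behaviour asked for above, sketched as an added example that is not part of the original post and is not CodiMD's own code: a decision function that serves an uploaded file only to a request with a logged-in session, so a shared link alone returns 403. The names `UPLOAD_ROOT`, `authorizeUpload`, the `/uploads/` prefix and the session shape (`userId`) are assumptions made for illustration.

```javascript
// Added example: hypothetical gate for an uploads route, not CodiMD code.
// UPLOAD_ROOT, the session shape and authorizeUpload() are assumptions.
const UPLOAD_ROOT = '/srv/codimd/uploads'; // assumed filesystem storage directory
const URL_PREFIX = '/uploads/';
// Random upload names: one path segment, optional extension, nothing else.
const SAFE_NAME = /^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?$/;

// session: what the login layer (LDAP here) attached to the request,
// or null/undefined when the request carries no valid session cookie.
function authorizeUpload(session, urlPath) {
  const deny = (status) => ({ status, file: null, headers: {} });

  // "No guests" applied to files as well as notes: a leaked URL alone is useless.
  if (!session || typeof session.userId !== 'string' || session.userId === '') {
    return deny(403);
  }
  if (typeof urlPath !== 'string' || !urlPath.startsWith(URL_PREFIX)) {
    return deny(404);
  }
  let name;
  try {
    name = decodeURIComponent(urlPath.slice(URL_PREFIX.length));
  } catch (e) {
    return deny(400); // malformed percent-encoding
  }
  // Allowlist after decoding, so ../, %2e%2e%2f, backslashes and NUL bytes all fail.
  if (!SAFE_NAME.test(name)) {
    return deny(400);
  }
  return {
    status: 200,
    file: UPLOAD_ROOT + '/' + name,
    // Keep shared caches and proxies from storing a copy guests could fetch later.
    headers: { 'Cache-Control': 'private, no-store' },
  };
}

// Constructed sample requests.
const member = { userId: 'ldap:student01' };
const samples = [
  [null, '/uploads/upload_3f9c2a7be1.png'],   // leaked link, no login
  [member, '/uploads/upload_3f9c2a7be1.png'], // logged-in member
  [member, '/uploads/%2e%2e%2fconfig.json'],  // encoded traversal
];
for (const [session, url] of samples) {
  console.log(url, '->', authorizeUpload(session, url).status);
}
```

This only checks that the requester is logged in; tying each file to the read permissions of the note it was uploaded to would additionally need a stored mapping from file to note.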