Closed
Description
I noticed that directly accessing an uploaded image/attachment (i.e. https://wekan.example.com/cfs/files/attachments/WketAqrSi5oeZEiFA/picture.jpg) works even for unauthenticated/unauthorized clients - I guess that for someone this might be quite a serious security breach, allowing files to be easily exposed to the public (just share the links). Shouldn't Wekan require users to be authenticated/authorized when accessing files?
Also a quick question: a brief search didn't reveal to me where Wekan stores uploaded files/images. Are these stored directly in mongo? Thanks, P.
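
The check this report asks for, as an added example that is not part of the original issue and is not Wekan's own code: a deny-by-default predicate that decides whether a request may download an attachment. The data model (attachments carrying a `boardId`, boards with a `permission` field and a `members` list) and all function names are assumptions made for illustration.

```javascript
// Added example: authorization check for attachment downloads.
// Assumed model: every attachment records the board it belongs to, and a
// board is either 'public' or 'private' with a list of members.

// Constructed sample data.
const boards = new Map([
  ['b-private', { permission: 'private',
                  members: [{ userId: 'alice', isActive: true },
                            { userId: 'bob', isActive: false }] }],
  ['b-public',  { permission: 'public',
                  members: [{ userId: 'alice', isActive: true }] }],
]);

// Returns true only when the requester may read the board that owns the file.
// userId is null or undefined for an unauthenticated request.
function canDownload(userId, fileObj, boardLookup) {
  // A file with no owning board cannot be authorized: deny.
  if (!fileObj || typeof fileObj.boardId !== 'string') return false;
  const board = boardLookup.get(fileObj.boardId);
  if (!board) return false;                        // unknown board: deny by default
  if (board.permission === 'public') return true;  // owner chose to publish the board
  if (!userId) return false;                       // private board requires a login
  // Only active members of a private board may fetch its files.
  return board.members.some(m => m.userId === userId && m.isActive === true);
}

// Maps the decision to the HTTP status a file route would return.
function downloadStatus(userId, fileObj, boardLookup) {
  if (canDownload(userId, fileObj, boardLookup)) return 200;
  return userId ? 403 : 401; // logged in but not allowed vs. not logged in
}
```

With a check like this on the file route, knowing or sharing the link to a private board's attachment is no longer enough to read it.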