authorization does not prevent reading files in upload folder

[ramstein74]

Hi, I check the "authorization" check box. dpd.fileupload.get is not allowed to read the contents of upload folder but if i go to the url via browser i can open the uploaded files. It should be protected ? Can you encrypt the file name somehow? and save the real filename somewhere ?

[tenowg]

because the files are uploaded to a public directory, this would currently be expected behavior. If the files were uploaded to a private directory, and then streamed though node on a get, it would be possible with an img/picture tag pointing to the api, but this is not implemented.