Media files are publicly available without access control
We got the following report in the forum:
I have a private Funkwhale instance running. Anonymous access is disabled. I don't want anybody to be able to access my music library. However, I can open the direct link to the media file (e.g. https://funkinstance.example/media/tracks/fc/65/3e/myfile.mp3) on any device without being logged in. Is there a way to disable this? It seems like a security risk to me.
Link: https://forum.funkwhale.audio/d/313-media-files-publicly-accessible
I deleted the thread for now to avoid exposing the vulnerability.
I confirmed the same behavior on open.audio, while @JuniorJPDJ tested his instance, too.