Document that sensitive files should not be uploaded to directus

[jstet]

One apparently has to enable this to have access to files that are linked in other Collections. Or this there another way?

[KonradUdoHannes]

Are there pain points/risks associated with this? In particular are there currently/planned files on directus that should not be available via public access? Is described use case relevant, i.e. the following

• have a private collection
• have that private collection used in a public collection

Conceptually this sounds like a tough problem to solve and maybe understanding what needs to be private will help with solution design.

[jstet]

I would just introduce the policy to not upload files on directus that are not meant to be public @friep

[friep]

agree. we should not use directus for sensitive file storage anyway. the only files (as in pdfs... ) that come to mind that might be uploaded are materials like the Geschäftsordnung of the ethics committee etc. that are supposed to be public.

if this is a need that arises more consistently we could still introduce fields like "drive_folder" or "nextcloud_folder" that gives ability to link to storage locations

todo: document this policy

[KonradUdoHannes]

Generally it would also be possible to change all the svelte API requests to happen server side, where an access token could be provided securely for non-public directus data. We can keep it in mind as an option, but it definitely simplifies development if we don't have this constraint.

[jstet]

documented this on gitbook