docs: Do not expose media directory

[maxtruxa]

Description

Do not instruct users to expose the media directory unprotected. This is unsafe and as far as I can tell not necessary for normal operation of a Papermerge instance.

Serving the media directory straight through the webserver circumvents all access controls present in the web frontend and the REST API, leaving user data unprotected. Anyone who gets access to a valid document link can access that document. If the user's webserver has directory listings enabled, this turns into a complete disaster, as all files are immediately discoverable and accessible.

My only guess is, that this might have been required in previous versions of Papermerge?

Type of change

• [x] This change requires a documentation update

How Has This Been Tested?

n/a

Checklist:

• [x] I have read the Contributing file available here
• ~I have formatted this PR according to PEP8 rules~
• ~I have commented my code, particularly in hard-to-understand areas~
• ~I have made corresponding changes to the documentation~
• ~My changes generate no new warnings~
• ~I have added tests that prove my fix is effective or that my feature works~
• ~New and existing unit tests pass locally with my changes~

[ciur]

Thank you for opening this pull request. I will review it and come back with feedback.

[ciur]

This PR is not relevant anymore. Papermerge now is deployed only via docker images.