My consumer has a Members Portal the place members are in a position to add recordsdata (certificates and the like). These recordsdata get stashed right into a customized folder however are in any other case meant to be personal. IIRC they use a customized plugin for this.
At present I uncover {that a} file that’s uploaded to /user-uploads/some/path/to/mangled-filename.pdf will imply a request for http://web site.com/mangled-filename will return a html web page with filename and the consumer’s identify, and can look one thing like this:
That is very a lot not wished.
Close to as I can determine, the customized plugin is including the uploaded file into the Media Library after which producing pages to match. (I’ve put a .htaccess block on the /user-uploads/ listing).
What is likely to be occurring right here, and the way would I flip this off?
