I was exporting a user database, and in the csv i could see the URL for all the files associated with my users, this means pictures, resumes etc.
I was shocked to see that logging out of knack the URL still worked! i even tried it on my wife's phone, the files were freely accessible if you had the URL!
Am I an idiot who havent ticked off a security feature, or can we only upload files that should be expected to be readable by anyone?