Hello Gibbon team,
I have noticed a potential security and privacy concern regarding uploaded documents in Gibbon.
When users upload personal documents (such as ID cards, birth certificates, residency documents, etc.), the files appear to be stored under a direct URL. Once the URL is known, the document can be accessed directly without requiring authentication or an active user session.
The filenames are randomized and difficult to guess, which reduces the likelihood of discovery. However, the URLs do not appear to expire and remain accessible even after logout. This means that if a document URL is exposed through browser history, shared devices, logs, backups, screenshots, or another unintended disclosure, anyone with the link may be able to access the file.
My concern is that schools may store sensitive student information in these uploads, and direct unauthenticated access could create confidentiality and privacy risks if a URL is leaked.
I am not reporting a method to enumerate or discover files, only that documents remain publicly accessible through their direct URL once that URL is known.
Is this the expected behavior, or are there recommended approaches to ensure uploaded personal documents require authentication before they can be viewed?
Note: The screenshots attached use sample/demo documents and do not contain any real student information. They are included only to demonstrate the behavior observed.
Thank you.
