Deliver some private files for some specific users only

For a small project I want some users (they already have a JWT with a specific role) to view files that all other users are not allowed to see.
So my plan is:

  • Create /top-secret-directory
  • add /top-secret-directory to admin.js/watchIgnoreFiles.
  • Create a GET controller for /api/get-me-my-secret-files with a JWT-Validation-Middleware.
  • Inside the controller I access the files in /top-secret via fs (for example).

I assume - and that is also my question to you - that by default the /top-secret-directory will not be accessible by anyone. Is this correct?
So are files in there only accessible by Strapi itself, and all I have to do is deliver the secret files in response to requests from my “allowed users”?

Any help / insight would be of great help, because my “nodejs-knowledge” is only earned from working with Strapi. :slight_smile: