i managed to grab ALL attachment with the GET API
But wouldn’t be a concerns
No row security, what if i only want the GET list user to access to specific attachment (e.g. category is “NOT HR” or “not uploaded by director”)
From the screenshot, we can pull the “url” actual link (e.g. “http://localhost:1337/uploads/sample_cbd721d930.pdf”) it’s a fixed url, which mean i can pass it to someone not within the orgianization, they can jz simply access the content?
Based on the 2 concerns above, how can strapi protect the content (with only authenticated access)