we are using Tactic Community 4.4.0v02 on Centos 6.7.
We noticed that every uploaded asset is accessable via direct url to the file without any permission check. This means every one can access our uploaded files even without having a valid login for tactic.
If you just type the url: server/assets/projectname/assets/assetname/publish/filename.ext you can view or/and download the file.
I consider this to be a serious security aspect because we are using tactic not just within the internal network.
I tried to find information about this "feature" but wasn't very successful.
Did I miss something in the configuration? Is it possible to force a login to access this files?
URL to assets