Requiring login to view documents or download files

Michael Slater
posted this on November 4, 2011, 17:27

On a site with membership features enabled, you can set any page to be visible only to users who have logged in ("members"). We call these pages "private pages".

On a private page, you can put a link to a file, such as a PDF, and since the page is private, only people who have access to the page will be able to click that link.

However, should the link to that document be shared, perhaps by email or by posting to some other site, or if the site admin accidentally put the link on a public page, the document could be downloaded by anyone. If Google ever accessed a page with the link, it could be in the Google index indefinitely, even if the link was later removed. So a brief mistake could result in a document being accessible via public search for an indefinite period.

Have no fear, we have a solution!

To increase the protection for private documents, we've added a new feature that will block access to selected files unless the person (the browser, really) accessing the file is logged in.

To set this up, you need to do two things:

  1. Add a config setting with the name "security.acl.folder.default" and set the value to the role that is required to access this file (typically "member").
  2. Put the file in a folder whose name starts with "secure_".

That's all it takes. Note that there is no restriction on the filenames, and the folder name can end with anything you want, but it must start with "secure_". So a good folder name would be something like "secure_documents". Be sure not to put any file in such a folder that should be accessible by any site visitor.
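
An added example, not part of the original post or the product's own code: a small Python audit that checks a hand-maintained list of file paths against the two setup steps above. The file paths, the settings dict and the function names are constructed for illustration. The post does not say how files in subfolders of a "secure_" folder are treated or whether the match is case-sensitive, so the sketch assumes a case-sensitive match and flags nested files for manual verification.

```python
from pathlib import PurePosixPath

SETTING = "security.acl.folder.default"  # config setting name from the post
PREFIX = "secure_"                       # folder-name prefix from the post

def parent_is_secure(path):
    """True when the file's immediate folder name starts with the prefix."""
    return PurePosixPath(path).parent.name.startswith(PREFIX)

def any_folder_secure(path):
    """True when any folder in the path (never the filename) starts with the prefix."""
    return any(p.startswith(PREFIX) for p in PurePosixPath(path).parent.parts)

def audit(files, private, settings):
    """Return {item: finding} for everything that needs attention.

    files    - all file paths linked from the site
    private  - the subset that must require login
    settings - site config as a dict (assumed to be copied out by hand)
    """
    findings = {}
    if not settings.get(SETTING):
        findings[SETTING] = "missing: no required role configured"
    for f in files:
        if f in private:
            if parent_is_secure(f):
                continue  # matches step 2 as written
            if any_folder_secure(f):
                findings[f] = "verify: only a higher-level folder is secure_"
            else:
                findings[f] = "exposed: private file outside a secure_ folder"
        elif any_folder_secure(f):
            findings[f] = "blocked: public file inside a secure_ folder"
    return findings

# Constructed sample data
SAMPLE_FILES = [
    "/files/secure_documents/board-minutes.pdf",   # correct placement
    "/files/documents/secure_pricing.pdf",         # prefix on filename only
    "/files/secure_documents/2011/q3-report.pdf",  # nested: behaviour unstated
    "/files/secure_downloads/brochure.pdf",        # public file locked away
    "/files/public/brochure.pdf",
]
SAMPLE_PRIVATE = set(SAMPLE_FILES[:3])

if __name__ == "__main__":
    for item, finding in audit(SAMPLE_FILES, SAMPLE_PRIVATE, {SETTING: "member"}).items():
        print(f"{finding:55} {item}")
```
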