I have created a “file” metafield as an ORDER metafield.
I want to attach externally generated PDF files (e.g. invoices) to this metafield (=to the order), and use a .liquid template to display a list to the loged in userd, listing their orders and the respective files.
This is all fine and working well.
BUT i noticed, that the “downloadable” files are all sitting on a CDN and no restriction applies to those files. Everybody can download them, logged in or not.
edit: this here is a simmilar case: https://community.shopify.com/c/shopify-discussions/shopify-files-accessible-to-anyone/m-p/2235936/highlight/true
I would expect that all Order related information is only accessible to the logged-in user - but in this case, it is not like this.
In a scenario, where i would give my PDF files a sequence (0001.pdf, 0002.pdf) -any half-brained user can just guess the download URLs and access everybodys files, not just their own.
Alas a long talk to the Shopify support only resulted in a tip on how to structure my .liquid file. This is not part of the problem as i see it - which is that their CDN just puts all files in the open without any restrictions. (please correct me if i am wrong here)
How to pevent this? How can I make sure, that files of a File ORDER-Metafield are actually restricted to the ordering account?
