I'm wondering if it's possible to block direct access to the files. That is, if a document is set "private" and I use the WP Document Revisions-generated URL, it works fine.
But, I am still able to download the file directly using the direct URL. Something like:
Anyone can download the file this way.
In your doc, you note:
"For additional security, you can move the document upload folder above the web root, (via settings->media->document upload folder)."
This option is not available via Multisite.
Do you have any advice?