Access control for file serving

Authenticated user only for now

README.md

@@ -33,12 +33,12 @@ to deliver files and generate cached thumbnails.
 
 ## Important security note
 
-The file-serving endpoint is designed for convenience and caching and does NOT
-apply DokuWiki ACLs. Anything reachable through a configured root may be
-accessible to anyone who can access your wiki and guess/copy the generated URLs.
+The file-serving endpoint (`lib/plugins/luxtools/file.php`) runs inside DokuWiki
+and can enforce a simple access restriction based on the currently logged-in
+user.
 
-Only configure roots that contain non-sensitive data, or protect access on the
-webserver/network level.
+This is intentionally *not* full per-page ACL integration; it is a pragmatic
+allowlist to avoid “anyone with a guessed URL can fetch the file”.
 
 
 ## Installation
@@ -60,6 +60,13 @@ luxtools is configured via its dedicated admin page:
 
 Key settings:
 
+- **access_allow**
+  Allowed users/groups for the file-serving endpoint.
+  - Entries can be separated by newlines, commas, or whitespace.
+  - Use `@group` to allow a whole group.
+  - Leave empty to allow any authenticated (logged-in) user.
+  - Anonymous users are always denied.
+
 - **paths**
   Allowed base filesystem roots (one per line). Each root can be followed by:
   - `A> /Alias/` (optional) alias used in wiki syntax and open links
@@ -77,6 +84,10 @@ Key settings:
 
   `lib/plugins/luxtools/file.php?root=...&file=...`
 
+  Note: if you configure a `W>` web URL to an external file server, that server
+  must enforce access itself; DokuWiki ACLs and `access_allow` only apply to
+  `file.php`.
+
 - **scratchpad_paths**
   Scratchpad file map (one file path per line, followed by an `A>` alias line).