Diffusion raw file links are public

I use Phabricator.
I realised that if I go to Diffusion, and open a file (any file) in a repository and click Raw File then it generates a link that can be opened even if I am not logged in.
I consider it a security risk. Does anyone know how to disable this feature (or solve this bug)?
Many thanks.

This is intentional, explicit behavior and cannot be disabled.

See https://secure.phabricator.com/T10262 for discussion.

If you can develop a plausible attack based on this risk, you can report it via our HackerOne program. This attack would be valuable because it would likely be eligible for bounties from Facebook, Google, Trello, GitHub, Bitbucket, Asana, and Pivotal, all of which use the same resource delivery strategy (cacheable resources with a unique URL hash).
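The delivery strategy named in the answer (a resource served from a URL that contains a unique, unguessable hash) can be modelled as below. This is an added example, not Phabricator's code and not part of the original posts; the URL layout, the 128-bit token length, the class and function names, and the `rotate` step are all assumptions made for illustration.

```python
import hmac
import secrets

TOKEN_BYTES = 16  # assumption: 128-bit secret per file; the page does not state a length


class RawFileStore:
    """Toy model: each file gets a random secret that becomes part of its URL."""

    def __init__(self):
        self._files = {}  # file_id -> (secret, content)

    def publish(self, file_id, content):
        secret = secrets.token_hex(TOKEN_BYTES)  # CSPRNG, not a hash of the content
        self._files[file_id] = (secret, content)
        return f"/file/data/{secret}/{file_id}/raw"  # hypothetical URL layout

    def fetch(self, url, logged_in=False):
        """Serve by URL alone. `logged_in` is ignored on purpose:
        knowing the secret in the URL is the only credential."""
        parts = url.strip("/").split("/")
        if len(parts) != 5 or parts[:2] != ["file", "data"] or parts[4] != "raw":
            return 404, b""
        presented, file_id = parts[2], parts[3]
        entry = self._files.get(file_id)
        if entry is None:
            return 404, b""
        secret, content = entry
        # Constant-time comparison so response timing does not leak token prefixes.
        if not hmac.compare_digest(presented.encode(), secret.encode()):
            return 404, b""
        return 200, content

    def rotate(self, file_id):
        """Hypothetical mitigation: invalidate a leaked link by issuing a new secret."""
        _, content = self._files[file_id]
        return self.publish(file_id, content)


def expected_guesses(token_bytes=TOKEN_BYTES):
    """Average guesses needed to hit one specific token: half the keyspace."""
    return 2 ** (token_bytes * 8 - 1)
```

The model shows why the link opens without a session (the URL itself carries the secret) and why the practical exposure is the link leaking, not the token being guessed.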