I'm starting to generate contents, uploading images and writing articles, no post has public status yet. But if a anonymous visitors uses the Search tool (widget or /?disp=search) typing just "a" would show a list of all media that I uploaded.

I thought whether files/images are findable via search is set in Features >Other displays > Search Results on v6.10.8

On my 7.0.0 site I've just put images in a /media blog, the site it was empty before that, just a basic default setup?
Searching in doesn't find any of the images by file name that I've just put there, even with files searchable,

That happens I guess because the media files area public a priori / by default and thats ok (well maybe not always ok).
I would have thought that the permissions would be set that only the server can access the media via an server script not a plain url

Hi amoun,
I didn't try the v7 yet, I'll wait some more time as It seems there are a lot of changes going on, I'll probably try the first beta.

I see your point about the search options, but that would block all instances in any case and that's surely not what one would want.
BUT... look at the weights, maybe if we have a strong negative weight for the "not public" ones these could potentially not even appear on results? That would be cool! Just an idea.

Having thoughts to your notice of access I have just modified my .htaccess in the media folder to stop external referrals to my media folder, it won't stop via the search though.

# We don't want any PHP execution in this folder! (Prevent direct invocation of PHP files)
<IfModule mod_php5.c>
	php_flag engine off
</IfModule>

<IfModule mod_rewrite.c>
	RewriteEngine On

	# Redirect any _evocache file that does not exist to generate new by htsrv/getfile.php:
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{QUERY_STRING} mtime=(\d+)
	RewriteRule ^(.+/[_\.]evocache/.+/([a-z0-9\-]+)\.[a-z]{3,4})$ /htsrv/getfile.php?abspath=$1&size=$2&mtime=%1 [L]
	
       # ADDED the following 4 lines to stop external referrals
	RewriteEngine On
	RewriteCond %{HTTP_REFERER} !^https://(.+\.)?calstock\.org\.uk/ [NC]
	RewriteCond %{HTTP_REFERER} !^$
	RewriteRule .*\.(jpe?g|gif|bmp|png|jpg|tif)$ https://calstock.org.uk/favicon.ico [L]
	
</IfModule>

Files (Images) should theoretically only be shown if they are attached to a post that the user is allowed to see.
Seems not to be the case.

I ftp the images so they are available via the url

As my media files are embedded in the post text as html tags if I change permissions for the media folder to block access it would also stop them showing in the posts as the post uses urls.

I'm thinking about it but busy preparing beds for crops, so bye for now.

@theking Hello, we fixed the bug in commit https://github.com/b2evolution/b2evolution/commit/2f7ca90a6b256a54407184792281ee7329c6dbde, thank you for the report.

You're welcome, thank you for the feedback!