Documentation: Add documentation about setting 'block_my_files_access' to security.html

Author: ywarnier

documentation/security.html

@@ -197,7 +197,27 @@ <h2><a id="7.Direct-web-access">Direct web access to files</a></h2>
     this way (there is an exception for that). We believe that these resources
     do not contain confidential information. If you *DO* have confidential
     information in images, CSS or JavaScript files, you will need to update
-    these rules to suit your needs.
+    these rules to suit your needs.<br />
+    <br />
+    <h3>Access to "personal" files</h3>
+    In Chamilo 1.*, it is possible to upload files to one's "personal" folder
+    through the social network page, or through any upload popup that allows
+    you to choose the file destination (and you select your personal folder).<br />
+    <br />
+    Due to the development background in Chamilo, these files are then directly
+    accessible by anonymous users, which can lead to personal data leaks. This
+    has been left in this mode by default because many teacher users had used
+    this option to share common images between different courses and blocking
+    the feature would have meant public courses would not have shown the given
+    images.<br />
+    <br />
+    To avoid this issue and make files accessible *only* to authenticated users,
+    please set the following option to 'true' in configuration.php:<br />
+    <br />
+    <pre>
+    $_configuration['block_my_files_access'] = true;</pre>
+    This will prevent anonymous access, but will not prevent access from other
+    authenticated users.
     </p>
 
 <h2><a id="8.Disable-webservices">Disable webservices</a></h2>