Can files be kept private on Grav?

Although there are advantages to a flat file system, I have to wonder about keeping anything private. Can anybody get to files on Grav just by the URL?

I’m also interested in this. Following.

@walterbyrd, @marcocevoli Although I’m not that well versed in .htaccess, I think (and correct me if I’m wrong) the following snippet will block all sorts of file types in the /user tree and also all *.md files anywhere in your site:

# Block access to specific file types for these user folders
RewriteRule ^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
# Block all direct access to .md files:
RewriteRule \.md$ error [F]
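To see what the two rules in the snippet above cover, here is an added example (not part of the original post) that applies the same patterns to a list of request paths and reports which ones would get a 403. The sample paths are constructed for illustration, and the script assumes the rules live in a per-directory .htaccess file, where Apache matches the pattern against the path without its leading slash.

```python
import re

# The two patterns from the .htaccess snippet above. In a per-directory
# .htaccess file Apache matches RewriteRule patterns against the URL path
# with the leading slash removed, so the sample paths below have none.
RULES = [
    re.compile(r"^(user)/(.*)\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$"),
    re.compile(r"\.md$"),
]


def is_forbidden(path):
    """True when either rule would answer the request with 403 ([F])."""
    return any(rule.search(path) for rule in RULES)


# Constructed sample paths (hypothetical site layout, not from the post).
SAMPLES = [
    "user/config/system.yaml",
    "user/accounts/admin.yaml",
    "user/pages/02.private/item.md",
    "docs/readme.md",
    "user/pages/02.private/report.pdf",
    "user/pages/02.private/photo.jpg",
    "user/data/export.csv",
]


def audit(paths):
    """Split paths into (blocked, reachable) under the two rules."""
    blocked = [p for p in paths if is_forbidden(p)]
    reachable = [p for p in paths if not is_forbidden(p)]
    return blocked, reachable


if __name__ == "__main__":
    blocked, reachable = audit(SAMPLES)
    for p in blocked:
        print("403 ", p)
    for p in reachable:
        print("open", p)
```

The rules are keyed on file extension only, so a PDF, image or CSV stored next to a page is not matched by either pattern and would need its own rule if it is meant to stay private.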

I had to write a little plugin that looks at a page's frontmatter, and if it contained “private_content: true”, then it is hidden from the archive page creation, and if someone were to access it via a URL (i.e. someone shared a link), it returns the 404 page. I am still working on the part of the plugin that allows access to the content should a privileged user access the content.