Unauthenticated access to private files on app.fizzy.do via Active Storage URLs leads to information disclosure

# Unauthenticated access to private files and previews via Active Storage URLs (IDOR) ## Description While testing the application at fizzy.do domain asset into https://app.fizzy.do/ subdomain file uploads, I noticed that files and file previews served through Active Storage can be accessed directly via their URLs, without any authentication or authorization checks. These URLs remain accessible to other users and even to unauthenticated visitors, which allows access to private attachments outside the intended application flow. ## Steps to Reproduce 1. Log in as User A 2. Upload a file to a card 3. View the uploaded file so the preview or download link is rendered 4. Copy the Active Storage URL from the browser (e.g., image preview or download link) 5. Open a new browser session without authentication (or log in as a different user) 6. Paste the copied URL into the address bar ## Impact The file or preview is displayed successfully, even though the user is not authenticated or authorized to access the original resource. The issue does not require guessing or brute-forcing URLs. The application exposes these URLs during normal usage (e.g., in HTML markup and browser requests). The same behavior was observed across multiple file types, including PDFs, images, text files, and HTML files. Note: This appears to be a configuration or design issue rather than a problem with Rails itself, and fixing it would help ensure that private attachments are only accessible within the intended permission model.