@luckow I think the feature is still "experimental" per the docs - This solution is currently still in testing you could experience performance issues.
The second solution listed in the section suggests enabling "Enable higher security image uploads". I can confirm that option works. Since, we enable .htaccess in the apache configs, directory indexes are disabled as well.
I think if people still want local_secure, they can always fix up env as required but there's probably a reason that the upstream does not use this as the default.
BTW: kind of same behaviour for nextcloud.
There is a UID in the user settings, which you can only see with /app/code/occ user:setting in the terminal.
And because I switched from internal Cloudron LDAP to an external LDAP I got a new UID for all my users. The strange behavior from nextcloud is:
Login with user:pass works. (the schema is firstname.lastname as username).
But internally nextcloud adds a _RANDOMNUMBER to it.
In my case a stephan.luckow is internally changed to stephan.luckow_3096
Problem is: all my calendar entries are based on stephan.luckow_3096 and not on stephan.luckow.
I have updated bookstack package to support optional cloudron authentication. If you do a fresh install, you will get the option to install without cloudron auth. After that, you can enable external registration.