Defuse Direct Object References
We are currently using primary keys of database objects in our URLs. So an adversary can easily guess the URL of an object. Most of them should be authenticated, so that should not be a problem.
However, we might miss cases where it actually is a problem. An example of this would be user repos in a default storage location. It should be possible to find and access other people's published repos this way.
Background information: https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References
Possible helper: http://hashids.org
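A sketch of the two defences side by side, added here as an illustration and not taken from this project's code: a random per-object reference for URLs (a stand-in for the hashids idea, not the hashids library itself) and a per-object access check on every lookup. The Repo fields, the function names and the rule "owner or published" are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Repo:
    pk: int          # database primary key, kept out of URLs in the hardened path
    owner: str
    published: bool
    # Hypothetical extra column: unguessable reference used in URLs instead of pk
    ref: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class NotFound(Exception):
    pass


# Constructed sample rows, not real data
REPOS = [Repo(1, "alice", True), Repo(2, "bob", False), Repo(3, "alice", False)]
BY_PK = {r.pk: r for r in REPOS}
BY_REF = {r.ref: r for r in REPOS}


def get_repo_by_pk_unchecked(pk):
    """Pattern described in this issue: the URL carries the pk, no per-object check."""
    return BY_PK[pk]


def reachable_without_check(max_pk):
    """Audit helper: objects a sequential-ID guess reaches via the unchecked lookup."""
    return [BY_PK[pk] for pk in range(1, max_pk + 1) if pk in BY_PK]


def get_repo(ref, user):
    """Hardened lookup: opaque reference plus an authorization check on the object.

    Assumed policy: readable if published, or if the requester owns it.
    Unknown and unauthorized references raise the same error, so a response
    does not confirm that an object exists.
    """
    repo = BY_REF.get(ref)
    if repo is None or not (repo.published or repo.owner == user):
        raise NotFound(ref)
    return repo
```

The opaque reference only makes URLs hard to guess; the check inside get_repo is what still holds when a reference leaks through logs, referrers or shared links.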