With some server configurations it is not possible to have the attachment directory outside of the web server's path.
In other cases You might want to allow Your staff to browse the attachment directory online, but restrict everyone else.
Using .htaccess and .htpasswd we can have a directory tree listing that's password protected.
create a .htaccess file in your attachment directory like this one:
Options +Indexes
IndexOptions FancyIndexing NameWidth=* SuppressDescription FoldersFirst IgnoreCase
AuthUserFile /Your/DocumentRoot/./Your/PublicPath/uploads/.htpasswd
AuthName "UploadDir"
AuthType Basic
<Limit GET POST PUT>
require valid-user
</Limit>
create a .htpasswd file using a (.htpasswd generator) in your attachment directory:
staff-your-own-password
The above creates a login prompt:
username: staff
password: ****
Use a (.htpasswd generator) to create your own username/password
You can now access Your attachment directory online.