thing is, there IS a transfer protocol, there are just no controls on the files. If you can log in, there is just passing security.

Just take a step back and think what you could do if it were a protocol:

- limit visible files

- limit access to files by user

- make access strictly read-only

- allow upload-only (sort of a dropbox)

- clear separation between login access and file access

- remove login user from the whole mess

- trivially tie in as a filesystem.

etc...