diff --git a/copyparty/authsrv.py b/copyparty/authsrv.py
index 481f2d4b..19887e38 100644
--- a/copyparty/authsrv.py
+++ b/copyparty/authsrv.py
@@ -33,6 +33,7 @@ from .util import (
 uncyg,
 undot,
 unhumanize,
+ vsplit,
 )
 if True: # pylint: disable=using-constant-test
@@ -790,7 +791,7 @@ class AuthSrv(object):
 self.grps: dict[str, list[str]] = {}
 self.re_pwd: Optional[re.Pattern] = None
- # all volumes ever seen (from current or previous runs)
+ # all volumes observed since last restart
 self.idp_vols: dict[str, str] = {} # vpath->abspath
 # all users/groups observed since last restart
@@ -889,6 +890,8 @@ class AuthSrv(object):
 src, dst = self._map_volume(src, dst, mount, daxs, mflags)
 if src:
 ret.append((src, dst, un, gn))
+ if un or gn:
+ self.idp_vols[dst] = src
 return ret
@@ -1352,6 +1355,8 @@ class AuthSrv(object):
 mflags: dict[str, dict[str, Any]] = {} # moutpoint:flags
 mount: dict[str, str] = {} # dst:src (mountpoint:realpath)
+ self.idp_vols = {} # yolo
+
 if self.args.a:
 # list of username:password
 for x in self.args.a:
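Review bot: The `# yolo` comment on `self.idp_vols = {}` in the `@@ -1352` hunk gives no reason for discarding the map, and it sits oddly with the new field comment `# all volumes observed since last restart` from the `@@ -790` hunk. If this method runs on every config reload rather than only at startup, the dict holds what the latest reload produced through the `if un or gn:` branch, not everything seen since restart. Because the anonymous-access warning added later in this commit is driven entirely by this dict, the reset deserves a real comment, for example `# rebuilt on every reload; drives the IdP parent-volume warning`. The enclosing method starts and ends outside the hunk.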
@@ -2001,6 +2006,17 @@ class AuthSrv(object):
 except Pebkac:
 self.warn_anonwrite = True
+ idp_err = "WARNING! The following IdP volumes are mounted directly below another volume where anonymous users can read and/or write files. This is a SECURITY HAZARD!! When copyparty is restarted, it will not know about these IdP volumes yet. These volumes will then be accessible by anonymous users UNTIL one of the users associated with their volume sends a request to the server. RECOMMENDATION: You should create a restricted volume where nobody can read/write files, and make sure that all IdP volumes are configured to appear somewhere below that volume."
+ for idp_vp in self.idp_vols:
+ parent_vp = vsplit(idp_vp)[0]
+ vn, _ = vfs.get(parent_vp, "*", False, False)
+ zs = "READABLE" if "*" in vn.axs.uread else "WRITABLE" if "*" in vn.axs.uwrite else ""
+ if zs:
+ t = '\nWARNING: Volume "/%s" appears below "/%s" and would be WORLD-%s'
+ idp_err += t % (idp_vp, vn.vpath, zs)
+ if "\n" in idp_err:
+ self.log(idp_err, 1)
+
 self.vfs = vfs
 self.acct = acct
 self.grps = grps
diff --git a/docs/TODO.md b/docs/TODO.md
index ce73b281..befcedf4 100644
--- a/docs/TODO.md
+++ b/docs/TODO.md
@@ -9,7 +9,6 @@ a living list of upcoming features / fixes / changes, very roughly in order of p
 * [github issue #62](https://github.com/9001/copyparty/issues/62) - IdP / single-sign-on powered by a local identity provider service which is possibly hooked up to ldap or an oauth service
 * persist autogenerated volumes for db-init + nullmapping on next startup (`_map_volume` += `only_if_exist`)
- * sanchk that autogenerated volumes below inaccessible parent
 * download accelerator
 * definitely download chunks in parallel
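Review bot: The parent lookup `vfs.get(parent_vp, "*", False, False)` in the `@@ -2001` hunk can land on a volume that is itself listed in `self.idp_vols`, which happens when one IdP volume is nested under another. That parent is just as absent after a restart, so the ancestor above it is the one whose anonymous access matters. Assuming `vfs.get` returns the nearest enclosing volume, walk upward before computing `zs`: `while vn.vpath and vn.vpath in self.idp_vols: vn, _ = vfs.get(vsplit(vn.vpath)[0], "*", False, False)`. The `zs` expression also consults only `vn.axs.uread` and `vn.axs.uwrite`; if anonymous users can hold other permissions on `vn.axs`, a parent granting only those passes without a warning. The enclosing method starts and ends outside the hunk.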