Open
Description
Currently the installation document/README just says add URLs to your Django. No issues with this part. What is not specified here is that the URL /martor/markdownify/ now becomes "public". By itself, it is not a problem. There may be many "mitigating" circumstances such as ALBs that don't allow /martor/ URLs and such. But, if someone were to just directly deploy this without reading the code, they have unintentionally exposed an unauthenticated URL.

Either we should call it out explicitly in the README, or better yet, there should be no reason for the function markdownfy_view to not have the login_required decorator which all the other functions have.