Deny access to PDF files for unauthenticated users

(cherry picked from commit adbca0d3)

CHANGELOG.rst

@@ -6,6 +6,14 @@ All notable changes to this project will be documented in this file.
 The format is based on `Keep a Changelog`_,
 and this project adheres to `Semantic Versioning`_.
 
+`3.1.7`_ - 2025-01-18
+---------------------
+
+Fixed
+~~~~~
+
+* Not-logged in users were able to access all PDF files.
+
 `3.1.6`_ - 2024-06-27
 ---------------------
 
@@ -1246,3 +1254,4 @@ Fixed
 .. _3.1.4: https://edugit.org/AlekSIS/official/AlekSIS-Core/-/tags/3.1.4
 .. _3.1.5: https://edugit.org/AlekSIS/official/AlekSIS-Core/-/tags/3.1.5
 .. _3.1.6: https://edugit.org/AlekSIS/official/AlekSIS-Core/-/tags/3.1.6
+.. _3.1.7: https://edugit.org/AlekSIS/official/AlekSIS-Core/-/tags/3.1.7

aleksis/core/schema/__init__.py

@@ -131,9 +131,9 @@ class Query(graphene.ObjectType):
 
     def resolve_pdf_by_id(root, info, id, **kwargs):  # noqa
         pdf_file = PDFFile.objects.get(pk=id)
-        if has_person(info.context) and not info.context.user.person == pdf_file.person:
-            raise PermissionDenied()
-        return pdf_file
+        if has_person(info.context) and info.context.user.person == pdf_file.person:
+            return pdf_file
+        return None
 
     def resolve_search_snippets(root, info, query, limit=-1, **kwargs):
         indexed_models = UnifiedIndex().get_indexed_models()