From 919e875903f3f04d887476f38b972882f4bc426f Mon Sep 17 00:00:00 2001
From: Jonathan Weth <git@jonathanweth.de>
Date: Sat, 18 Jan 2025 12:22:19 +0100
Subject: [PATCH] Deny access to PDF files for unauthenticated users

(cherry picked from commit adbca0d344581f9e567963bed8daee2d6df0de02)
---
 CHANGELOG.rst | 9 +++++++++
 aleksis/core/schema/__init__.py | 6 +++---
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 3267466e1..8758d42c9 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,6 +6,14 @@ All notable changes to this project will be documented in this file.
 The format is based on `Keep a Changelog`_, and this project adheres to `Semantic Versioning`_.
+`3.2.2`_ - 2025-01-18
+---------------------
+
+Fixed
+~~~~~
+
+* Not-logged in users were able to access all PDF files.
+
 `3.2.1`_ - 2024-06-27
 ---------------------
@@ -1255,3 +1263,4 @@ Fixed
 .. _3.1.5: https://edugit.org/AlekSIS/official/AlekSIS-Core/-/tags/3.1.5
 .. _3.2.0: https://edugit.org/AlekSIS/official/AlekSIS-Core/-/tags/3.2.0
 .. _3.2.1: https://edugit.org/AlekSIS/official/AlekSIS-Core/-/tags/3.2.1
+.. _3.2.2: https://edugit.org/AlekSIS/official/AlekSIS-Core/-/tags/3.2.2
diff --git a/aleksis/core/schema/__init__.py b/aleksis/core/schema/__init__.py
index a11fbb427..229ba34e9 100644
--- a/aleksis/core/schema/__init__.py
+++ b/aleksis/core/schema/__init__.py
@@ -131,9 +131,9 @@ class Query(graphene.ObjectType):
 def resolve_pdf_by_id(root, info, id, **kwargs): # noqa
 pdf_file = PDFFile.objects.get(pk=id)
- if has_person(info.context) and not info.context.user.person == pdf_file.person:
- raise PermissionDenied()
- return pdf_file
+ if has_person(info.context) and info.context.user.person == pdf_file.person:
+ return pdf_file
+ return None
 def resolve_search_snippets(root, info, query, limit=-1, **kwargs):
 indexed_models = UnifiedIndex().get_indexed_models()
-- 
GitLab
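Review bot: `PDFFile.objects.get(pk=id)` at the top of `resolve_pdf_by_id` still runs before the ownership check and raises `DoesNotExist` for an unknown id, whereas a denied request now returns `None`, so a caller without access (including one that is not logged in) can presumably still tell existing ids from missing ones by whether the response carries an error. Scoping the lookup to the owner gives both cases the same answer: `if not has_person(info.context): return None` followed by `return PDFFile.objects.filter(pk=id, person=info.context.user.person).first()`, assuming `person` is a model field on `PDFFile` (the hunk only shows it read as an attribute). The diffstat lists only CHANGELOG.rst and this file, so a regression test asserting that an anonymous request and a request for another person's file both yield `null` would be worth adding with the fix. The enclosing `Query` class starts outside the hunk.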