Deny access to PDF files for unauthenticated users

(cherry picked from commit adbca0d3)

CHANGELOG.rst

@@ -6,6 +6,14 @@ All notable changes to this project will be documented in this file.
 The format is based on `Keep a Changelog`_,
 and this project adheres to `Semantic Versioning`_.
 
+`3.2.2`_ - 2025-01-18
+---------------------
+
+Fixed
+~~~~~
+
+* Not-logged in users were able to access all PDF files.
+
 `3.2.1`_ - 2024-06-27
 ---------------------
 
@@ -1255,3 +1263,4 @@ Fixed
 .. _3.1.5: https://edugit.org/AlekSIS/official/AlekSIS-Core/-/tags/3.1.5
 .. _3.2.0: https://edugit.org/AlekSIS/official/AlekSIS-Core/-/tags/3.2.0
 .. _3.2.1: https://edugit.org/AlekSIS/official/AlekSIS-Core/-/tags/3.2.1
+.. _3.2.2: https://edugit.org/AlekSIS/official/AlekSIS-Core/-/tags/3.2.2

aleksis/core/schema/__init__.py

@@ -131,9 +131,9 @@ class Query(graphene.ObjectType):
 
     def resolve_pdf_by_id(root, info, id, **kwargs):  # noqa
         pdf_file = PDFFile.objects.get(pk=id)
-        if has_person(info.context) and not info.context.user.person == pdf_file.person:
-            raise PermissionDenied()
+        if has_person(info.context) and info.context.user.person == pdf_file.person:
             return pdf_file
+        return None
 
     def resolve_search_snippets(root, info, query, limit=-1, **kwargs):
         indexed_models = UnifiedIndex().get_indexed_models()