Deny access to PDF files for unauthenticated users

(cherry picked from commit adbca0d3)

Deny access to PDF files for unauthenticated users
919e8759 · Jonathan Weth · 067c4aa0 · 919e8759 · 919e8759
Verified Commit 919e8759 authored 5 months ago by Jonathan Weth
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -6,6 +6,14 @@ All notable changes to this project will be documented in this file.
 The format is based on `Keep a Changelog`_,
 and this project adheres to `Semantic Versioning`_.
+`3.2.2`_ - 2025-01-18
+---------------------
+Fixed
+~~~~~
+* Not-logged in users were able to access all PDF files.
 `3.2.1`_ - 2024-06-27
 ---------------------
@@ -1255,3 +1263,4 @@ Fixed
 .. _3.1.5: https://edugit.org/AlekSIS/official/AlekSIS-Core/-/tags/3.1.5
 .. _3.2.0: https://edugit.org/AlekSIS/official/AlekSIS-Core/-/tags/3.2.0
 .. _3.2.1: https://edugit.org/AlekSIS/official/AlekSIS-Core/-/tags/3.2.1
+.. _3.2.2: https://edugit.org/AlekSIS/official/AlekSIS-Core/-/tags/3.2.2
--- a/aleksis/core/schema/__init__.py
+++ b/aleksis/core/schema/__init__.py
@@ -131,9 +131,9 @@ class Query(graphene.ObjectType):
    def resolve_pdf_by_id(root, info, id, **kwargs):  # noqa
        pdf_file = PDFFile.objects.get(pk=id)
-        if has_person(info.context) and not info.context.user.person == pdf_file.person:
+        if has_person(info.context) and info.context.user.person == pdf_file.person:
-            raise PermissionDenied()
+            return pdf_file
-        return pdf_file
+        return None
    def resolve_search_snippets(root, info, query, limit=-1, **kwargs):
        indexed_models = UnifiedIndex().get_indexed_models()