Merge branch 'master' into 'master'

Fix security issue Closes #1180 See merge request !1692

Merge branch 'master' into 'master'
17a14979 · Jonathan Weth · acce2ce3 · adbca0d3 · 17a14979 · 17a14979
Commit 17a14979 authored 1 month ago by Jonathan Weth
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -96,6 +96,7 @@ Fixed
 * Update and fix URLs for 3rdparty login.
 * The OpenID Connect Discovery endpoint now returns the issuer data directly
  under the URI without a trailing `/`.
+* Not-logged in users were able to access all PDF files.

 Removed
 ~~~~~~~

--- a/aleksis/core/schema/__init__.py
+++ b/aleksis/core/schema/__init__.py
@@ -246,9 +246,9 @@ class Query(graphene.ObjectType):

    def resolve_pdf_by_id(root, info, id, **kwargs):  # noqa
        pdf_file = PDFFile.objects.get(pk=id)
-        if has_person(info.context) and info.context.user.person != pdf_file.person:
-            return None
-        return pdf_file
+        if has_person(info.context) and info.context.user.person == pdf_file.person:
+            return pdf_file
+        return None

    def resolve_search_snippets(root, info, query, limit=-1, **kwargs):
        indexed_models = UnifiedIndex().get_indexed_models()