diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index dd56597f74a88d406720973a87367dee27a8525f..dc7c752ff268741a1b40af875d2f736d66bb5fbe 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -96,6 +96,7 @@ Fixed
 * Update and fix URLs for 3rdparty login.
 * The OpenID Connect Discovery endpoint now returns the issuer data directly
   under the URI without a trailing `/`.
+* Not-logged in users were able to access all PDF files.
 
 Removed
 ~~~~~~~
diff --git a/aleksis/core/schema/__init__.py b/aleksis/core/schema/__init__.py
index 1b5b71f30d7345d9ca26c017ae9f36ee1bd3fb34..696e2867e85219523041d21c9172422c1f577b05 100644
--- a/aleksis/core/schema/__init__.py
+++ b/aleksis/core/schema/__init__.py
@@ -246,9 +246,9 @@ class Query(graphene.ObjectType):
 
     def resolve_pdf_by_id(root, info, id, **kwargs):  # noqa
         pdf_file = PDFFile.objects.get(pk=id)
-        if has_person(info.context) and info.context.user.person != pdf_file.person:
-            return None
-        return pdf_file
+        if has_person(info.context) and info.context.user.person == pdf_file.person:
+            return pdf_file
+        return None
 
     def resolve_search_snippets(root, info, query, limit=-1, **kwargs):
         indexed_models = UnifiedIndex().get_indexed_models()