From adbca0d344581f9e567963bed8daee2d6df0de02 Mon Sep 17 00:00:00 2001
From: Jonathan Weth <git@jonathanweth.de>
Date: Sat, 18 Jan 2025 12:22:19 +0100
Subject: [PATCH] Deny access to PDF files for unauthenticated users

---
 CHANGELOG.rst                   | 1 +
 aleksis/core/schema/__init__.py | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index dd56597f7..dc7c752ff 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -96,6 +96,7 @@ Fixed
 * Update and fix URLs for 3rdparty login.
 * The OpenID Connect Discovery endpoint now returns the issuer data directly
   under the URI without a trailing `/`.
+* Not-logged in users were able to access all PDF files.
 
 Removed
 ~~~~~~~
diff --git a/aleksis/core/schema/__init__.py b/aleksis/core/schema/__init__.py
index 1b5b71f30..696e2867e 100644
--- a/aleksis/core/schema/__init__.py
+++ b/aleksis/core/schema/__init__.py
@@ -246,9 +246,9 @@ class Query(graphene.ObjectType):
 
     def resolve_pdf_by_id(root, info, id, **kwargs):  # noqa
         pdf_file = PDFFile.objects.get(pk=id)
-        if has_person(info.context) and info.context.user.person != pdf_file.person:
-            return None
-        return pdf_file
+        if has_person(info.context) and info.context.user.person == pdf_file.person:
+            return pdf_file
+        return None
 
     def resolve_search_snippets(root, info, query, limit=-1, **kwargs):
         indexed_models = UnifiedIndex().get_indexed_models()
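Review bot: `PDFFile.objects.get(pk=id)` on the line above the new check still runs before any authorization, so an unauthenticated or non-owning caller can still learn whether a given id exists: an existing file yields `null`, while a missing one raises `DoesNotExist` and surfaces as a GraphQL error. Checking the caller first and folding the ownership constraint into the query removes that difference and skips the lookup entirely for anonymous callers: `if not has_person(info.context): return None` followed by `return PDFFile.objects.filter(pk=id, person=info.context.user.person).first()`. A short comment such as `# Only the owning person may fetch a PDF; everyone else gets None, also for unknown ids` would record the intended contract, which the `# noqa` line currently leaves undocumented. The enclosing `Query` class continues outside the hunk.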
-- 
GitLab