
Restrict SOURCE_PDF access to admins across activity and document endpoints #38

Merged
milljoniaer merged 3 commits into main from copilot/exclude-source-pdf-for-non-admins
Mar 27, 2026

Copilot AI commented Mar 26, 2026

SOURCE_PDF documents were accessible to non-admin users via activity GET responses and the document info endpoint. This PR enforces admin-only access at both layers.

Changes

Activity GET responses

  • ActivityController passes isAdmin(authentication) as includeSourcePdf flag for both GET /api/activities/ and GET /api/activities/{id}
  • ActivityService.mapToResponse() filters out SOURCE_PDF documents when includeSourcePdf=false

DocumentsController — download endpoint

  • enforceDownloadAccess() throws AccessDeniedException for non-admins attempting to download SOURCE_PDF documents

DocumentsController — info endpoint (new protection)

  • GET /api/documents/{documentId}/info now also calls enforceDownloadAccess(), preventing metadata leakage (filename, size, confidence score) to non-admins
  • Added Authentication parameter and @SecurityRequirement annotation; re-throws AccessDeniedException to bypass the generic catch (Exception e) → 404 handler

```java
// info endpoint now mirrors the download endpoint's access control
PDFDocument document = pdfService.getPdfDocument(documentId);
enforceDownloadAccess(document, authentication); // blocks non-admins for SOURCE_PDF
```

Tests

  • Added mapToResponseIncludesSourcePdfDocumentsForAdmin to verify admins (includeSourcePdf=true) do receive SOURCE_PDF entries in the documents list

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • jfrog-prod-use1-shared-virginia-main.s3.amazonaws.com

Copilot AI changed the title from "[WIP] Exclude source pdf for non-admin users from activity response" to "Restrict SOURCE_PDF access to admins across activity and document endpoints" Mar 26, 2026
Copilot AI requested a review from milljoniaer March 26, 2026 13:08
milljoniaer marked this pull request as ready for review March 27, 2026 09:46
milljoniaer merged commit 5d5480f into main Mar 27, 2026
2 checks passed
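
The two controls described in this PR, as an added Java sketch that is not the project's code: one access check called from the info handler ahead of a generic catch-all, and a list filter keyed on an includeSourcePdf flag. The record and exception types, the sample documents, the ACTIVITY_PDF type, the dispatch helper and the integer status returns are assumptions made for illustration.

```java
import java.util.List;
import java.util.Map;

// Added illustration: all types and names are hypothetical stand-ins, not LEARN-Hub code.
public class SourcePdfAccessDemo {
    enum DocType { SOURCE_PDF, ACTIVITY_PDF }
    record Doc(long id, DocType type, String filename) {}
    static class AccessDenied extends RuntimeException { AccessDenied(String m) { super(m); } }

    // Constructed sample data.
    static final Map<Long, Doc> STORE = Map.of(
        1L, new Doc(1, DocType.SOURCE_PDF, "original-upload.pdf"),
        2L, new Doc(2, DocType.ACTIVITY_PDF, "worksheet.pdf"));

    // Single check shared by the download and info handlers.
    static void enforceDownloadAccess(Doc doc, boolean isAdmin) {
        if (doc.type() == DocType.SOURCE_PDF && !isAdmin) {
            throw new AccessDenied("SOURCE_PDF is restricted to admins");
        }
    }

    // Info handler whose generic catch-all answers 404.
    static int infoStatus(long id, boolean isAdmin) {
        try {
            Doc doc = STORE.get(id);
            if (doc == null) throw new IllegalStateException("not found");
            enforceDownloadAccess(doc, isAdmin);
            return 200;
        } catch (AccessDenied e) {
            throw e; // without this clause the catch-all below reports the denial as 404
        } catch (Exception e) {
            return 404;
        }
    }

    // Stand-in for the framework layer that maps the denial to 403.
    static int dispatch(long id, boolean isAdmin) {
        try { return infoStatus(id, isAdmin); } catch (AccessDenied e) { return 403; }
    }

    // Activity response mapping: drop SOURCE_PDF entries unless the flag is set.
    static List<Doc> visibleDocuments(List<Doc> docs, boolean includeSourcePdf) {
        return docs.stream().filter(d -> includeSourcePdf || d.type() != DocType.SOURCE_PDF).toList();
    }

    public static void main(String[] args) {
        List<Doc> all = List.copyOf(STORE.values());
        System.out.println("non-admin info on SOURCE_PDF: " + dispatch(1, false));
        System.out.println("admin info on SOURCE_PDF: " + dispatch(1, true));
        System.out.println("unknown id: " + dispatch(99, false));
        System.out.println("non-admin list: " + visibleDocuments(all, false));
    }
}
```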