From 9cc986a3f1896b1c86b883f04d88f577099030c1 Mon Sep 17 00:00:00 2001
From: CC Worker
Date: Sun, 7 Jun 2026 09:55:03 +0000
Subject: [PATCH] fix(exam): allow any institute teacher to fetch template source PDF

Removed the teacher_id ownership check from _require_source_visibility_or_404. RLS already ensures a teacher can only see templates in their institute; the ownership gate was blocking shared templates (e.g. board-uploaded AQA papers) for any teacher who didn't personally create them.
Co-Authored-By: Claude Sonnet 4.6
---
 routers/exam/templates.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/routers/exam/templates.py b/routers/exam/templates.py
index 34f1436..c707ba3 100644
--- a/routers/exam/templates.py
+++ b/routers/exam/templates.py
@@ -69,9 +69,7 @@ def _require_owner(ctx: ExamContext, template: Dict[str, Any]) -> None:
 def _require_source_visibility_or_404(ctx: ExamContext, template: Dict[str, Any]) -> None:
-    """Template source reads must not leak existence across institutes or non-owners."""
-    if template.get("teacher_id") != ctx.user_id:
-        raise HTTPException(status_code=404, detail="Template not found")
+    """Institute boundary check — RLS already gates template visibility; this prevents cross-institute PDF leakage."""
     if template.get("institute_id") not in ctx.institute_ids:
         raise HTTPException(status_code=404, detail="Template not found")
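Review bot: The new docstring on `_require_source_visibility_or_404` asserts that RLS already gates template visibility, but nothing in this helper enforces or checks that; if any caller loads `template` through a connection that bypasses RLS (a service-role client, for instance), the `institute_id in ctx.institute_ids` comparison is now the only access control on the source PDF, where the removed `teacher_id` check used to be a second layer. It would be more accurate to document the contract the code actually implements and the precondition it relies on, e.g. `"""Raise 404 unless the template belongs to one of the caller's institutes. Ownership (teacher_id) is deliberately not required so institute-shared templates stay readable; callers must load `template` through an RLS-scoped query."""`. The added docstring also runs well past the width the surrounding lines use, so it is worth wrapping. `_require_owner`, named in the hunk header, presumably still guards the mutating paths, but its body is outside this hunk, so confirm no other source-read path depended on the removed ownership gate.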