[SECURITY] Prevent access to arbitrary cached files by UUID (CVE-2025-14881)

src/pretix/base/views/cachedfiles.py

@@ -36,9 +36,8 @@ class DownloadView(TemplateView):
     def object(self) -> CachedFile:
         try:
             o = get_object_or_404(CachedFile, id=self.kwargs['id'], web_download=True)
-            if o.session_key:
-                if o.session_key != self.request.session.session_key:
-                    raise Http404()
+            if not o.allowed_for_session(self.request):
+                raise Http404()
             return o
         except (ValueError, ValidationError):   # Invalid URLs
             raise Http404()