prevent non-authorized users to access medical release files

app/controllers/contracts_controller.rb

@@ -48,8 +48,10 @@ class ContractsController < ApplicationController
     # Native release contracts must be generated on-the-fly; non-native releases have a contract attachment
     if releasable.native?
       send_file contract.to_pdf, download_attributes
-    else
+    elsif policy(contract).show?
       redirect_to releasable.contract.service_url
+    else
+      raise Pundit::NotAuthorizedError
     end
   end
 end