Issue #3607979: Enforce per-file access and CSRF on PDF scan endpoints
Fixes an IDOR: the queue-scan, scan/start and scan/accessibility endpoints loaded files/status entities by a caller-supplied ID with no access check, so any user holding the (non-restricted) "check pdf accessibility" permission could enumerate arbitrary IDs to read other users' accessibility reports or push private files to the Adobe API.
- Add PdfServicesScanController::userCanAccessFile() (owner, direct file view access, or view access to a referencing entity) and enforce it in all three endpoints; checkAccessibility now resolves the file behind the status_id first.
- Make the three routes POST-only and require _csrf_request_header_token.
- Update the widget JS to fetch a session token and send it as the X-CSRF-Token header on both scan requests.
- Rework ScanControllerTest for POST + CSRF and add coverage for the private-file IDOR denial, missing-token rejection, and GET rejection.
Co-Authored-By: Claude Fable 5 noreply@anthropic.com
Closes #3607979