Fix rights to badges from non public assemblies

Badges from non public assemblies should not be accessible by users who
are not part of the assembly.

src/core/models/badges.py

@@ -67,18 +67,20 @@ def get_badge_filename(instance: 'Badge', filename: str):
 class BadgeManager(ConferenceManagerMixin['Badge']):
     def apply_public_filter(self, queryset: 'QuerySet[Badge]', member: ConferenceMember | None = None) -> 'QuerySet[Badge]':
         if member is None:
-            return queryset.filter(state=Badge.State.PUBLIC)
-        return queryset.filter(Q(state=Badge.State.PUBLIC) | Q(users__user=member.user))
+            return queryset.filter(state=Badge.State.PUBLIC, issuing_assembly__state__in=Assembly.PUBLIC_STATES)
+        return queryset.filter(Q(state=Badge.State.PUBLIC, issuing_assembly__state__in=Assembly.PUBLIC_STATES) | Q(users__user=member.user))
 
     def accessible_by_user(self, user: PlatformUser, conference: Conference, staff_can_manage=True) -> 'QuerySet[Badge]':
         if user is None or not user.is_authenticated:
             user = PlatformUser.get_anonymous_user()
         qs = self.get_queryset()
         if not user.is_authenticated:
-            return qs.filter(state=Badge.State.PUBLIC)
+            return qs.filter(state=Badge.State.PUBLIC, issuing_assembly__state__in=Assembly.PUBLIC_STATES)
 
         manageable = Assembly.objects.manageable_by_user(conference, user=user, staff_can_manage=staff_can_manage)
-        return qs.filter(Q(state=Badge.State.PUBLIC) | Q(users__user=user) | Q(issuing_assembly__in=manageable))
+        return qs.filter(
+            Q(state=Badge.State.PUBLIC, issuing_assembly__state__in=Assembly.PUBLIC_STATES) | Q(users__user=user) | Q(issuing_assembly__in=manageable)
+        )
 
 
 def get_badge_image_help_text() -> str: