fix(licenses): bypass attachment permission check for licensed downloads

ServeAttachment checks perm.CanRead(unitType) which fails for
licensed read-only access on private repos. Now skips the check
when LicensedReadOnly is set in context (from RepoAssignment).

This allows Joomla/WordPress clients with valid dlid= params to
download release files from private licensed repos.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Jonathan Miller
2026-06-02 10:17:06 -05:00
parent 02424c3f75
commit 95d93da2bc
+5 -2
@@ -182,8 +182,11 @@ func ServeAttachment(ctx *context.Context, uuid string) {
}
if !perm.CanRead(unitType) {
ctx.HTTPError(http.StatusNotFound)
return
// Allow access for licensed read-only mode (private repo with valid license key).
if ctx.Data["LicensedReadOnly"] != true {
ctx.HTTPError(http.StatusNotFound)
return
}
}
if requiredScope, ok := attachmentReadScope(unitType); ok {
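Review bot: The new `ctx.Data["LicensedReadOnly"] != true` branch waives `perm.CanRead(unitType)` for whatever `unitType` the attachment resolved to, while the commit message only talks about release files. Since `unitType` is a variable here and also feeds `attachmentReadScope(unitType)`, this function appears to serve more than one kind of attachment, so a licensed client could read non-release attachments on the private repo as well. Suggest limiting the bypass to the releases unit type, and checking that the license flag was set for the repository that owns this attachment, which nothing in these lines shows. Carrying an authorization decision in the untyped `ctx.Data` map is also fragile: the comparison fails closed on a missing or non-bool value, which is good, but a typed field on the context set only by RepoAssignment would be harder to set by accident elsewhere. A test covering the licensed and unlicensed paths on a private repo would be worth adding.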