feat(licenses): gate release asset downloads behind license key when licensing enabled #347

New Issue

Closed

opened 2026-05-31 15:31:44 +00:00 by jmiller · 2 comments

jmiller commented 2026-05-31 15:31:44 +00:00

Owner

Copy Link

Copy Source

Summary

When licensing is enabled and RequireKey is on for a repo, prevent unauthenticated/unauthorized users from directly downloading release assets (.zip files). Currently, anyone with the direct URL can download even without a valid license key.

Behavior

• Logged-in users: Can always download (they have the repo in their dashboard)
• Anonymous users with valid ?dlid= key: Can download (key is validated against the license system)
• Anonymous users without key: Get a 403 or redirect to a "license required" page

Implementation

Add middleware to the release asset download route that checks:

1. If licensing is enabled and RequireKey is on for the repo
2. If the user is authenticated (allow)
3. If a dlid/key query param is present and valid (allow)
4. Otherwise reject

---

Claude Opus 4.6 (1M context) noreply@anthropic.com

## Summary When licensing is enabled and RequireKey is on for a repo, prevent unauthenticated/unauthorized users from directly downloading release assets (.zip files). Currently, anyone with the direct URL can download even without a valid license key. ### Behavior - **Logged-in users**: Can always download (they have the repo in their dashboard) - **Anonymous users with valid `?dlid=` key**: Can download (key is validated against the license system) - **Anonymous users without key**: Get a 403 or redirect to a "license required" page ### Implementation Add middleware to the release asset download route that checks: 1. If licensing is enabled and RequireKey is on for the repo 2. If the user is authenticated (allow) 3. If a `dlid`/`key` query param is present and valid (allow) 4. Otherwise reject --- *Claude Opus 4.6 (1M context) <noreply@anthropic.com>*

jmiller commented 2026-06-01 10:11:53 +00:00

Author

Owner

Copy Link

Copy Source

Testing Plan — Download Gating

API

• Gating=none: GET /releases/download/v1.0/file.zip → 200 (no key needed)
• Gating=all: GET same without key → 403
• Gating=all: GET same with ?dlid=VALIDKEY → 200
• Gating=all: GET same with ?dlid=INVALIDKEY → 403
• Gating=prerelease: stable tag download without key → 200
• Gating=prerelease: RC tag download without key → 403
• Gating=prerelease: RC tag download with key → 200
• Archive download (/archive/v1.0.zip) follows same gating rules
• Gating respects effective config (repo override → org default)

GUI

• Download gating dropdown in repo settings (none/prerelease/all)
• Download gating dropdown in org settings
• Help text explains each mode

🤖 Generated with Claude Code

## Testing Plan — Download Gating ### API - [ ] Gating=none: GET /releases/download/v1.0/file.zip → 200 (no key needed) - [ ] Gating=all: GET same without key → 403 - [ ] Gating=all: GET same with ?dlid=VALIDKEY → 200 - [ ] Gating=all: GET same with ?dlid=INVALIDKEY → 403 - [ ] Gating=prerelease: stable tag download without key → 200 - [ ] Gating=prerelease: RC tag download without key → 403 - [ ] Gating=prerelease: RC tag download with key → 200 - [ ] Archive download (/archive/v1.0.zip) follows same gating rules - [ ] Gating respects effective config (repo override → org default) ### GUI - [ ] Download gating dropdown in repo settings (none/prerelease/all) - [ ] Download gating dropdown in org settings - [ ] Help text explains each mode 🤖 Generated with [Claude Code](https://claude.com/claude-code)

jmiller added the pending: testing label 2026-06-01 10:13:49 +00:00

jmiller referenced this issue 2026-06-01 10:24:43 +00:00

feat(licenses): configurable feed visibility vs download-only gating #346

jmiller closed this issue 2026-06-02 11:21:09 +00:00

jmiller reopened this issue 2026-06-02 11:21:40 +00:00

jmiller referenced this issue from a commit 2026-06-02 11:47:40 +00:00

feat(licenses): archive, search, download gating, changelog XML, and expanded permissions

jmiller commented 2026-06-03 00:39:41 +00:00

Author

Owner

Copy Link

Copy Source

Tested and verified in production on MokoWaaS. All three download gating modes (none/prerelease/all), feed visibility, XML metadata, download URLs, and access control confirmed working.

Tested and verified in production on MokoWaaS. All three download gating modes (none/prerelease/all), feed visibility, XML metadata, download URLs, and access control confirmed working.

jmiller closed this issue 2026-06-03 00:39:41 +00:00

Sign in to join this conversation.

Labels

Clear labels

breaking-change

Breaking API or behavior change

ci-cd

CI/CD pipeline changes

config

Configuration changes

dependencies

Dependency updates

deploy-failure

Deployment failed

docker

Docker/container changes

documentation

Documentation changes

good first issue

Good for newcomers

health-check

Repo health check result

help wanted

Extra attention needed

mokostandards

Related to MokoStandards framework

pending: testing

Feature implemented but not yet tested with documented proof

priority: critical

Must fix immediately

priority: high

Important, fix soon

priority: low

Nice to have

priority: medium

Normal priority

push-failure

Git push operation failed

security

Security vulnerability or hardening

size/l

200-500 lines changed

size/m

50-200 lines changed

size/s

10-50 lines changed

size/xl

500+ lines changed

size/xs

< 10 lines changed

standards-drift

Deviates from MokoStandards

standards-update

MokoStandards compliance update

status: blocked

Blocked by dependency or decision

status: in-progress

Actively being worked on

status: needs-review

Awaiting code review

status: on-hold

Paused intentionally

status: wontfix

Will not be addressed

sync-failure

Sync or mirror failed

tech-debt

Technical debt and TODO/FIXME items

type: bug

Something isn't working

type: bug

type: chore

Maintenance, dependencies, cleanup

type: enhancement

Improvement to existing feature

type: feature

New functionality

type: refactor

Code restructuring without behavior change

type: version

Version bump or release

upstream

upstream

Inherited from upstream Gitea

work-in-progress

Draft or incomplete work

bug

Something is not working

chore

Maintenance and housekeeping

documentation

Documentation improvements

enhancement

Improvement to existing functionality

feature

New feature or request

pending: dependency

Blocked by another issue or external dependency

pending: deployment

Tested and approved, awaiting deployment to production

pending: design

Needs UI/UX or architecture design before implementation

pending: documentation

Feature works, needs documentation/wiki update

pending: feedback

Awaiting feedback or decision from stakeholder

pending: review

Implementation complete, awaiting code review

pending: testing

Feature implemented but not yet tested

priority: critical

Must fix immediately

priority: high

Should fix soon

priority: low

Nice to have

priority: medium

Fix when convenient

refactor

Code restructuring without behavior change

roadmap

Planned feature or enhancement tracked on the roadmap

scope: client

Client-specific work

scope: dolibarr

Dolibarr modules and customizations

scope: infrastructure

Server, CI, backups, monitoring

scope: joomla

Joomla templates and extensions

scope: waas

MokoWaaS platform

security

Security vulnerability or hardening

status: blocked

Waiting on external dependency

status: duplicate

Duplicate of another issue

status: in-progress

Being worked on

status: needs-review

Ready for review

status: wontfix

Will not be addressed

No labels pending: testing

Status —

Status —

Priority —

Milestone

No items

No Milestone

Assignees

Clear assignees

jmiller (Jonathan Miller) moko-deploy (Moko Deploy Bot)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: MokoConsulting/MokoGitea#347