From 021a054348449384af2bf3b982a280aa65208083 Mon Sep 17 00:00:00 2001
From: Jonathan Miller
Date: Tue, 2 Jun 2026 09:52:05 -0500
Subject: [PATCH] fix(licenses): licensed private repos allow signed-in users to view releases

When licensing is enabled on a private repo, signed-in users who are not repo members can now view the releases page (with downloads hidden). The RepoAssignment permission check detects licensing and grants read-only access instead of returning 403. This enables the commercial pattern: private source code, but release notes visible to any authenticated user. Download files are gated by license key via HideReleaseDownloads. Anonymous users still get 404 (no information leak). Non-licensed private repos still return 403 for non-members.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 services/context/repo.go | 26 ++++++++++++++++++++------
 services/context/repo_public_feed.go | 1 +
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/services/context/repo.go b/services/context/repo.go
index 7c294c5f57..1084f5ce9c 100644
--- a/services/context/repo.go
+++ b/services/context/repo.go
@@ -435,15 +435,29 @@ func repoAssignmentLegacy(ctx *Context, data *repoAssignmentPrepareDataStruct) {
 EarlyResponseForGoGetMeta(ctx)
 return
 }
- // For signed-in users, show "access denied" instead of 404
- // so they know the repo exists but they lack permission.
- // Anonymous users still get 404 to prevent repo enumeration.
+
+ // Check if licensing is enabled — licensed repos allow signed-in
+ // users to view releases even without repo membership.
 if ctx.IsSigned {
- ctx.HTTPError(http.StatusForbidden, "You do not have permission to access this repository")
+ orgCfg, _ := licenses_model.GetOrgConfig(ctx, repo.OwnerID)
+ repoCfg, _ := licenses_model.GetRepoConfig(ctx, repo.ID)
+ licensingEnabled := (orgCfg != nil && orgCfg.LicensingEnabled) ||
+ (repoCfg != nil && repoCfg.LicensingEnabled)
+
+ if licensingEnabled {
+ // Grant read-only access with downloads hidden.
+ ctx.Data["LicensingEnabled"] = licensingEnabled
+ ctx.Data["HideReleaseDownloads"] = true
+ ctx.Data["LicensedReadOnly"] = true
+ // Continue — don't block access.
+ } else {
+ ctx.HTTPError(http.StatusForbidden, "You do not have permission to access this repository")
+ return
+ }
+ } else {
+ ctx.NotFound(nil)
 return
 }
- ctx.NotFound(nil)
- return
 }
 
 ctx.Data["Permission"] = &ctx.Repo.Permission
diff --git a/services/context/repo_public_feed.go b/services/context/repo_public_feed.go
index a66f992b75..7cb392ed9e 100644
--- a/services/context/repo_public_feed.go
+++ b/services/context/repo_public_feed.go
@@ -53,3 +53,4 @@ func RepoAssignmentPublicFeed() func(ctx *Context) {
 log.Trace("Public feed access: %s/%s", ownerName, repoName)
 }
 }
+
-- 
2.52.0
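Review bot: The `licensingEnabled` fall-through opens the whole RepoAssignment to any signed-in user, not only the releases page the commit message describes — nothing in the branch inspects the requested route, and `ctx.Repo.Permission` is left untouched (it is still what gets stored in `ctx.Data["Permission"]` below), so the new access exists only as template flags. Whether any other handler becomes reachable depends on every downstream route doing its own unit-level `CanRead` check rather than relying on this 403; that is not visible in the hunk and should be verified and recorded, e.g. `// Relies on per-route unit permission checks to limit licensed non-members to releases.`. A safer shape is to grant a read-only permission scoped to the releases unit here so downstream checks stay the single source of truth, since `HideReleaseDownloads` only hides links in templates and does not by itself gate the attachment handlers. The errors from `GetOrgConfig`/`GetRepoConfig` are discarded with `_`; that fails closed to 403, but a lookup failure is then indistinguishable from "licensing disabled", so log them before the nil checks. The enclosing `repoAssignmentLegacy` starts and ends outside the hunk.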