services/context/repo.go

@@ -435,15 +435,29 @@ func repoAssignmentLegacy(ctx *Context, data *repoAssignmentPrepareDataStruct) {
 			EarlyResponseForGoGetMeta(ctx)
 			return
 		}
-		// For signed-in users, show "access denied" instead of 404
-		// so they know the repo exists but they lack permission.
-		// Anonymous users still get 404 to prevent repo enumeration.
+
+		// Check if licensing is enabled — licensed repos allow signed-in
+		// users to view releases even without repo membership.
 		if ctx.IsSigned {
-			ctx.HTTPError(http.StatusForbidden, "You do not have permission to access this repository")
+			orgCfg, _ := licenses_model.GetOrgConfig(ctx, repo.OwnerID)
+			repoCfg, _ := licenses_model.GetRepoConfig(ctx, repo.ID)
+			licensingEnabled := (orgCfg != nil && orgCfg.LicensingEnabled) ||
+				(repoCfg != nil && repoCfg.LicensingEnabled)
+
+			if licensingEnabled {
+				// Grant read-only access with downloads hidden.
+				ctx.Data["LicensingEnabled"] = licensingEnabled
+				ctx.Data["HideReleaseDownloads"] = true
+				ctx.Data["LicensedReadOnly"] = true
+				// Continue — don't block access.
+			} else {
+				ctx.HTTPError(http.StatusForbidden, "You do not have permission to access this repository")
+				return
+			}
+		} else {
+			ctx.NotFound(nil)
 			return
 		}
-		ctx.NotFound(nil)
-		return
 	}
 	ctx.Data["Permission"] = &ctx.Repo.Permission
 

services/context/repo_public_feed.go

@@ -53,3 +53,4 @@ func RepoAssignmentPublicFeed() func(ctx *Context) {
 		log.Trace("Public feed access: %s/%s", ownerName, repoName)
 	}
 }
+