From 02424c3f754f33336fafd6e402f86a8d20bf76c5 Mon Sep 17 00:00:00 2001
From: Jonathan Miller
Date: Tue, 2 Jun 2026 10:12:45 -0500
Subject: [PATCH] fix(licenses): allow download access on private licensed repos with license key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RepoAssignment now checks for dlid/key/download_key query params when licensing is enabled. Anonymous Joomla/WordPress clients with valid license keys can access release download routes on private repos without being signed in.

Access flow for licensed private repos:
- Anonymous + no key → 403 (styled page)
- Anonymous + valid dlid → access granted (CheckDownloadGating validates)
- Signed in + no membership → access granted (releases visible, downloads hidden)
- Org member → full access

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 services/context/repo.go | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/services/context/repo.go b/services/context/repo.go
index 5bd6653a1c..cadba73d2c 100644
--- a/services/context/repo.go
+++ b/services/context/repo.go
@@ -436,18 +436,21 @@ func repoAssignmentLegacy(ctx *Context, data *repoAssignmentPrepareDataStruct) {
 return
 }
 
- // Check if licensing is enabled — licensed repos allow signed-in
- // users to view releases even without repo membership.
- if ctx.IsSigned {
- orgCfg, _ := licenses_model.GetOrgConfig(ctx, repo.OwnerID)
- repoCfg, _ := licenses_model.GetRepoConfig(ctx, repo.ID)
- licensingEnabled := (orgCfg != nil && orgCfg.LicensingEnabled) ||
- (repoCfg != nil && repoCfg.LicensingEnabled)
+ // Check if licensing is enabled — licensed repos allow access to
+ // releases and downloads via license key, even without membership.
+ orgCfg, _ := licenses_model.GetOrgConfig(ctx, repo.OwnerID)
+ repoCfg, _ := licenses_model.GetRepoConfig(ctx, repo.ID)
+ licensingEnabled := (orgCfg != nil && orgCfg.LicensingEnabled) ||
+ (repoCfg != nil && repoCfg.LicensingEnabled)
 
- if licensingEnabled {
- // Grant read-only access with downloads hidden.
+ if licensingEnabled {
+ // Check if a license key is provided in query params (for Joomla/WP clients).
+ hasKey := ctx.FormString("dlid") != "" || ctx.FormString("key") != "" || ctx.FormString("download_key") != ""
+
+ if ctx.IsSigned || hasKey {
+ // Grant read-only access — downloads gated by CheckDownloadGating handler.
 ctx.Data["LicensingEnabled"] = licensingEnabled
- ctx.Data["HideReleaseDownloads"] = true
+ ctx.Data["HideReleaseDownloads"] = !hasKey && !ctx.IsSigned
 ctx.Data["LicensedReadOnly"] = true
 // Continue — don't block access.
 } else {
-- 
2.52.0
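Review bot: `hasKey` is true for any non-empty `dlid`, `key` or `download_key` value, so the `if ctx.IsSigned || hasKey` branch lets an anonymous request past the private-repo check with `LicensedReadOnly` set before anything has validated the key. The comment defers validation to CheckDownloadGating, which is not visible in this hunk. Unless every route that reaches repoAssignmentLegacy runs that handler or otherwise restricts `LicensedReadOnly` for anonymous callers, the key should be validated here or the bypass limited to the release download routes. Separately, `!hasKey && !ctx.IsSigned` is always false inside this branch, so `HideReleaseDownloads` is never set and signed-in non-members lose the "downloads hidden" behaviour the commit message describes; `ctx.Data["HideReleaseDownloads"] = !hasKey` would keep it. The function body starts and ends outside the hunk, so the surrounding permission checks could not be reviewed.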