services/context/repo.go

@@ -436,18 +436,21 @@ func repoAssignmentLegacy(ctx *Context, data *repoAssignmentPrepareDataStruct) {
 			return
 		}
 
-		// Check if licensing is enabled — licensed repos allow signed-in
-		// users to view releases even without repo membership.
-		if ctx.IsSigned {
-			orgCfg, _ := licenses_model.GetOrgConfig(ctx, repo.OwnerID)
-			repoCfg, _ := licenses_model.GetRepoConfig(ctx, repo.ID)
-			licensingEnabled := (orgCfg != nil && orgCfg.LicensingEnabled) ||
-				(repoCfg != nil && repoCfg.LicensingEnabled)
+		// Check if licensing is enabled — licensed repos allow access to
+		// releases and downloads via license key, even without membership.
+		orgCfg, _ := licenses_model.GetOrgConfig(ctx, repo.OwnerID)
+		repoCfg, _ := licenses_model.GetRepoConfig(ctx, repo.ID)
+		licensingEnabled := (orgCfg != nil && orgCfg.LicensingEnabled) ||
+			(repoCfg != nil && repoCfg.LicensingEnabled)
 
-			if licensingEnabled {
-				// Grant read-only access with downloads hidden.
+		if licensingEnabled {
+			// Check if a license key is provided in query params (for Joomla/WP clients).
+			hasKey := ctx.FormString("dlid") != "" || ctx.FormString("key") != "" || ctx.FormString("download_key") != ""
+
+			if ctx.IsSigned || hasKey {
+				// Grant read-only access — downloads gated by CheckDownloadGating handler.
 				ctx.Data["LicensingEnabled"] = licensingEnabled
-				ctx.Data["HideReleaseDownloads"] = true
+				ctx.Data["HideReleaseDownloads"] = !hasKey && !ctx.IsSigned
 				ctx.Data["LicensedReadOnly"] = true
 				// Continue — don't block access.
 			} else {