From 01011f61157a80df9a46f72dc2fbbb3d93ee08f4 Mon Sep 17 00:00:00 2001
From: Jonathan Miller <jmiller-moko@noreply.git.mokoconsulting.tech>
Date: Tue, 2 Jun 2026 15:25:28 -0500
Subject: [PATCH] fix(licenses): allow anonymous downloads when
 download_gating=none on private repos

RepoAssignment now checks the download_gating setting. When set to
"none" (all downloads public), anonymous users can access release
downloads on licensed private repos without a key.

Previously, anonymous users always got 403 on private repos even
when download gating was set to public.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 services/context/repo.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/services/context/repo.go b/services/context/repo.go
index 9bb4240ec2..67e0c70811 100644
--- a/services/context/repo.go
+++ b/services/context/repo.go
@@ -447,7 +447,16 @@ func repoAssignmentLegacy(ctx *Context, data *repoAssignmentPrepareDataStruct) {
 			// Check if a license key is provided in query params (for Joomla/WP clients).
 			hasKey := ctx.FormString("dlid") != "" || ctx.FormString("key") != "" || ctx.FormString("download_key") != ""
 
-			if ctx.IsSigned || hasKey {
+			// Check if downloads are set to public (download_gating=none means no key needed).
+			downloadsPublic := false
+			if orgCfg != nil && (orgCfg.DownloadGating == "" || orgCfg.DownloadGating == "none") {
+				downloadsPublic = true
+			}
+			if repoCfg != nil && (repoCfg.DownloadGating == "" || repoCfg.DownloadGating == "none") {
+				downloadsPublic = true
+			}
+
+			if ctx.IsSigned || hasKey || downloadsPublic {
 				// Grant read-only access — downloads gated by CheckDownloadGating handler.
 				ctx.Data["LicensingEnabled"] = licensingEnabled
 				ctx.Data["HideReleaseDownloads"] = !hasKey && !ctx.IsSigned
-- 
2.52.0