From 963fa6d38463326b31ff17d68c73c7a6b1f087a0 Mon Sep 17 00:00:00 2001
From: Jonathan Miller <jmiller-moko@noreply.git.mokoconsulting.tech>
Date: Tue, 2 Jun 2026 15:50:23 -0500
Subject: [PATCH] fix(licenses): always allow anonymous download path access on
 licensed repos

RepoAssignment now always grants LicensedReadOnly for download
paths (/releases/, /archive/) on licensed repos. The actual
download gating (none/prerelease/all) is enforced by
CheckDownloadGating in the handler.

Previously only download_gating=none allowed anonymous access.
Now prerelease gating also allows through (CheckDownloadGating
blocks non-stable downloads without a key).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 services/context/repo.go | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/services/context/repo.go b/services/context/repo.go
index 977d5e37bb..957c27ed0d 100644
--- a/services/context/repo.go
+++ b/services/context/repo.go
@@ -453,12 +453,11 @@ func repoAssignmentLegacy(ctx *Context, data *repoAssignmentPrepareDataStruct) {
 			reqPath := ctx.Req.URL.Path
 			isDownloadPath := strings.Contains(reqPath, "/releases/") || strings.Contains(reqPath, "/archive/")
 			if isDownloadPath {
-				if orgCfg != nil && (orgCfg.DownloadGating == "" || orgCfg.DownloadGating == "none") {
-					downloadsPublic = true
-				}
-				if repoCfg != nil && (repoCfg.DownloadGating == "" || repoCfg.DownloadGating == "none") {
-					downloadsPublic = true
-				}
+				// Allow anonymous access to download paths — the actual gating
+				// is done by CheckDownloadGating in the handler, which checks
+				// the stream (stable vs prerelease) and validates the key.
+				// RepoAssignment just needs to let the request through.
+				downloadsPublic = true
 			}
 
 			if ctx.IsSigned || hasKey || downloadsPublic {
-- 
2.52.0