services/context/repo.go

@@ -453,12 +453,11 @@ func repoAssignmentLegacy(ctx *Context, data *repoAssignmentPrepareDataStruct) {
 			reqPath := ctx.Req.URL.Path
 			isDownloadPath := strings.Contains(reqPath, "/releases/") || strings.Contains(reqPath, "/archive/")
 			if isDownloadPath {
-				if orgCfg != nil && (orgCfg.DownloadGating == "" || orgCfg.DownloadGating == "none") {
-					downloadsPublic = true
-				}
-				if repoCfg != nil && (repoCfg.DownloadGating == "" || repoCfg.DownloadGating == "none") {
-					downloadsPublic = true
-				}
+				// Allow anonymous access to download paths — the actual gating
+				// is done by CheckDownloadGating in the handler, which checks
+				// the stream (stable vs prerelease) and validates the key.
+				// RepoAssignment just needs to let the request through.
+				downloadsPublic = true
 			}
 
 			if ctx.IsSigned || hasKey || downloadsPublic {