From 7f3785e7de0158b1b66c97672b8b1a8ca618d73f Mon Sep 17 00:00:00 2001
From: Jonathan Miller
Date: Thu, 11 Jun 2026 15:26:52 -0500
Subject: [PATCH] fix: return 404 for update feeds when update server is disabled (#589)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The RepoAssignmentPublicFeed middleware did not check LicensingEnabled, so feed endpoints responded with valid data even when the feature was disabled. Now checks the effective config (repo → org cascade) and returns 404 when neither level has LicensingEnabled=true.

Co-Authored-By: Moko Consulting
---
 services/context/repo_public_feed.go | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/services/context/repo_public_feed.go b/services/context/repo_public_feed.go
index 785353eb88..55e601f230 100644
--- a/services/context/repo_public_feed.go
+++ b/services/context/repo_public_feed.go
@@ -42,11 +42,16 @@ func RepoAssignmentPublicFeed() func(ctx *Context) {
 repo.Owner = owner
 ctx.Repo.Repository = repo
- // Load update config for platform-aware routing.
- repoUpdateCfg, _ := updateserver_model.GetRepoConfig(ctx, repo.ID)
- if repoUpdateCfg != nil {
- ctx.Data["RepoUpdatePlatform"] = repoUpdateCfg.Platform
- } else {
+ // Check if the update server is enabled (repo config → org config).
+ // Return 404 when neither level has LicensingEnabled=true.
+ cfg := updateserver_model.GetEffectiveConfig(ctx, owner.ID, repo.ID)
+ if cfg == nil || !cfg.LicensingEnabled {
+ ctx.NotFound(nil)
+ return
+ }
+
+ ctx.Data["RepoUpdatePlatform"] = cfg.Platform
+ if cfg.Platform == "" {
 ctx.Data["RepoUpdatePlatform"] = "joomla"
 }
-- 
2.52.0
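Review bot: The new gate at `cfg == nil || !cfg.LicensingEnabled` treats every nil result as "disabled", and `GetEffectiveConfig` is called here with a single return value, so a lookup that fails inside it (if it can fail) is indistinguishable from a feed that is switched off. Failing closed is the right direction for this check, but it should be stated next to the condition, e.g. `// Fails closed: a nil config (none found, or lookup failed) is treated as disabled.`, and the helper is the place to log the underlying error. The comment's "neither level" wording also implies that an org-level `LicensingEnabled=true` serves feeds for a repository whose own config has it off; if a repo-level off is meant to win, this condition does not enforce it, so the precedence deserves one explicit sentence in the comment and a regression test for the disabled case. The enclosing closure in `RepoAssignmentPublicFeed` starts and ends outside the hunk.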