From 95d93da2bcdddd5615a21bacfec91cefe751a472 Mon Sep 17 00:00:00 2001
From: Jonathan Miller
Date: Tue, 2 Jun 2026 10:17:06 -0500
Subject: [PATCH] fix(licenses): bypass attachment permission check for licensed downloads

ServeAttachment checks perm.CanRead(unitType) which fails for licensed read-only access on private repos. Now skips the check when LicensedReadOnly is set in context (from RepoAssignment). This allows Joomla/WordPress clients with valid dlid= params to download release files from private licensed repos.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 routers/web/repo/attachment.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/routers/web/repo/attachment.go b/routers/web/repo/attachment.go
index 3c01fc622e..66864f80ff 100644
--- a/routers/web/repo/attachment.go
+++ b/routers/web/repo/attachment.go
@@ -182,8 +182,11 @@ func ServeAttachment(ctx *context.Context, uuid string) {
 }
 if !perm.CanRead(unitType) {
- ctx.HTTPError(http.StatusNotFound)
- return
+ // Allow access for licensed read-only mode (private repo with valid license key).
+ if ctx.Data["LicensedReadOnly"] != true {
+ ctx.HTTPError(http.StatusNotFound)
+ return
+ }
 }
 if requiredScope, ok := attachmentReadScope(unitType); ok {
-- 
2.52.0
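Review bot: The licensed bypass at `if ctx.Data["LicensedReadOnly"] != true {` skips `perm.CanRead(unitType)` for every unit type, while the description only calls for release downloads, so a valid license key would also open issue and pull-request attachments of the private repo. Narrow it to the release unit, for example `if ctx.Data["LicensedReadOnly"] != true || unitType != unit.TypeReleases {` (this assumes the `unit` package is imported in this file, which the hunk does not show). The decision also rests on an untyped `ctx.Data` entry, the map used for template data, so any handler or middleware that writes that key grants read access; a typed field set only by the license validation in RepoAssignment would be harder to set by accident. ServeAttachment starts and ends outside the hunk, so it is not visible whether the attachment's repository is compared with the repository the license was validated for; that should be confirmed before relying on the flag.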