From 6c7a6e4061c39c2b2d4006f63e3ce33331e84ca5 Mon Sep 17 00:00:00 2001
From: Jonathan Miller <jmiller-moko@noreply.git.mokoconsulting.tech>
Date: Tue, 2 Jun 2026 10:23:38 -0500
Subject: [PATCH] fix(licenses): RequireUnitReader allows LicensedReadOnly
 access

RequireUnitReader now checks for LicensedReadOnly context flag
before checking standard permissions. This lets the releases
download route pass through for licensed private repos where
RepoAssignment granted read-only access via license key.

Fixes the 404 on /releases/download/ with valid dlid= param.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 services/context/permission.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/services/context/permission.go b/services/context/permission.go
index f0650e057c..22a82a777f 100644
--- a/services/context/permission.go
+++ b/services/context/permission.go
@@ -78,6 +78,10 @@ func RequireUnitWriter(unitTypes ...unit.Type) func(ctx *Context) {
 // RequireUnitReader returns a middleware for requiring repository write to one of the unit permission
 func RequireUnitReader(unitTypes ...unit.Type) func(ctx *Context) {
 	return func(ctx *Context) {
+		// Licensed read-only mode grants read access to all units.
+		if ctx.Data["LicensedReadOnly"] == true {
+			return
+		}
 		for _, unitType := range unitTypes {
 			if ctx.Repo.Permission.CanRead(unitType) {
 				return
-- 
2.52.0