From 05a3e8572cb5d4bdf72b4e35f17c264fca2461d5 Mon Sep 17 00:00:00 2001
From: Giteabot
Date: Thu, 1 Jun 2023 13:22:26 -0400
Subject: [PATCH] Fix users cannot visit issue attachment bug (#25019) (#25027)
Backport #25019 by @lunny
Caused by #24362
Co-authored-by: Lunny Xiao
Co-authored-by: John Olheiser
(cherry picked from commit 73ae6b21d1b993e9936224b79b0bc743dbf382fc)
---
 routers/web/repo/attachment.go | 5 -----
 tests/integration/attachment_test.go | 3 +++
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/routers/web/repo/attachment.go b/routers/web/repo/attachment.go
index 1cf50627a9..c6d8828fac 100644
--- a/routers/web/repo/attachment.go
+++ b/routers/web/repo/attachment.go
@@ -110,11 +110,6 @@ func GetAttachment(ctx *context.Context) {
 return
 }
 } else { // If we have the repository we check access
- context.CheckRepoScopedToken(ctx, repository)
- if ctx.Written() {
- return
- }
-
 perm, err := access_model.GetUserRepoPermission(ctx, repository, ctx.Doer)
 if err != nil {
 ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err.Error())
diff --git a/tests/integration/attachment_test.go b/tests/integration/attachment_test.go
index a92814ecee..ff62726487 100644
--- a/tests/integration/attachment_test.go
+++ b/tests/integration/attachment_test.go
@@ -89,6 +89,9 @@ func TestCreateIssueAttachment(t *testing.T) {
 // Validate that attachment is available
 req = NewRequest(t, "GET", "/attachments/"+uuid)
 session.MakeRequest(t, req, http.StatusOK)
+
+ // anonymous visit should be allowed because user2/repo1 is a public repository
+ MakeRequest(t, req, http.StatusOK)
 }

 func TestGetAttachment(t *testing.T) {
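Review bot: With `context.CheckRepoScopedToken(ctx, repository)` removed from the repository branch of GetAttachment, the only gate left in this hunk is `access_model.GetUserRepoPermission`, which is passed the doer and not the credential. CheckRepoScopedToken is defined outside this patch, so this is inferred from its name: a request authenticated with a narrowly scoped access token may now be served any attachment its owner can read, whatever the token's scope. If that is intended for the web route, record it at the branch, e.g. `// Token scope is not enforced here; access is decided by GetUserRepoPermission alone.`; otherwise keep the call and skip it only for requests that carry no token. GetAttachment begins and ends outside the hunk, so the later permission handling could not be checked.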
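Review bot: The added anonymous check reuses the `req` that was just passed to `session.MakeRequest`, so it is only anonymous if that helper leaves the request untouched; the helper is not shown here, and if it attaches the session's cookies to `req`, the second call still runs as the logged-in user. Build a fresh request first: `req = NewRequest(t, "GET", "/attachments/"+uuid)` before `MakeRequest(t, req, http.StatusOK)`. The test also covers only the public-repository case. Since the same commit drops an access check, an anonymous request for an attachment in a private repository that expects a denial would guard against the opposite regression.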