diff --git a/routers/web/repo/attachment.go b/routers/web/repo/attachment.go
index fb95e63ecf..dd24248024 100644
--- a/routers/web/repo/attachment.go
+++ b/routers/web/repo/attachment.go
@@ -110,11 +110,6 @@ func ServeAttachment(ctx *context.Context, uuid string) {
 			return
 		}
 	} else { // If we have the repository we check access
-		context.CheckRepoScopedToken(ctx, repository)
-		if ctx.Written() {
-			return
-		}
-
 		perm, err := access_model.GetUserRepoPermission(ctx, repository, ctx.Doer)
 		if err != nil {
 			ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err.Error())
diff --git a/tests/integration/attachment_test.go b/tests/integration/attachment_test.go
index a92814ecee..ff62726487 100644
--- a/tests/integration/attachment_test.go
+++ b/tests/integration/attachment_test.go
@@ -89,6 +89,9 @@ func TestCreateIssueAttachment(t *testing.T) {
 	// Validate that attachment is available
 	req = NewRequest(t, "GET", "/attachments/"+uuid)
 	session.MakeRequest(t, req, http.StatusOK)
+
+	// anonymous visit should be allowed because user2/repo1 is a public repository
+	MakeRequest(t, req, http.StatusOK)
 }
 
 func TestGetAttachment(t *testing.T) {