From 5d23c885eda54917078182b6f01441b15a517c1e Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 1 Jun 2023 01:06:17 +0800
Subject: [PATCH] Fix users cannot visit issue attachment bug (#25019)

Caused by #24362

Co-authored-by: Giteabot <teabot@gitea.io>
---
 routers/web/repo/attachment.go       | 5 -----
 tests/integration/attachment_test.go | 3 +++
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/routers/web/repo/attachment.go b/routers/web/repo/attachment.go
index fb95e63ecf..dd24248024 100644
--- a/routers/web/repo/attachment.go
+++ b/routers/web/repo/attachment.go
@@ -110,11 +110,6 @@ func ServeAttachment(ctx *context.Context, uuid string) {
 			return
 		}
 	} else { // If we have the repository we check access
-		context.CheckRepoScopedToken(ctx, repository)
-		if ctx.Written() {
-			return
-		}
-
 		perm, err := access_model.GetUserRepoPermission(ctx, repository, ctx.Doer)
 		if err != nil {
 			ctx.Error(http.StatusInternalServerError, "GetUserRepoPermission", err.Error())
diff --git a/tests/integration/attachment_test.go b/tests/integration/attachment_test.go
index a92814ecee..ff62726487 100644
--- a/tests/integration/attachment_test.go
+++ b/tests/integration/attachment_test.go
@@ -89,6 +89,9 @@ func TestCreateIssueAttachment(t *testing.T) {
 	// Validate that attachment is available
 	req = NewRequest(t, "GET", "/attachments/"+uuid)
 	session.MakeRequest(t, req, http.StatusOK)
+
+	// anonymous visit should be allowed because user2/repo1 is a public repository
+	MakeRequest(t, req, http.StatusOK)
 }
 
 func TestGetAttachment(t *testing.T) {
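Review bot: The "anonymous" request on the added `MakeRequest(t, req, http.StatusOK)` line reuses the `req` that was just passed to `session.MakeRequest`. If that helper attaches the session cookies to the request object (its body is not visible here), the second call is still authenticated and the test would pass even with the bug present. Building a fresh request first avoids this: `req = NewRequest(t, "GET", "/attachments/"+uuid)`. The test also asserts only the allow path; since this commit removes the `CheckRepoScopedToken` call from `ServeAttachment`, it would be worth adding a negative case that an anonymous GET for an attachment in a private repository is still refused, so the remaining `GetUserRepoPermission` check is pinned by a test. `TestCreateIssueAttachment` begins outside this hunk.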