From 628216d5889fcb838c471f4754f09b935d9cd9f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E1=B4=8A=E1=B4=8F=E1=B4=87=20=E1=B4=84=CA=9C=E1=B4=87?= =?UTF-8?q?=C9=B4?=
Date: Sat, 31 Jan 2026 14:40:39 -0500
Subject: [PATCH] security: require authentication for attachment uploads (#8128)

https://github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f

Co-authored-by: Claude Opus 4.5
---
 internal/cmd/web.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/internal/cmd/web.go b/internal/cmd/web.go
index a1450809f..919b99b25 100644
--- a/internal/cmd/web.go
+++ b/internal/cmd/web.go
@@ -329,9 +329,12 @@ func runWeb(c *cli.Context) error {
 return
 }
 })
+ }, ignSignIn)
+
+ m.Group("", func() {
 m.Post("/issues/attachments", repo.UploadIssueAttachment)
 m.Post("/releases/attachments", repo.UploadReleaseAttachment)
- }, ignSignIn)
+ }, reqSignIn)
 
 m.Group("/:username", func() {
 m.Post("/action/:action", user.Action)
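Review bot: The new `m.Group("", func() { … }, reqSignIn)` block carries no comment explaining why the two attachment POST routes are split out of the preceding `ignSignIn` group, so a later tidy-up could fold them back and reopen unauthenticated uploads; I would add `// Attachment uploads require a signed-in user (GHSA-fc3h-92p8-h36f); keep them out of the ignSignIn group.` directly above it. `reqSignIn` only establishes that a session exists, and these routes have no repository in their path, so as far as this hunk shows any registered account can still upload; it is worth confirming that `repo.UploadIssueAttachment` and `repo.UploadReleaseAttachment` (not visible here) enforce the configured size and type limits, particularly on instances with open registration. The commit also adds no test, and a route-level test asserting that an anonymous POST to both endpoints is rejected would pin the fix against regression. `runWeb` begins and continues outside the hunk.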