diff --git a/routers/repo/attachment.go b/routers/repo/attachment.go
index 830f193ee..6fa89420d 100755
--- a/routers/repo/attachment.go
+++ b/routers/repo/attachment.go
@@ -151,18 +151,19 @@ func DownloadUserIsOrgOrCollaboration(ctx *context.Context, attach *models.Attac
 log.Info("query repo error.")
 } else {
 repo.GetOwner()
- if repo.Owner.IsOrganization() {
- //log.Info("ower is org.")
- if repo.Owner.IsUserPartOfOrg(ctx.User.ID) {
- log.Info("org user may visit the attach.")
+ if ctx.User != nil {
+ if repo.Owner.IsOrganization() {
+ if repo.Owner.IsUserPartOfOrg(ctx.User.ID) {
+ log.Info("org user may visit the attach.")
+ return true
+ }
+ }
+ isCollaborator, _ := repo.IsCollaborator(ctx.User.ID)
+ if isCollaborator {
+ log.Info("Collaborator user may visit the attach.")
 return true
 }
 }
- isCollaborator, _ := repo.IsCollaborator(ctx.User.ID)
- if isCollaborator {
- log.Info("Collaborator user may visit the attach.")
- return true
- }
 }
 }
 return false
diff --git a/routers/repo/dataset.go b/routers/repo/dataset.go
index bdadd2066..b2da4b8d8 100755
--- a/routers/repo/dataset.go
+++ b/routers/repo/dataset.go
@@ -32,13 +32,13 @@ func newFilterPrivateAttachments(ctx *context.Context, list []*models.Attachment
 repo.GetOwner()
 }
 permission := false
- if repo.Owner.IsOrganization() {
+ if repo.Owner.IsOrganization() && ctx.User != nil {
 if repo.Owner.IsUserPartOfOrg(ctx.User.ID) {
 log.Info("user is member of org.")
 permission = true
 }
 }
- if !permission {
+ if !permission && ctx.User != nil {
 isCollaborator, _ := repo.IsCollaborator(ctx.User.ID)
 if isCollaborator {
 log.Info("Collaborator user may visit the attach.")
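Review bot: The collaborator lookup in `DownloadUserIsOrgOrCollaboration` still discards its error (`isCollaborator, _ := repo.IsCollaborator(ctx.User.ID)`), so a failed lookup is indistinguishable from "not a collaborator" in this access decision. Denying on error is the safe default, but the failure should be visible: keep the error with `isCollaborator, err := repo.IsCollaborator(ctx.User.ID)` and log it before falling through to `return false`. The same discarded error sits on a context line of the `newFilterPrivateAttachments` hunk in routers/repo/dataset.go. Separately, the result of `repo.GetOwner()` is ignored just above the new guard; if that call can fail and leave `repo.Owner` unset, `repo.Owner.IsOrganization()` would presumably panic the way a nil `ctx.User` did. The function begins before this hunk, so the lookup that produces `repo` is not visible here.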
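Review bot: In `newFilterPrivateAttachments` the `ctx.User != nil` test is repeated on both conditions, whereas the attachment.go hunk wraps the same organization-member and collaborator checks in a single `if ctx.User != nil {` block. Using that one guard here as well would make the two functions read the same way and leave less room for a later edit to dereference `ctx.User.ID` outside it. Both functions decide who may see a private attachment, so it may be worth moving the decision into one shared helper that each calls, so the rules cannot drift apart. The function body starts and ends outside this hunk, so how `permission` is consumed afterwards is not visible here.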