diff --git a/routers/web/web.go b/routers/web/web.go
index 6c2ce3907c..64675d081a 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -1522,20 +1522,20 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) {
 	// end "/{username}/{reponame}": update server
 
 	// "/{username}/{reponame}": licenses page
+	// Note: page visibility is controlled by LicensingEnabled (org config).
+	// Write permissions are checked in handlers via CanWrite(TypeLicenses).
 	m.Group("/{username}/{reponame}/licenses", func() {
 		m.Get("", repo.Licenses)
-		m.Group("", func() {
-			m.Post("/packages", repo.LicensesCreatePackage)
-			m.Get("/packages/{id}/edit", repo.LicensesEditPackage)
-			m.Post("/packages/{id}/edit", repo.LicensesEditPackagePost)
-			m.Post("/packages/{id}/delete", repo.LicensesDeletePackage)
-			m.Post("/keys/generate", repo.LicensesGenerateKey)
-			m.Get("/keys/{id}/edit", repo.LicensesEditKey)
-			m.Post("/keys/{id}/edit", repo.LicensesEditKeyPost)
-			m.Post("/keys/{id}/revoke", repo.LicensesRevokeKey)
-			m.Post("/keys/{id}/renew", repo.LicensesRenewKey)
-		}, context.RequireUnitWriter(unit.TypeLicenses))
-	}, optSignIn, context.RepoAssignment, context.RequireUnitReader(unit.TypeLicenses))
+		m.Post("/packages", repo.LicensesCreatePackage)
+		m.Get("/packages/{id}/edit", repo.LicensesEditPackage)
+		m.Post("/packages/{id}/edit", repo.LicensesEditPackagePost)
+		m.Post("/packages/{id}/delete", repo.LicensesDeletePackage)
+		m.Post("/keys/generate", repo.LicensesGenerateKey)
+		m.Get("/keys/{id}/edit", repo.LicensesEditKey)
+		m.Post("/keys/{id}/edit", repo.LicensesEditKeyPost)
+		m.Post("/keys/{id}/revoke", repo.LicensesRevokeKey)
+		m.Post("/keys/{id}/renew", repo.LicensesRenewKey)
+	}, optSignIn, context.RepoAssignment)
 	// end "/{username}/{reponame}": licenses
 
 	m.Group("/{username}/{reponame}", func() { // to maintain compatibility with old attachments