diff --git a/services/context/repo.go b/services/context/repo.go
index 36c3d37025..7c294c5f57 100644
--- a/services/context/repo.go
+++ b/services/context/repo.go
@@ -435,6 +435,13 @@ func repoAssignmentLegacy(ctx *Context, data *repoAssignmentPrepareDataStruct) {
 			EarlyResponseForGoGetMeta(ctx)
 			return
 		}
+		// For signed-in users, show "access denied" instead of 404
+		// so they know the repo exists but they lack permission.
+		// Anonymous users still get 404 to prevent repo enumeration.
+		if ctx.IsSigned {
+			ctx.HTTPError(http.StatusForbidden, "You do not have permission to access this repository")
+			return
+		}
 		ctx.NotFound(nil)
 		return
 	}