From 0add8bda72f3c975d1252b35deead04fc3c46468 Mon Sep 17 00:00:00 2001
From: Jonathan Miller
Date: Tue, 2 Jun 2026 09:26:21 -0500
Subject: [PATCH] fix(security): show 403 Access Denied instead of 404 for signed-in users on private repos

Signed-in users who lack permission to a private repo now see a 403 "You do not have permission" instead of a misleading 404. Anonymous users still get 404 to prevent repo enumeration.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 services/context/repo.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/services/context/repo.go b/services/context/repo.go
index 36c3d37025..7c294c5f57 100644
--- a/services/context/repo.go
+++ b/services/context/repo.go
@@ -435,6 +435,13 @@ func repoAssignmentLegacy(ctx *Context, data *repoAssignmentPrepareDataStruct) {
 EarlyResponseForGoGetMeta(ctx)
 return
 }
+ // For signed-in users, show "access denied" instead of 404
+ // so they know the repo exists but they lack permission.
+ // Anonymous users still get 404 to prevent repo enumeration.
+ if ctx.IsSigned {
+ ctx.HTTPError(http.StatusForbidden, "You do not have permission to access this repository")
+ return
+ }
 ctx.NotFound(nil)
 return
 }
--
2.52.0
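Review bot: The new `if ctx.IsSigned` branch confirms to every authenticated account that a private repository exists, which on an instance with open registration is the same enumeration the comment directly above it says the 404 prevents — distinguishing anonymous from signed-in only helps where sign-up is restricted. Consider keeping `ctx.NotFound(nil)` as the default for signed-in users too and returning 403 only where existence is already known to the viewer (for example a member of the owning organization, if such a check is available in this package), or gating the behaviour behind an admin-controlled setting; in either case the comment should state the trade-off plainly, e.g. `// Signed-in users get 403 here, so any registered account can confirm this repository exists.` The enclosing function repoAssignmentLegacy starts outside the hunk, so whether this path is reached only for the no-permission case on private repositories cannot be confirmed from here.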