From 3ad37e48e1424b5fb9dcb692d669a27bb8c238d4 Mon Sep 17 00:00:00 2001
From: Jonathan Miller
Date: Tue, 2 Jun 2026 09:57:29 -0500
Subject: [PATCH] fix(security): return 403 for all users on private repos, not 404

Both anonymous and signed-in users now get 403 Access Denied when accessing a private repo they lack permission for. Previously anonymous users got 404 which hid the repo's existence.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 services/context/repo.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/services/context/repo.go b/services/context/repo.go
index 1084f5ce9c..a710a3f80f 100644
--- a/services/context/repo.go
+++ b/services/context/repo.go
@@ -455,7 +455,7 @@ func repoAssignmentLegacy(ctx *Context, data *repoAssignmentPrepareDataStruct) {
 return
 }
 } else {
- ctx.NotFound(nil)
+ ctx.HTTPError(http.StatusForbidden, "You do not have permission to access this repository")
 return
 }
 }
-- 
2.52.0
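Review bot: Returning 403 at `ctx.HTTPError(http.StatusForbidden, ...)` lets a caller without access tell a private repository that exists from a name that does not, assuming missing repositories still answer 404 elsewhere in this path (not visible in the hunk), so the status code confirms the existence of private owner/repo names. The commit message itself notes that the previous 404 hid the repo's existence, which is the property worth keeping; I would keep `ctx.NotFound(nil)` here, at least for anonymous requests, and document it with `// 404, not 403: do not confirm that a private repository exists`. If a clearer message for signed-in users is wanted, it should appear only where the caller is already entitled to know the repository exists, and a test should assert that the no-access and nonexistent-repo responses are identical. repoAssignmentLegacy begins and ends outside this hunk, so the condition guarding this else branch could not be checked.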