diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go
index e74857f565..ab10f8e815 100644
--- a/routers/api/packages/api.go
+++ b/routers/api/packages/api.go
@@ -136,6 +136,11 @@ func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) {
 						return
 					}
 				}
+
+				// If we have passed all checks, grant the requested access to the context
+				if ctx.Package.AccessMode < accessMode {
+					ctx.Package.AccessMode = accessMode
+				}
 			}
 		}
 
diff --git a/services/context/package.go b/services/context/package.go
index 8b722932b1..5930dd086d 100644
--- a/services/context/package.go
+++ b/services/context/package.go
@@ -101,7 +101,7 @@ func determineAccessMode(ctx *Base, pkg *Package, doer *user_model.User) (perm.A
 		return perm.AccessModeNone, nil
 	}
 
-	// TODO: ActionUser permission check
+	// ActionUser permission check is handled in reqPackageAccess to allow for repo-specific checks
 	accessMode := perm.AccessModeNone
 	if pkg.Owner.IsOrganization() {
 		org := organization.OrgFromUser(pkg.Owner)