diff --git a/modules/lfs/server.go b/modules/lfs/server.go
index 58acbb807e..188a6b8d57 100644
--- a/modules/lfs/server.go
+++ b/modules/lfs/server.go
@@ -497,12 +497,15 @@ func authenticate(ctx *context.Context, repository *models.Repository, authoriza
 		accessMode = models.AccessModeWrite
 	}
 
+	// ctx.IsSigned is unnecessary here, this will be checked in perm.CanAccess
 	perm, err := models.GetUserRepoPermission(repository, ctx.User)
 	if err != nil {
 		return false
 	}
-	if ctx.IsSigned {
-		return perm.CanAccess(accessMode, models.UnitTypeCode)
+
+	canRead := perm.CanAccess(accessMode, models.UnitTypeCode)
+	if canRead {
+		return true
 	}
 
 	user, repo, opStr, err := parseToken(authorization)