diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index d67bd28b80..5f22e099e0 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -199,7 +199,12 @@ func repoAssignment() func(ctx *context.APIContext) {
 return
 }
 
- ctx.Repo.Permission.AccessMode = perm_model.AccessModeAdmin
+ if task.IsForkPullRequest {
+ ctx.Repo.Permission.AccessMode = perm_model.AccessModeRead
+ } else {
+ ctx.Repo.Permission.AccessMode = perm_model.AccessModeWrite
+ }
+
 if err := ctx.Repo.Repository.LoadUnits(ctx); err != nil {
 ctx.Error(http.StatusInternalServerError, "LoadUnits", err)
 return
diff --git a/routers/web/repo/http.go b/routers/web/repo/http.go
index 8c3e25c273..efb61174c4 100644
--- a/routers/web/repo/http.go
+++ b/routers/web/repo/http.go
@@ -199,12 +199,25 @@ func httpBase(ctx *context.Context) (h *serviceHandler) {
 ctx.PlainText(http.StatusForbidden, "User permission denied")
 return
 }
+
+ if task.IsForkPullRequest {
+ if accessMode > perm.AccessModeRead {
+ ctx.PlainText(http.StatusForbidden, "User permission denied")
+ return
+ }
+ } else {
+ if accessMode > perm.AccessModeWrite {
+ ctx.PlainText(http.StatusForbidden, "User permission denied")
+ return
+ }
+ }
 } else {
 p, err := access_model.GetUserRepoPermission(ctx, repo, ctx.Doer)
 if err != nil {
 ctx.ServerError("GetUserRepoPermission", err)
 return
 }
+
 if !p.CanAccess(accessMode, unitType) {
 ctx.PlainText(http.StatusForbidden, "User permission denied")
 return
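Review bot: The added `if task.IsForkPullRequest` branch in repoAssignment has no comment saying why the task token drops from Admin to Read or Write, which makes it easy for a later refactor to widen it again. Assuming the intent is that fork pull request tasks run code the repository does not control, I would add above it `// Task tokens are capped: read-only when the task comes from a fork pull request, write otherwise; never admin.` The same fork → read, otherwise → write mapping is repeated in the httpBase hunk of routers/web/repo/http.go, so a single helper returning the ceiling for a task would keep the API and git-over-HTTP paths from drifting apart. The enclosing function continues outside the hunk, so it is worth confirming that any per-unit access modes set after `LoadUnits` are derived from the reduced value and not from a separate constant.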
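Review bot: The two added branches in httpBase differ only in the ceiling they compare `accessMode` against and repeat the 403 response that already sits just above them; computing the ceiling once and comparing once is easier to audit. Both refusals also return the same "User permission denied" text as every other denial, so a comment naming the reason (task token capped for fork pull requests) would help whoever later investigates a rejected push from a workflow. httpBase starts and ends outside the hunk, so the values `accessMode` can take here are not visible; if it is only ever read or write, the non-fork comparison can never fire and the comment should say that it is a defensive upper bound.

```go
// … unchanged: task lookup and the preceding permission check …

// Task tokens are capped: read-only for fork pull requests, write otherwise.
maxMode := perm.AccessModeWrite
if task.IsForkPullRequest {
	maxMode = perm.AccessModeRead
}
if accessMode > maxMode {
	ctx.PlainText(http.StatusForbidden, "User permission denied")
	return
}
```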