diff --git a/app/models/concerns/assignable.rb b/app/models/concerns/assignable.rb
index 582d75340..42f8e511f 100644
--- a/app/models/concerns/assignable.rb
+++ b/app/models/concerns/assignable.rb
@@ -41,6 +41,30 @@ module Assignable
       User.where(id: direct_user_ids).or(User.where(id: group_user_ids)).or(User.where(id: team_user_ids))
     end
 
+    def users_with_permission(permission, teams = Team.all)
+      permitted_individual_assignments = user_assignments.joins(:user_role).where(team: teams).where(
+        'user_roles.permissions @> ARRAY[?]::varchar[]', [permission]
+      )
+
+      disallowed_assignments = user_assignments.joins(:user_role).where(team: teams).where(
+        'NOT(user_roles.permissions @> ARRAY[?]::varchar[])', [permission]
+      )
+
+      permitted_user_group_assignments = user_group_assignments.joins(:user_role, user_group: { user_group_memberships: :user }).where(team: teams).where(
+        'user_roles.permissions @> ARRAY[?]::varchar[]', [permission]
+      )
+
+      permitted_team_assignments = team_assignments.joins(:user_role, team: { user_assignments: :user }).where(team: teams).where(
+        'user_roles.permissions @> ARRAY[?]::varchar[]', [permission]
+      )
+
+      User.where(id: permitted_individual_assignments.select(:user_id)).or(
+        User.where(id: permitted_user_group_assignments.select('user_group_memberships.user_id')).or(
+          User.where(id: permitted_team_assignments.select('user_assignments.user_id'))
+        )
+      ).where.not(id: disallowed_assignments.select(:user_id))
+    end
+
     def default_public_user_role_id(current_team = nil)
       if team_assignments.loaded?
         team_assignments.find { |ta| ta.team_id == (current_team || team).id }&.user_role_id
diff --git a/app/notifications/recipients/due_date_recipients.rb b/app/notifications/recipients/due_date_recipients.rb
index 38c206637..7f568f360 100644
--- a/app/notifications/recipients/due_date_recipients.rb
+++ b/app/notifications/recipients/due_date_recipients.rb
@@ -14,10 +14,7 @@ module Recipients
                            end
       return User.none unless record
 
-      User.where(id: record.user_assignments
-                           .joins(:user_role)
-                           .where('? = ANY(user_roles.permissions)', permission)
-                           .select(:user_id))
+      record.users_with_permission(permission)
     end
   end
 end
diff --git a/app/notifications/recipients/repository_item_recipients.rb b/app/notifications/recipients/repository_item_recipients.rb
index bf1f0ad85..f89a0ab28 100644
--- a/app/notifications/recipients/repository_item_recipients.rb
+++ b/app/notifications/recipients/repository_item_recipients.rb
@@ -6,7 +6,7 @@ class Recipients::RepositoryItemRecipients
   end
 
   def recipients
-    repository_row = RepositoryRow.find(@repository_row_id)
-    repository_row.repository.team.users
+    repository = RepositoryRow.find(@repository_row_id).repository
+    repository.users_with_permission(RepositoryPermissions::READ, repository.team)
   end
 end