diff --git a/app/controllers/at_who_controller.rb b/app/controllers/at_who_controller.rb
index 37d166827..387d62de8 100644
--- a/app/controllers/at_who_controller.rb
+++ b/app/controllers/at_who_controller.rb
@@ -51,8 +51,7 @@ class AtWhoController < ApplicationController
 end
 def repositories
- repositories =
- @team.repositories.limit(Rails.configuration.x.repositories_limit)
+ repositories = Repository.accessible_by_teams(@team)
 respond_to do |format|
 format.json do
 render json: {
diff --git a/app/services/smart_annotations/permission_eval.rb b/app/services/smart_annotations/permission_eval.rb
index f53ce8b27..58f30c7ee 100644
--- a/app/services/smart_annotations/permission_eval.rb
+++ b/app/services/smart_annotations/permission_eval.rb
@@ -26,7 +26,8 @@ module SmartAnnotations
 def validate_rep_item_permissions(user, team, object)
 if object.repository
- return object.repository.team.id == team.id &&
+ return (object.repository.team.id == team.id ||
+ object.repository.team_repositories.where(team_id: team.id).take[:team_id] == team.id) &&
 can_read_repository?(user, object.repository)
 end
@@ -35,7 +36,9 @@ module SmartAnnotations
 # evaluate to false if repository not found
 return false unless repository
- repository.team.id == team && can_read_repository?(user, repository)
+ (repository.team.id == team.id ||
+ repository.team_repositories.where(team_id: team.id).take[:team_id] == team.id) &&
+ can_read_repository?(user, repository)
 end
 end
 end
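Review bot: The new line `repositories = Repository.accessible_by_teams(@team)` drops the `.limit(Rails.configuration.x.repositories_limit)` cap the old query carried, so this JSON action can now return every owned and shared repository for the team in a single response. If the cap was meant to bound the response size, keep it on the new scope: `repositories = Repository.accessible_by_teams(@team).limit(Rails.configuration.x.repositories_limit)`. The `accessible_by_teams` scope is defined outside this diff, so confirm that it, or the rest of the action (which continues past the hunk), returns only repositories the current user is allowed to read.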
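Review bot: In the new condition of `validate_rep_item_permissions`, `team_repositories.where(team_id: team.id).take` returns nil when the repository is not shared with the team, so `[:team_id]` raises NoMethodError in exactly the case that should evaluate to false. Whether that fails closed depends on what the callers rescue, which is not visible here; an unhandled exception would break processing of any text that holds an annotation pointing at a repository the team cannot reach. Use an existence check instead, `object.repository.team_repositories.exists?(team_id: team.id)`, which also removes the redundant `== team.id` comparison after the `where`. The hunk at `-35,7 +36,9` repeats the same expression on `repository` and needs the same change; since both methods now carry the same owner-or-shared test, a small private helper would keep them from drifting apart.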