diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 150a4ead45d..1e0a7ec253a 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -130,7 +130,14 @@ module Gitlab
         if actor
           token_handler = Gitlab::LfsToken.new(actor)
 
-          Result.new(actor, nil, token_handler.type, read_authentication_abilities) if Devise.secure_compare(token_handler.value, password)
+          authentication_abilities =
+            if token_handler.user?
+              full_authentication_abilities
+            else
+              read_authentication_abilities
+            end
+
+          Result.new(actor, nil, token_handler.type, authentication_abilities) if Devise.secure_compare(token_handler.value, password)
         end
       end
 
diff --git a/lib/gitlab/lfs_token.rb b/lib/gitlab/lfs_token.rb
index f492754b1c8..d089a2f9b0b 100644
--- a/lib/gitlab/lfs_token.rb
+++ b/lib/gitlab/lfs_token.rb
@@ -33,6 +33,10 @@ module Gitlab
       end
     end
 
+    def user?
+      actor.is_a?(User)
+    end
+
     def type
       actor.is_a?(User) ? :lfs_token : :lfs_deploy_token
     end