diff --git a/services/web/app/src/Features/Compile/PythonVenvGate.mjs b/services/web/app/src/Features/Compile/PythonVenvGate.mjs
index fb890ef28b..206098d0c4 100644
--- a/services/web/app/src/Features/Compile/PythonVenvGate.mjs
+++ b/services/web/app/src/Features/Compile/PythonVenvGate.mjs
@@ -4,10 +4,11 @@ import AuthorizationManager from '../Authorization/AuthorizationManager.mjs'

 // Whether this user may have the compiler install a project's requirements.txt
 // into a cached venv (so Quarto's Python cells can use libraries beyond the
-// bundled base set). Gated to the project owner + invited collaborators (any
-// role): ignorePublicAccess excludes link-sharing/public and anonymous users,
-// who fall back to the base Python interpreter. Returns false when the feature
-// is disabled or the privilege check fails.
+// bundled base set). Allowed for any user who can access the project — owner,
+// invited collaborators, token-link users, and public-project readers — since
+// the set of packages to install is already controlled by requirements.vrf
+// (writable only by project members with write access). Returns false when the
+// feature is disabled, the privilege check fails, or the user has no access.
 export async function userCanInstallPython(userId, projectId) {
 if (!Settings.enableProjectPythonVenv) {
 return false
@@ -17,8 +18,7 @@ export async function userCanInstallPython(userId, projectId) {
 await AuthorizationManager.promises.getPrivilegeLevelForProject(
 userId,
 projectId,
- null,
- { ignorePublicAccess: true }
+ null
 )
 return Boolean(privilegeLevel)
 } catch (err) {
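Review bot: The rewritten comment names `requirements.vrf` as the file that controls the package set, while its own first line says the compiler installs `requirements.txt`. If these are the same file, the line should read `// the set of packages to install is already controlled by requirements.txt`; if `.vrf` is a separate manifest, the comment should say how the two relate. The rationale also covers only who chooses the packages, not who can trigger the install. Because the comment is the only record of this trust decision, it should state that read-only and anonymous viewers can now start an install and name whatever control bounds that.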
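Review bot: With `{ ignorePublicAccess: true }` removed, `Boolean(privilegeLevel)` accepts any truthy level, so read-only public viewers, and presumably anonymous callers when `userId` is null, can now make the compiler build a venv and fetch packages. Write access to the requirements file limits what is installed, but nothing visible in this hunk limits how often an install is triggered or confirms that such users are served from the cached venv. Consider letting only project members trigger the install while public viewers reuse an already-built venv, or point to the rate limit that covers this path. Separately, the third argument stays `null`; if that parameter is the link-sharing token, anonymous token-link users will still get no privilege level, despite the comment listing them as allowed. The try block and the rest of the function continue outside the hunk.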