diff --git a/app/controllers/projects/group_links_controller.rb b/app/controllers/projects/group_links_controller.rb
index 7b6f07465e0..2994d8c9666 100644
--- a/app/controllers/projects/group_links_controller.rb
+++ b/app/controllers/projects/group_links_controller.rb
@@ -1,6 +1,7 @@
 class Projects::GroupLinksController < Projects::ApplicationController
   layout 'project_settings'
   before_action :authorize_admin_project!
+  before_action :authorize_admin_project_member!, only: [:update]
   def index
     @group_links = project.project_group_links.all
@@ -21,7 +22,6 @@ class Projects::GroupLinksController < Projects::ApplicationController
   def update
     @group_link = @project.project_group_links.find(params[:id])
-    return render_403 unless can?(current_user, :admin_project_member, @project)
     @group_link.update_attributes(group_link_params)
   end
diff --git a/app/controllers/projects/project_members_controller.rb b/app/controllers/projects/project_members_controller.rb
index eb1bf445a7d..870dc8abbd4 100644
--- a/app/controllers/projects/project_members_controller.rb
+++ b/app/controllers/projects/project_members_controller.rb
@@ -19,8 +19,7 @@ class Projects::ProjectMembersController < Projects::ApplicationController
       @groups = @project.project_group_links.where(group_id: group_ids)
     end
-    @project_members = @project_members.order('access_level DESC')
-    @project_members = @project_members.page(params[:page])
+    @project_members = @project_members.order(access_level: :desc).page(params[:page])
     @requesters = AccessRequestsFinder.new(@project).execute(current_user)
@@ -40,6 +39,8 @@ class Projects::ProjectMembersController < Projects::ApplicationController
     groups = Group.where(id: group_ids)
     groups.each do |group|
+      next unless can?(current_user, :read_group, group)
+
       project.project_group_links.create(
         group: group,
         group_access: params[:access_level],
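Review bot: The new `before_action :authorize_admin_project_member!, only: [:update]` in group_links_controller.rb replaces the inline `return render_403 unless can?(current_user, :admin_project_member, @project)` removed in the second hunk, but the filter is not defined anywhere in this diff, so it must resolve in the parent controller; if it does not, a non-privileged request to `update` would fail with an error instead of a clean denial, so a request spec asserting the denied response for that case is worth keeping alongside this change. The denial response may also differ: the old path rendered 403 explicitly, while the shared filter presumably goes through the controller's generic access-denied handling — confirm the resulting status matches what clients and existing tests expect. `only: [:update]` preserves the previous scope of the member-admin check; if the controller has other actions that write group links (outside these hunks), consider whether they should be held to the same permission rather than only `authorize_admin_project!`. The class body continues outside both hunks.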