diff --git a/app/controllers/projects/group_links_controller.rb b/app/controllers/projects/group_links_controller.rb
index 4159e53bfa9..92113b9dd87 100644
--- a/app/controllers/projects/group_links_controller.rb
+++ b/app/controllers/projects/group_links_controller.rb
@@ -7,10 +7,16 @@ class Projects::GroupLinksController < Projects::ApplicationController
   end
 
   def create
-    link = project.project_group_links.new
-    link.group_id = params[:link_group_id]
-    link.group_access = params[:link_group_access]
-    link.save
+    group = Group.find(params[:link_group_id])
+
+    if can?(current_user, :read_group, group)
+      link = project.project_group_links.new
+      link.group_id = params[:link_group_id]
+      link.group_access = params[:link_group_access]
+      link.save
+    else
+      return render_404
+    end
 
     redirect_to namespace_project_group_links_path(project.namespace, project)
   end
diff --git a/spec/controllers/projects/group_links_controller_spec.rb b/spec/controllers/projects/group_links_controller_spec.rb
new file mode 100644
index 00000000000..40bd83af861
--- /dev/null
+++ b/spec/controllers/projects/group_links_controller_spec.rb
@@ -0,0 +1,50 @@
+require 'spec_helper'
+
+describe Projects::GroupLinksController do
+  let(:project) { create(:project, :private) }
+  let(:group) { create(:group, :private) }
+  let(:user) { create(:user) }
+
+  before do
+    project.team << [user, :master]
+    sign_in(user)
+  end
+
+  describe '#create' do
+    shared_context 'link project to group' do
+      before do
+        post(:create, namespace_id: project.namespace.to_param,
+                      project_id: project.to_param,
+                      link_group_id: group.id,
+                      link_group_access: ProjectGroupLink.default_access)
+      end
+    end
+
+    context 'when user has access to group he want to link project to' do
+      before { group.add_developer(user) }
+      include_context 'link project to group'
+
+      it 'links project with selected group' do
+        expect(group.shared_projects).to include project
+      end
+
+      it 'redirects to project group links page'do
+        expect(response).to redirect_to(
+          namespace_project_group_links_path(project.namespace, project)
+        )
+      end
+    end
+
+    context 'when user doers not have access to group he want to link to' do
+      include_context 'link project to group'
+
+      it 'renders 404' do
+        expect(response.status).to eq 404
+      end
+
+      it 'does not share project with that group' do
+        expect(group.shared_projects).to_not include project
+      end
+    end
+  end
+end