diff --git a/app/controllers/projects/group_links_controller.rb b/app/controllers/projects/group_links_controller.rb
index 3574ecf2811f9277e5b6807cc52faa68fb0a7656..7b4c39cdb8f0f94d50f6d929d630ca285cae7cb8 100644
--- a/app/controllers/projects/group_links_controller.rb
+++ b/app/controllers/projects/group_links_controller.rb
@@ -21,7 +21,7 @@ class Projects::GroupLinksController < Projects::ApplicationController
 
   def update
     @group_link = @project.project_group_links.find(params[:id])
-    return render_403 unless can?(current_user, :admin_group, @group_link.group)
+    return render_403 unless can?(current_user, :admin_project_member, @project)
 
     @group_link.update_attributes(group_link_params)
   end
diff --git a/app/views/shared/members/_group.html.haml b/app/views/shared/members/_group.html.haml
index 19b58ef20ae6ac0e725efd494e41d1e456271347..56d31a949ff16807af3ac0659f8722209562effa 100644
--- a/app/views/shared/members/_group.html.haml
+++ b/app/views/shared/members/_group.html.haml
@@ -13,11 +13,11 @@
           Expires in #{distance_of_time_in_words_to_now(group_link.expires_at)}
   .controls.member-controls
     = form_tag namespace_project_group_link_path(@project.namespace, @project, group_link), method: :put, remote: true, class: 'form-horizontal js-edit-member-form' do
-      = select_tag 'group_link[group_access]', options_for_select(ProjectGroupLink.access_options, group_link.group_access), class: 'form-control member-form-control append-right-5 js-member-update-control', id: "member_access_level_#{group.id}", disabled: !can?(current_user, action_member_permission(:admin, group), group)
+      = select_tag 'group_link[group_access]', options_for_select(ProjectGroupLink.access_options, group_link.group_access), class: 'form-control member-form-control append-right-5 js-member-update-control', id: "member_access_level_#{group.id}", disabled: !can?(current_user, :admin_project_member, @project)
       .prepend-left-5.clearable-input.member-form-control
-        = text_field_tag 'group_link[expires_at]', group_link.expires_at, class: 'form-control js-access-expiration-date js-member-update-control', placeholder: 'Expiration date', id: "member_expires_at_#{group.id}", disabled: !can?(current_user, action_member_permission(:admin, group), group)
+        = text_field_tag 'group_link[expires_at]', group_link.expires_at, class: 'form-control js-access-expiration-date js-member-update-control', placeholder: 'Expiration date', id: "member_expires_at_#{group.id}", disabled: !can?(current_user, :admin_project_member, @project)
         %i.clear-icon.js-clear-input
-    - if can?(current_user, action_member_permission(:admin, group), group)
+    - if can?(current_user, :admin_project_member, @project)
       = link_to namespace_project_group_link_path(@project.namespace, @project, group_link),
         remote: true,
         method: :delete,
diff --git a/spec/features/projects/members/group_links_spec.rb b/spec/features/projects/members/group_links_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..3d59df201974da96bd6ee41dad460d451d7f2816
--- /dev/null
+++ b/spec/features/projects/members/group_links_spec.rb
@@ -0,0 +1,37 @@
+require 'spec_helper'
+
+feature 'Projects > Members > Anonymous user sees members', feature: true, js: true do
+  include WaitForAjax
+
+  let(:user) { create(:user) }
+  let(:group) { create(:group, :public) }
+  let(:project) { create(:empty_project, :public) }
+
+  background do
+    project.team << [user, :master]
+    @group_link = create(:project_group_link, project: project, group: group)
+
+    login_as(user)
+    visit namespace_project_project_members_path(project.namespace, project)
+  end
+
+  it 'updates group access level' do
+    select 'Guest', from: "member_access_level_#{group.id}"
+    wait_for_ajax
+
+    visit namespace_project_project_members_path(project.namespace, project)
+
+    expect(page).to have_select("member_access_level_#{group.id}", selected: 'Guest')
+  end
+
+  it 'updates expiry date' do
+    tomorrow = Date.today + 3
+
+    fill_in "member_expires_at_#{group.id}", with: tomorrow.strftime("%F")
+    wait_for_ajax
+
+    page.within(first('li.member')) do
+      expect(page).to have_content('Expires in 3 days')
+    end
+  end
+end