diff --git a/app/controllers/projects/group_links_controller.rb b/app/controllers/projects/group_links_controller.rb
index 57c54bf625a55ab758bf52f26aceeb40926f28cc..b5e314dced36829deb86609b71893c6cfaa9eca8 100644
--- a/app/controllers/projects/group_links_controller.rb
+++ b/app/controllers/projects/group_links_controller.rb
@@ -21,6 +21,7 @@ class Projects::GroupLinksController < Projects::ApplicationController
 
   def update
     @group_link = @project.project_group_links.find(params[:id])
+    return render_403 unless can?(current_user, action_member_permission(:admin, @group_link.group), @group_link.group)
 
     @group_link.update_attributes(group_link_params)
   end