diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 62d46a5482eccf4a92690f6e4b09a34e004cfb80..a657d3c54eedd11241d74e12c319eeb4eeaa61a2 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -89,7 +89,7 @@ class ApplicationController < ActionController::Base
   end
 
   def after_sign_out_path_for(resource)
-    current_application_settings.after_sign_out_path || new_user_session_path 
+    current_application_settings.after_sign_out_path || new_user_session_path
   end
 
   def abilities
@@ -140,11 +140,6 @@ class ApplicationController < ActionController::Base
     return access_denied! unless can?(current_user, action, project)
   end
 
-  def authorize_labels!
-    # Labels should be accessible for issues and/or merge requests
-    authorize_read_issue! || authorize_read_merge_request!
-  end
-
   def access_denied!
     render "errors/access_denied", layout: "errors", status: 404
   end
diff --git a/app/controllers/projects/labels_controller.rb b/app/controllers/projects/labels_controller.rb
index 2f8cb203cf9e77259c9cec78d5ab4ea50e6cb026..86d6e3e0f6b5d47c1cb980e829205bd86450f555 100644
--- a/app/controllers/projects/labels_controller.rb
+++ b/app/controllers/projects/labels_controller.rb
@@ -1,7 +1,7 @@
 class Projects::LabelsController < Projects::ApplicationController
   before_action :module_enabled
   before_action :label, only: [:edit, :update, :destroy]
-  before_action :authorize_labels!
+  before_action :authorize_read_label!
   before_action :authorize_admin_labels!, except: [:index]
 
   respond_to :js, :html
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 4e6c60dc8ca08ca21507959bb914350740d5199f..bcd2adee00b511a97920514e95c7cfe69e2f8e05 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -138,6 +138,7 @@ class Ability
         :read_project,
         :read_wiki,
         :read_issue,
+        :read_label,
         :read_milestone,
         :read_project_snippet,
         :read_project_member,
diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb
index 186239d3096b6a548b41d8bf0348e446986f3380..55851befc8cb362c880912d345e5a5f49d902c6f 100644
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -30,4 +30,44 @@ describe ApplicationController do
       controller.send(:check_password_expiration)
     end
   end
+
+  describe 'check labels authorization' do
+    let(:project) { create(:project) }
+    let(:user) { create(:user) }
+    let(:controller) { ApplicationController.new }
+
+    before do
+      project.team << [user, :guest]
+      allow(controller).to receive(:current_user).and_return(user)
+      allow(controller).to receive(:project).and_return(project)
+    end
+
+    it 'should succeed if issues and MRs are enabled' do
+      project.issues_enabled = true
+      project.merge_requests_enabled = true
+      controller.send(:authorize_read_label!)
+      expect(response.status).to eq(200)
+    end
+
+    it 'should succeed if issues are enabled, MRs are disabled' do
+      project.issues_enabled = true
+      project.merge_requests_enabled = false
+      controller.send(:authorize_read_label!)
+      expect(response.status).to eq(200)
+    end
+
+    it 'should succeed if issues are disabled, MRs are enabled' do
+      project.issues_enabled = false
+      project.merge_requests_enabled = true
+      controller.send(:authorize_read_label!)
+      expect(response.status).to eq(200)
+    end
+
+    it 'should fail if issues and MRs are disabled' do
+      project.issues_enabled = false
+      project.merge_requests_enabled = false
+      expect(controller).to receive(:access_denied!)
+      controller.send(:authorize_read_label!)
+    end
+  end
 end