diff --git a/app/models/project.rb b/app/models/project.rb
index 76dcff80bffa6c337fa25a4436e97ed8b4afd1d3..acea89c15261ec0cfe75c23a6249c72d068deff9 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -198,7 +198,7 @@ class Project < ActiveRecord::Base
     if: ->(project) { project.avatar.present? && project.avatar_changed? }
   validates :avatar, file_size: { maximum: 200.kilobytes.to_i }
   validate :visibility_level_allowed_by_group
-  validate :visibility_level_allowed_as_fork
+  validate :visibility_level_allowed_as_fork, on: :update
 
   add_authentication_token_field :runners_token
   before_save :ensure_runners_token
@@ -974,7 +974,7 @@ class Project < ActiveRecord::Base
   def visibility_level_allowed_as_fork?(level = self.visibility_level)
     return true unless forked?
 
-    Gitlab::VisibilityLevel.allowed_fork_levels(forked_from_project.visibility_level).include?(level)
+    level <= forked_from_project.visibility_level
   end
 
   def visibility_level_allowed_by_group?(level = self.visibility_level)
diff --git a/app/services/groups/base_service.rb b/app/services/groups/base_service.rb
index 1642115583d89fcc32b481c9bf2069f377a423ee..a8fa098246a52ce058d2ec581826c71ec51b7a96 100644
--- a/app/services/groups/base_service.rb
+++ b/app/services/groups/base_service.rb
@@ -1,5 +1,5 @@
 module Groups
-  class BaseService < BaseService
+  class BaseService < ::BaseService
     attr_accessor :group, :current_user, :params
 
     def initialize(group, user, params = {})
diff --git a/lib/gitlab/visibility_level.rb b/lib/gitlab/visibility_level.rb
index 0a1f66b072675f350a3e7990d7d9498c74f3b87e..a1ee1cba216bcdb8cb55f25b376c7b795b102620 100644
--- a/lib/gitlab/visibility_level.rb
+++ b/lib/gitlab/visibility_level.rb
@@ -56,10 +56,6 @@ module Gitlab
         options.has_value?(level)
       end
 
-      def allowed_fork_levels(origin_level)
-        [PRIVATE, INTERNAL, PUBLIC].select{ |level| level <= origin_level }
-      end
-
       def level_name(level)
         level_name = 'Unknown'
         options.each do |name, lvl|
diff --git a/spec/helpers/projects_helper_spec.rb b/spec/helpers/projects_helper_spec.rb
index 53207767581e906005768c4e3313ea0beca51b35..dc324f1e60e0f99eea4b29c18f9777fa41e17356 100644
--- a/spec/helpers/projects_helper_spec.rb
+++ b/spec/helpers/projects_helper_spec.rb
@@ -11,16 +11,8 @@ describe ProjectsHelper do
 
   describe "can_change_visibility_level?" do
     let(:project) { create(:project) }
-
-    let(:fork_project) do
-      fork_project = create(:forked_project_with_submodules)
-      fork_project.build_forked_project_link(forked_to_project_id: fork_project.id, forked_from_project_id: project.id)
-      fork_project.save
-
-      fork_project
-    end
-
     let(:user) { create(:user) }
+    let(:fork_project) { Projects::ForkService.new(project, user).execute }
 
     it "returns false if there are no appropriate permissions" do
       allow(helper).to receive(:can?) { false }
diff --git a/spec/models/group_spec.rb b/spec/models/group_spec.rb
index 208922b5a8e00c07a263aaf22fad3c875f1b113a..68e213f48161935a20dcf689d851614505da5ee8 100644
--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -67,9 +67,9 @@ describe Group, models: true do
     end
 
     describe 'public_and_internal_only' do
-      subject { described_class.public_and_internal_only.to_a }
+      subject { described_class.public_and_internal_only.to_a.sort }
 
-      it{ is_expected.to eq([group, internal_group]) }
+      it{ is_expected.to eq([group, internal_group].sort) }
     end
   end
 
diff --git a/spec/services/groups/update_service_spec.rb b/spec/services/groups/update_service_spec.rb
index 7732482cdaa3b9055e8afd15cea4da5da57a311a..9c2331144a04d09d674d6b7f6c19ec7d53f4fa75 100644
--- a/spec/services/groups/update_service_spec.rb
+++ b/spec/services/groups/update_service_spec.rb
@@ -16,8 +16,9 @@ describe Groups::UpdateService, services: true do
           create(:project, :public, group: public_group)
         end
 
-        it "cant downgrade permission level" do
-          expect(public_group.errors.count).to eq(2)
+        it "does not change permission level" do
+          service.execute
+          expect(public_group.errors.count).to eq(1)
         end
       end
 
@@ -29,8 +30,9 @@ describe Groups::UpdateService, services: true do
           create(:project, :internal, group: internal_group)
         end
 
-        it "cant downgrade permission level" do
-          expect(internal_group.errors.count).to eq(2)
+        it "does not change permission level" do
+          service.execute
+          expect(internal_group.errors.count).to eq(1)
         end
       end
     end
@@ -43,6 +45,7 @@ describe Groups::UpdateService, services: true do
     end
 
     it "does not change permission level" do
+      service.execute
       expect(internal_group.errors.count).to eq(1)
     end
   end