Merge branch 'issue_12658' into 'master'

Add group visibility level

Supersedes https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/3051

Closes #12658

See merge request !3323

101 files changed, 1538 insertions, 977 deletions

diff --git a/Gemfile.lock b/Gemfile.lock
index 284964e7ec8..16c09ab6e6d 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1064,6 +1064,3 @@ DEPENDENCIES
   web-console (~> 2.0)
   webmock (~> 1.21.0)
   wikicloth (= 0.8.1)
-
-BUNDLED WITH
-   1.11.2
diff --git a/app/assets/stylesheets/framework/blocks.scss b/app/assets/stylesheets/framework/blocks.scss
index e19c4141328..62b2af0dbf7 100644
--- a/app/assets/stylesheets/framework/blocks.scss
+++ b/app/assets/stylesheets/framework/blocks.scss
@@ -111,6 +111,24 @@
     color: #4c4e54;
     font-size: 23px;
     line-height: 1.1;
+
+    h1 {
+      color: #313236;
+      margin-bottom: 6px;
+      font-size: 23px;
+    }
+
+    .visibility-icon {
+      display: inline-block;
+      margin-left: 5px;
+      font-size: 18px;
+      color: $gray;
+    }
+
+    p {
+      padding: 0 $gl-padding;
+      color: #5c5d5e;
+    }
   }
 
   .cover-desc {
diff --git a/app/assets/stylesheets/pages/projects.scss b/app/assets/stylesheets/pages/projects.scss
index 8db97ef5208..c68bd673a67 100644
--- a/app/assets/stylesheets/pages/projects.scss
+++ b/app/assets/stylesheets/pages/projects.scss
@@ -68,28 +68,6 @@
     }
   }
 
-  .project-home-desc {
-    h1 {
-      color: #313236;
-      margin: 0;
-      margin-bottom: 6px;
-      font-size: 23px;
-      font-weight: normal;
-    }
-
-    .visibility-icon {
-      display: inline-block;
-      margin-left: 5px;
-      font-size: 18px;
-      color: $gray;
-    }
-
-    p {
-      padding: 0 $gl-padding;
-      color: #5c5d5e;
-    }
-  }
-
   .project-repo-buttons {
     margin-top: 20px;
     margin-bottom: 0;
diff --git a/app/controllers/admin/application_settings_controller.rb b/app/controllers/admin/application_settings_controller.rb
index 04a99d8c84a..ed9f6031389 100644
--- a/app/controllers/admin/application_settings_controller.rb
+++ b/app/controllers/admin/application_settings_controller.rb
@@ -61,6 +61,7 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
       :session_expire_delay,
       :default_project_visibility,
       :default_snippet_visibility,
+      :default_group_visibility,
       :restricted_signup_domains_raw,
       :version_check_enabled,
       :admin_notification_email,
diff --git a/app/controllers/admin/groups_controller.rb b/app/controllers/admin/groups_controller.rb
index b2b817e64f9..a6db4690df0 100644
--- a/app/controllers/admin/groups_controller.rb
+++ b/app/controllers/admin/groups_controller.rb
@@ -59,6 +59,6 @@ class Admin::GroupsController < Admin::ApplicationController
   end
 
   def group_params
-    params.require(:group).permit(:name, :description, :path, :avatar)
+    params.require(:group).permit(:name, :description, :path, :avatar, :visibility_level)
   end
 end
diff --git a/app/controllers/admin/projects_controller.rb b/app/controllers/admin/projects_controller.rb
index 4a6edafdeec..4089091d569 100644
--- a/app/controllers/admin/projects_controller.rb
+++ b/app/controllers/admin/projects_controller.rb
@@ -1,7 +1,6 @@
 class Admin::ProjectsController < Admin::ApplicationController
   before_action :project, only: [:show, :transfer]
   before_action :group, only: [:show, :transfer]
-  before_action :repository, only: [:show, :transfer]
 
   def index
     @projects = Project.all
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index de7d323907a..c81cb85dc1b 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -23,7 +23,6 @@ class ApplicationController < ActionController::Base
 
   helper_method :abilities, :can?, :current_application_settings
   helper_method :import_sources_enabled?, :github_import_enabled?, :github_import_configured?, :gitlab_import_enabled?, :gitlab_import_configured?, :bitbucket_import_enabled?, :bitbucket_import_configured?, :gitorious_import_enabled?, :google_code_import_enabled?, :fogbugz_import_enabled?, :git_import_enabled?
-  helper_method :repository, :can_collaborate_with_project?
 
   rescue_from Encoding::CompatibilityError do |exception|
     log_exception(exception)
@@ -116,47 +115,6 @@ class ApplicationController < ActionController::Base
     abilities.allowed?(object, action, subject)
   end
 
-  def project
-    unless @project
-      namespace = params[:namespace_id]
-      id = params[:project_id] || params[:id]
-
-      # Redirect from
-      #   localhost/group/project.git
-      # to
-      #   localhost/group/project
-      #
-      if id =~ /\.git\Z/
-        redirect_to request.original_url.gsub(/\.git\/?\Z/, '') and return
-      end
-
-      project_path = "#{namespace}/#{id}"
-      @project = Project.find_with_namespace(project_path)
-
-      if @project and can?(current_user, :read_project, @project)
-        if @project.path_with_namespace != project_path
-          redirect_to request.original_url.gsub(project_path, @project.path_with_namespace) and return
-        end
-        @project
-      elsif current_user.nil?
-        @project = nil
-        authenticate_user!
-      else
-        @project = nil
-        render_404 and return
-      end
-    end
-    @project
-  end
-
-  def repository
-    @repository ||= project.repository
-  end
-
-  def authorize_project!(action)
-    return access_denied! unless can?(current_user, action, project)
-  end
-
   def access_denied!
     render "errors/access_denied", layout: "errors", status: 404
   end
@@ -165,14 +123,6 @@ class ApplicationController < ActionController::Base
     render "errors/git_not_found.html", layout: "errors", status: 404
   end
 
-  def method_missing(method_sym, *arguments, &block)
-    if method_sym.to_s =~ /\Aauthorize_(.*)!\z/
-      authorize_project!($1.to_sym)
-    else
-      super
-    end
-  end
-
   def render_403
     head :forbidden
   end
@@ -181,10 +131,6 @@ class ApplicationController < ActionController::Base
     render file: Rails.root.join("public", "404"), layout: false, status: "404"
   end
 
-  def require_non_empty_project
-    redirect_to @project if @project.empty_repo?
-  end
-
   def no_cache_headers
     response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate"
     response.headers["Pragma"] = "no-cache"
@@ -410,13 +356,6 @@ class ApplicationController < ActionController::Base
     current_user.nil? && root_path == request.path
   end
 
-  def can_collaborate_with_project?(project = nil)
-    project ||= @project
-
-    can?(current_user, :push_code, project) ||
-      (current_user && current_user.already_forked?(project))
-  end
-
   private
 
   def set_default_sort
diff --git a/app/controllers/explore/groups_controller.rb b/app/controllers/explore/groups_controller.rb
index 2580f15c432..a962f9a0937 100644
--- a/app/controllers/explore/groups_controller.rb
+++ b/app/controllers/explore/groups_controller.rb
@@ -1,6 +1,6 @@
 class Explore::GroupsController < Explore::ApplicationController
   def index
-    @groups = Group.order_id_desc
+    @groups = GroupsFinder.new.execute(current_user)
     @groups = @groups.search(params[:search]) if params[:search].present?
     @groups = @groups.sort(@sort = params[:sort])
     @groups = @groups.page(params[:page])
diff --git a/app/controllers/groups/application_controller.rb b/app/controllers/groups/application_controller.rb
index be801858eaf..949b4a6c25a 100644
--- a/app/controllers/groups/application_controller.rb
+++ b/app/controllers/groups/application_controller.rb
@@ -1,21 +1,32 @@
 class Groups::ApplicationController < ApplicationController
   layout 'group'
+
+  skip_before_action :authenticate_user!
   before_action :group
 
   private
 
   def group
-    @group ||= Group.find_by(path: params[:group_id])
-  end
+    unless @group
+      id = params[:group_id] || params[:id]
+      @group = Group.find_by(path: id)
+
+      unless @group && can?(current_user, :read_group, @group)
+        @group = nil
 
-  def authorize_read_group!
-    unless @group and can?(current_user, :read_group, @group)
-      if current_user.nil?
-        return authenticate_user!
-      else
-        return render_404
+        if current_user.nil?
+          authenticate_user!
+        else
+          render_404
+        end
       end
     end
+
+    @group
+  end
+
+  def group_projects
+    @projects ||= GroupProjectsFinder.new(group).execute(current_user)
   end
 
   def authorize_admin_group!
diff --git a/app/controllers/groups/avatars_controller.rb b/app/controllers/groups/avatars_controller.rb
index 76c87366baa..ad2c20b42db 100644
--- a/app/controllers/groups/avatars_controller.rb
+++ b/app/controllers/groups/avatars_controller.rb
@@ -1,4 +1,6 @@
 class Groups::AvatarsController < Groups::ApplicationController
+  before_action :authorize_admin_group!
+
   def destroy
     @group.remove_avatar!
     @group.save
diff --git a/app/controllers/groups/group_members_controller.rb b/app/controllers/groups/group_members_controller.rb
index 0e902c4bb43..d5ef33888c6 100644
--- a/app/controllers/groups/group_members_controller.rb
+++ b/app/controllers/groups/group_members_controller.rb
@@ -1,8 +1,5 @@
 class Groups::GroupMembersController < Groups::ApplicationController
-  skip_before_action :authenticate_user!, only: [:index]
-
   # Authorize
-  before_action :authorize_read_group!
   before_action :authorize_admin_group_member!, except: [:index, :leave]
 
   def index
diff --git a/app/controllers/groups/milestones_controller.rb b/app/controllers/groups/milestones_controller.rb
index 0c2a350bc39..0028f072d5b 100644
--- a/app/controllers/groups/milestones_controller.rb
+++ b/app/controllers/groups/milestones_controller.rb
@@ -1,10 +1,10 @@
 class Groups::MilestonesController < Groups::ApplicationController
   include GlobalMilestones
 
-  before_action :projects
+  before_action :group_projects
   before_action :milestones, only: [:index]
   before_action :milestone, only: [:show, :update]
-  before_action :authorize_group_milestone!, only: [:create, :update]
+  before_action :authorize_admin_milestones!, only: [:new, :create, :update]
 
   def index
   end
@@ -17,7 +17,7 @@ class Groups::MilestonesController < Groups::ApplicationController
     project_ids = params[:milestone][:project_ids]
     title = milestone_params[:title]
 
-    @group.projects.where(id: project_ids).each do |project|
+    @projects.where(id: project_ids).each do |project|
       Milestones::CreateService.new(project, current_user, milestone_params).execute
     end
 
@@ -37,7 +37,7 @@ class Groups::MilestonesController < Groups::ApplicationController
 
   private
 
-  def authorize_group_milestone!
+  def authorize_admin_milestones!
     return render_404 unless can?(current_user, :admin_milestones, group)
   end
 
@@ -48,8 +48,4 @@ class Groups::MilestonesController < Groups::ApplicationController
   def milestone_path(title)
     group_milestone_path(@group, title.to_slug.to_s, title: title)
   end
-
-  def projects
-    @projects ||= @group.projects
-  end
 end
diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index 5f9844104b8..c1adc999567 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -5,16 +5,15 @@ class GroupsController < Groups::ApplicationController
 
   respond_to :html
 
-  skip_before_action :authenticate_user!, only: [:index, :show, :issues, :merge_requests]
+  before_action :authenticate_user!, only: [:new, :create]
   before_action :group, except: [:index, :new, :create]
 
   # Authorize
-  before_action :authorize_read_group!, except: [:index, :show, :new, :create, :autocomplete]
   before_action :authorize_admin_group!, only: [:edit, :update, :destroy, :projects]
   before_action :authorize_create_group!, only: [:new, :create]
 
   # Load group projects
-  before_action :load_projects, except: [:index, :new, :create, :projects, :edit, :update, :autocomplete]
+  before_action :group_projects, only: [:show, :projects, :activity, :issues, :merge_requests]
   before_action :event_filter, only: [:activity]
 
   layout :determine_layout
@@ -28,11 +27,9 @@ class GroupsController < Groups::ApplicationController
   end
 
   def create
-    @group = Group.new(group_params)
-    @group.name = @group.path.dup unless @group.name
+    @group = Groups::CreateService.new(current_user, group_params).execute
 
-    if @group.save
-      @group.add_owner(current_user)
+    if @group.persisted?
       redirect_to @group, notice: "Group '#{@group.name}' was successfully created."
     else
       render action: "new"
@@ -41,12 +38,13 @@ class GroupsController < Groups::ApplicationController
 
   def show
     @last_push = current_user.recent_push if current_user
+
     @projects = @projects.includes(:namespace)
     @projects = filter_projects(@projects)
     @projects = @projects.sort(@sort = params[:sort])
     @projects = @projects.page(params[:page]) if params[:filter_projects].blank?
 
-    @shared_projects = @group.shared_projects
+    @shared_projects = GroupProjectsFinder.new(group, only_shared: true).execute(current_user)
 
     respond_to do |format|
       format.html
@@ -83,7 +81,7 @@ class GroupsController < Groups::ApplicationController
   end
 
   def update
-    if @group.update_attributes(group_params)
+    if Groups::UpdateService.new(@group, current_user, group_params).execute
       redirect_to edit_group_path(@group), notice: "Group '#{@group.name}' was successfully updated."
     else
       render action: "edit"
@@ -98,26 +96,6 @@ class GroupsController < Groups::ApplicationController
 
   protected
 
-  def group
-    @group ||= Group.find_by(path: params[:id])
-    @group || render_404
-  end
-
-  def load_projects
-    @projects ||= ProjectsFinder.new.execute(current_user, group: group).sorted_by_activity
-  end
-
-  # Dont allow unauthorized access to group
-  def authorize_read_group!
-    unless @group and (@projects.present? or can?(current_user, :read_group, @group))
-      if current_user.nil?
-        return authenticate_user!
-      else
-        return render_404
-      end
-    end
-  end
-
   def authorize_create_group!
     unless can?(current_user, :create_group, nil)
       return render_404
@@ -135,7 +113,7 @@ class GroupsController < Groups::ApplicationController
   end
 
   def group_params
-    params.require(:group).permit(:name, :description, :path, :avatar, :public, :share_with_group_lock)
+    params.require(:group).permit(:name, :description, :path, :avatar, :public, :visibility_level, :share_with_group_lock)
   end
 
   def load_events
diff --git a/app/controllers/namespaces_controller.rb b/app/controllers/namespaces_controller.rb
index 282012c60a1..5a94dcb0dbd 100644
--- a/app/controllers/namespaces_controller.rb
+++ b/app/controllers/namespaces_controller.rb
@@ -14,7 +14,7 @@ class NamespacesController < ApplicationController
 
     if user
       redirect_to user_path(user)
-    elsif group
+    elsif group && can?(current_user, :read_group, namespace)
       redirect_to group_path(group)
     elsif current_user.nil?
       authenticate_user!
diff --git a/app/controllers/projects/application_controller.rb b/app/controllers/projects/application_controller.rb
index a326bc58215..657ee94cfd7 100644
--- a/app/controllers/projects/application_controller.rb
+++ b/app/controllers/projects/application_controller.rb
@@ -1,20 +1,74 @@
 class Projects::ApplicationController < ApplicationController
+  skip_before_action :authenticate_user!
   before_action :project
   before_action :repository
   layout 'project'
 
-  def authenticate_user!
-    # Restrict access to Projects area only
-    # for non-signed users
-    if !current_user
+  helper_method :repository, :can_collaborate_with_project?
+
+  private
+
+  def project
+    unless @project
+      namespace = params[:namespace_id]
       id = params[:project_id] || params[:id]
-      project_with_namespace = "#{params[:namespace_id]}/#{id}"
-      @project = Project.find_with_namespace(project_with_namespace)
 
-      return if @project && @project.public?
+      # Redirect from
+      #   localhost/group/project.git
+      # to
+      #   localhost/group/project
+      #
+      if id =~ /\.git\Z/
+        redirect_to request.original_url.gsub(/\.git\/?\Z/, '')
+        return
+      end
+
+      project_path = "#{namespace}/#{id}"
+      @project = Project.find_with_namespace(project_path)
+
+      if @project && can?(current_user, :read_project, @project)
+        if @project.path_with_namespace != project_path
+          redirect_to request.original_url.gsub(project_path, @project.path_with_namespace)
+        end
+      else
+        @project = nil
+
+        if current_user.nil?
+          authenticate_user!
+        else
+          render_404
+        end
+      end
+    end
+
+    @project
+  end
+
+  def repository
+    @repository ||= project.repository
+  end
+
+  def can_collaborate_with_project?(project = nil)
+    project ||= @project
+
+    can?(current_user, :push_code, project) ||
+      (current_user && current_user.already_forked?(project))
+  end
+
+  def authorize_project!(action)
+    return access_denied! unless can?(current_user, action, project)
+  end
+
+  def method_missing(method_sym, *arguments, &block)
+    if method_sym.to_s =~ /\Aauthorize_(.*)!\z/
+      authorize_project!($1.to_sym)
+    else
+      super
     end
+  end
 
-    super
+  def require_non_empty_project
+    redirect_to namespace_project_path(@project.namespace, @project) if @project.empty_repo?
   end
 
   def require_branch_head
@@ -26,8 +80,6 @@ class Projects::ApplicationController < ApplicationController
     end
   end
 
-  private
-
   def apply_diff_view_cookie!
     view = params[:view] || cookies[:diff_view]
     cookies.permanent[:diff_view] = params[:view] = view if view
diff --git a/app/controllers/projects/avatars_controller.rb b/app/controllers/projects/avatars_controller.rb
index a6bebc46b06..72921b3aa14 100644
--- a/app/controllers/projects/avatars_controller.rb
+++ b/app/controllers/projects/avatars_controller.rb
@@ -1,7 +1,7 @@
 class Projects::AvatarsController < Projects::ApplicationController
   include BlobHelper
 
-  before_action :project
+  before_action :authorize_admin_project!, only: [:destroy]
 
   def show
     @blob = @repository.blob_at_branch('master', @project.avatar_in_git)
diff --git a/app/controllers/projects/uploads_controller.rb b/app/controllers/projects/uploads_controller.rb
index e1fe7ea2114..caed064dfbc 100644
--- a/app/controllers/projects/uploads_controller.rb
+++ b/app/controllers/projects/uploads_controller.rb
@@ -1,7 +1,9 @@
 class Projects::UploadsController < Projects::ApplicationController
-  skip_before_action :authenticate_user!, :reject_blocked!, :project,
+  skip_before_action :reject_blocked!, :project,
     :repository, if: -> { action_name == 'show' && image? }
 
+  before_action :authorize_upload_file!, only: [:create]
+
   def create
     link_to_file = ::Projects::UploadService.new(project, params[:file]).
       execute
@@ -26,6 +28,8 @@ class Projects::UploadsController < Projects::ApplicationController
     send_file uploader.file.path, disposition: disposition
   end
 
+  private
+
   def uploader
     return @uploader if defined?(@uploader)
 
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index c9930480770..928817ba811 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -1,7 +1,7 @@
-class ProjectsController < ApplicationController
+class ProjectsController < Projects::ApplicationController
   include ExtractsPath
 
-  skip_before_action :authenticate_user!, only: [:show, :activity]
+  before_action :authenticate_user!, except: [:show, :activity]
   before_action :project, except: [:new, :create]
   before_action :repository, except: [:new, :create]
   before_action :assign_ref_vars, :tree, only: [:show], if: :repo_exists?
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 169bef670aa..8e7956da48f 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -108,7 +108,7 @@ class UsersController < ApplicationController
   end
 
   def load_groups
-    @groups = @user.groups.order_id_desc
+    @groups = JoinedGroupsFinder.new(@user).execute(current_user)
   end
 
   def projects_for_current_user
diff --git a/app/finders/contributed_projects_finder.rb b/app/finders/contributed_projects_finder.rb
index 0209649b017..a685719555c 100644
--- a/app/finders/contributed_projects_finder.rb
+++ b/app/finders/contributed_projects_finder.rb
@@ -1,4 +1,4 @@
-class ContributedProjectsFinder
+class ContributedProjectsFinder < UnionFinder
   def initialize(user)
     @user = user
   end
@@ -11,27 +11,19 @@ class ContributedProjectsFinder
   #
   # Returns an ActiveRecord::Relation.
   def execute(current_user = nil)
-    if current_user
-      relation = projects_visible_to_user(current_user)
-    else
-      relation = public_projects
-    end
+    segments = all_projects(current_user)
 
-    relation.includes(:namespace).order_id_desc
+    find_union(segments, Project).includes(:namespace).order_id_desc
   end
 
   private
 
-  def projects_visible_to_user(current_user)
-    authorized = @user.contributed_projects.visible_to_user(current_user)
+  def all_projects(current_user)
+    projects = []
 
-    union = Gitlab::SQL::Union.
-      new([authorized.select(:id), public_projects.select(:id)])
+    projects << @user.contributed_projects.visible_to_user(current_user) if current_user
+    projects << @user.contributed_projects.public_to_user(current_user)
 
-    Project.where("projects.id IN (#{union.to_sql})")
-  end
-
-  def public_projects
-    @user.contributed_projects.public_only
+    projects
   end
 end
diff --git a/app/finders/group_projects_finder.rb b/app/finders/group_projects_finder.rb
new file mode 100644
index 00000000000..3b9a421b118
--- /dev/null
+++ b/app/finders/group_projects_finder.rb
@@ -0,0 +1,42 @@
+class GroupProjectsFinder < UnionFinder
+  def initialize(group, options = {})
+    @group   = group
+    @options = options
+  end
+
+  def execute(current_user = nil)
+    segments = group_projects(current_user)
+    find_union(segments, Project)
+  end
+
+  private
+
+  def group_projects(current_user)
+    only_owned  = @options.fetch(:only_owned, false)
+    only_shared = @options.fetch(:only_shared, false)
+
+    projects = []
+
+    if current_user
+      if @group.users.include?(current_user)
+        projects << @group.projects unless only_shared
+        projects << @group.shared_projects unless only_owned
+      else
+        unless only_shared
+          projects << @group.projects.visible_to_user(current_user)
+          projects << @group.projects.public_to_user(current_user)
+        end
+
+        unless only_owned
+          projects << @group.shared_projects.visible_to_user(current_user)
+          projects << @group.shared_projects.public_to_user(current_user)
+        end
+      end
+    else
+      projects << @group.projects.public_only unless only_shared
+      projects << @group.shared_projects.public_only unless only_owned
+    end
+
+    projects
+  end
+end
diff --git a/app/finders/groups_finder.rb b/app/finders/groups_finder.rb
new file mode 100644
index 00000000000..4e43f42e9e1
--- /dev/null
+++ b/app/finders/groups_finder.rb
@@ -0,0 +1,18 @@
+class GroupsFinder < UnionFinder
+  def execute(current_user = nil)
+    segments = all_groups(current_user)
+
+    find_union(segments, Group).order_id_desc
+  end
+
+  private
+
+  def all_groups(current_user)
+    groups = []
+
+    groups << current_user.authorized_groups if current_user
+    groups << Group.unscoped.public_to_user(current_user)
+
+    groups
+  end
+end
diff --git a/app/finders/issuable_finder.rb b/app/finders/issuable_finder.rb
index 19e8c7a92be..046286dd9e1 100644
--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@@ -80,9 +80,10 @@ class IssuableFinder
       @projects = project
     elsif current_user && params[:authorized_only].presence && !current_user_related?
       @projects = current_user.authorized_projects.reorder(nil)
+    elsif group
+      @projects = GroupProjectsFinder.new(group).execute(current_user).reorder(nil)
     else
-      @projects = ProjectsFinder.new.execute(current_user, group: group).
-        reorder(nil)
+      @projects = ProjectsFinder.new.execute(current_user).reorder(nil)
     end
   end
 
@@ -171,14 +172,12 @@ class IssuableFinder
 
   def by_scope(items)
     case params[:scope]
-    when 'created-by-me', 'authored' then
+    when 'created-by-me', 'authored'
       items.where(author_id: current_user.id)
-    when 'all' then
-      items
-    when 'assigned-to-me' then
+    when 'assigned-to-me'
       items.where(assignee_id: current_user.id)
     else
-      raise 'You must specify default scope'
+      items
     end
   end
 
@@ -198,8 +197,7 @@ class IssuableFinder
   end
 
   def by_group(items)
-    items = items.of_group(group) if group
-
+    # Selection by group is already covered by `by_project` and `projects`
     items
   end
 
diff --git a/app/finders/joined_groups_finder.rb b/app/finders/joined_groups_finder.rb
new file mode 100644
index 00000000000..47174980258
--- /dev/null
+++ b/app/finders/joined_groups_finder.rb
@@ -0,0 +1,24 @@
+class JoinedGroupsFinder < UnionFinder
+  def initialize(user)
+    @user = user
+  end
+
+  # Finds the groups of the source user, optionally limited to those visible to
+  # the current user.
+  def execute(current_user = nil)
+    segments = all_groups(current_user)
+
+    find_union(segments, Group).order_id_desc
+  end
+
+  private
+
+  def all_groups(current_user)
+    groups = []
+
+    groups << @user.authorized_groups.visible_to_user(current_user) if current_user
+    groups << @user.authorized_groups.public_to_user(current_user)
+
+    groups
+  end
+end
diff --git a/app/finders/personal_projects_finder.rb b/app/finders/personal_projects_finder.rb
index a61ffa22990..3ad4bd5f066 100644
--- a/app/finders/personal_projects_finder.rb
+++ b/app/finders/personal_projects_finder.rb
@@ -1,4 +1,4 @@
-class PersonalProjectsFinder
+class PersonalProjectsFinder < UnionFinder
   def initialize(user)
     @user = user
   end
@@ -11,31 +11,19 @@ class PersonalProjectsFinder
   #
   # Returns an ActiveRecord::Relation.
   def execute(current_user = nil)
-    if current_user
-      relation = projects_visible_to_user(current_user)
-    else
-      relation = public_projects
-    end
+    segments = all_projects(current_user)
 
-    relation.includes(:namespace).order_id_desc
+    find_union(segments, Project).includes(:namespace).order_id_desc
   end
 
   private
 
-  def projects_visible_to_user(current_user)
-    authorized = @user.personal_projects.visible_to_user(current_user)
+  def all_projects(current_user)
+    projects = []
 
-    union = Gitlab::SQL::Union.
-      new([authorized.select(:id), public_and_internal_projects.select(:id)])
+    projects << @user.personal_projects.visible_to_user(current_user) if current_user
+    projects << @user.personal_projects.public_to_user(current_user)
 
-    Project.where("projects.id IN (#{union.to_sql})")
-  end
-
-  def public_projects
-    @user.personal_projects.public_only
-  end
-
-  def public_and_internal_projects
-    @user.personal_projects.public_and_internal_only
+    projects
   end
 end
diff --git a/app/finders/projects_finder.rb b/app/finders/projects_finder.rb
index 3a5fc5b5907..2f0a9659d15 100644
--- a/app/finders/projects_finder.rb
+++ b/app/finders/projects_finder.rb
@@ -1,81 +1,18 @@
-class ProjectsFinder
-  # Returns all projects, optionally including group projects a user has access
-  # to.
-  #
-  # ## Examples
-  #
-  # Retrieving all public projects:
-  #
-  #     ProjectsFinder.new.execute
-  #
-  # Retrieving all public/internal projects and those the given user has access
-  # to:
-  #
-  #     ProjectsFinder.new.execute(some_user)
-  #
-  # Retrieving all public/internal projects as well as the group's projects the
-  # user has access to:
-  #
-  #     ProjectsFinder.new.execute(some_user, group: some_group)
-  #
-  # Returns an ActiveRecord::Relation.
+class ProjectsFinder < UnionFinder
   def execute(current_user = nil, options = {})
-    group = options[:group]
+    segments = all_projects(current_user)
 
-    if group
-      segments = group_projects(current_user, group)
-    else
-      segments = all_projects(current_user)
-    end
-
-    if segments.length > 1
-      union = Gitlab::SQL::Union.new(segments.map { |s| s.select(:id) })
-
-      Project.where("projects.id IN (#{union.to_sql})")
-    else
-      segments.first
-    end
+    find_union(segments, Project)
   end
 
   private
 
-  def group_projects(current_user, group)
-    return [group.projects.public_only] unless current_user
-
-    user_group_projects = [
-       group_projects_for_user(current_user, group),
-       group.shared_projects.visible_to_user(current_user)
-    ]
-    if current_user.external?
-      user_group_projects << group.projects.public_only
-    else
-      user_group_projects << group.projects.public_and_internal_only
-    end
-  end
-
   def all_projects(current_user)
-    return [public_projects] unless current_user
+    projects = []
 
-    if current_user.external?
-      [current_user.authorized_projects, public_projects]
-    else
-      [current_user.authorized_projects, public_and_internal_projects]
-    end
-  end
-
-  def group_projects_for_user(current_user, group)
-    if group.users.include?(current_user)
-      group.projects
-    else
-      group.projects.visible_to_user(current_user)
-    end
-  end
-
-  def public_projects
-    Project.unscoped.public_only
-  end
+    projects << current_user.authorized_projects if current_user
+    projects << Project.unscoped.public_to_user(current_user)
 
-  def public_and_internal_projects
-    Project.unscoped.public_and_internal_only
+    projects
   end
 end
diff --git a/app/finders/union_finder.rb b/app/finders/union_finder.rb
new file mode 100644
index 00000000000..33cd1a491f3
--- /dev/null
+++ b/app/finders/union_finder.rb
@@ -0,0 +1,11 @@
+class UnionFinder
+  def find_union(segments, klass)
+    if segments.length > 1
+      union = Gitlab::SQL::Union.new(segments.map { |s| s.select(:id) })
+
+      klass.where("#{klass.table_name}.id IN (#{union.to_sql})")
+    else
+      segments.first
+    end
+  end
+end
diff --git a/app/helpers/groups_helper.rb b/app/helpers/groups_helper.rb
index 1d36969cd62..b1f0a765bb9 100644
--- a/app/helpers/groups_helper.rb
+++ b/app/helpers/groups_helper.rb
@@ -19,6 +19,10 @@ module GroupsHelper
     end
   end
 
+  def can_change_group_visibility_level?(group)
+    can?(current_user, :change_visibility_level, group)
+  end
+
   def group_icon(group)
     if group.is_a?(String)
       group = Group.find_by(path: group)
diff --git a/app/helpers/visibility_level_helper.rb b/app/helpers/visibility_level_helper.rb
index 71d33b445c2..3a83ae15dd8 100644
--- a/app/helpers/visibility_level_helper.rb
+++ b/app/helpers/visibility_level_helper.rb
@@ -19,6 +19,8 @@ module VisibilityLevelHelper
     case form_model
     when Project
       project_visibility_level_description(level)
+    when Group
+      group_visibility_level_description(level)
     when Snippet
       snippet_visibility_level_description(level, form_model)
     end
@@ -35,6 +37,17 @@ module VisibilityLevelHelper
     end
   end
 
+  def group_visibility_level_description(level)
+    case level
+    when Gitlab::VisibilityLevel::PRIVATE
+      "The group and its projects can only be viewed by members."
+    when Gitlab::VisibilityLevel::INTERNAL
+      "The group and any internal projects can be viewed by any logged in user."
+    when Gitlab::VisibilityLevel::PUBLIC
+      "The group and any public projects can be viewed without any authentication."
+    end
+  end
+
   def snippet_visibility_level_description(level, snippet = nil)
     case level
     when Gitlab::VisibilityLevel::PRIVATE
@@ -50,6 +63,23 @@ module VisibilityLevelHelper
     end
   end
 
+  def visibility_icon_description(form_model)
+    case form_model
+    when Project
+      project_visibility_icon_description(form_model.visibility_level)
+    when Group
+      group_visibility_icon_description(form_model.visibility_level)
+    end
+  end
+
+  def group_visibility_icon_description(level)
+    "#{visibility_level_label(level)} - #{group_visibility_level_description(level)}"
+  end
+
+  def project_visibility_icon_description(level)
+    "#{visibility_level_label(level)} - #{project_visibility_level_description(level)}"
+  end
+
   def visibility_level_label(level)
     Project.visibility_levels.key(level)
   end
@@ -67,8 +97,11 @@ module VisibilityLevelHelper
     current_application_settings.default_snippet_visibility
   end
 
+  def default_group_visibility
+    current_application_settings.default_group_visibility
+  end
+
   def skip_level?(form_model, level)
-    form_model.is_a?(Project) &&
-    !form_model.visibility_level_allowed?(level)
+    form_model.is_a?(Project) && !form_model.visibility_level_allowed?(level)
   end
 end
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 40c529e8117..fa2345f6faa 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -85,7 +85,7 @@ class Ability
                 subject.group
               end
 
-      if group && group.projects.public_only.any?
+      if group && group.public?
         [:read_group]
       else
         []
@@ -114,6 +114,13 @@ class Ability
         # Push abilities on the users team role
         rules.push(*project_team_rules(project.team, user))
 
+        if project.owner == user ||
+          (project.group && project.group.has_owner?(user)) ||
+          user.admin?
+
+          rules.push(*project_owner_rules)
+        end
+
         if project.public? || (project.internal? && !user.external?)
           rules.push(*public_project_rules)
 
@@ -121,14 +128,6 @@ class Ability
           rules << :read_build if project.public_builds?
         end
 
-        if project.owner == user || user.admin?
-          rules.push(*project_admin_rules)
-        end
-
-        if project.group && project.group.has_owner?(user)
-          rules.push(*project_admin_rules)
-        end
-
         if project.archived?
           rules -= project_archived_rules
         end
@@ -171,7 +170,8 @@ class Ability
         :read_note,
         :create_project,
         :create_issue,
-        :create_note
+        :create_note,
+        :upload_file
       ]
     end
 
@@ -228,8 +228,8 @@ class Ability
       ]
     end
 
-    def project_admin_rules
-      @project_admin_rules ||= project_master_rules + [
+    def project_owner_rules
+      @project_owner_rules ||= project_master_rules + [
         :change_namespace,
         :change_visibility_level,
         :rename_project,
@@ -275,11 +275,9 @@ class Ability
     def group_abilities(user, group)
       rules = []
 
-      if user.admin? || group.users.include?(user) || ProjectsFinder.new.execute(user, group: group).any?
-        rules << :read_group
-      end
+      rules << :read_group if can_read_group?(user, group)
 
-      # Only group masters and group owners can create new projects in group
+      # Only group masters and group owners can create new projects
       if group.has_master?(user) || group.has_owner?(user) || user.admin?
         rules += [
           :create_projects,
@@ -292,13 +290,23 @@ class Ability
         rules += [
           :admin_group,
           :admin_namespace,
-          :admin_group_member
+          :admin_group_member,
+          :change_visibility_level
         ]
       end
 
       rules.flatten
     end
 
+    def can_read_group?(user, group)
+      return true if user.admin?
+      return true if group.public?
+      return true if group.internal? && !user.external?
+      return true if group.users.include?(user)
+
+      GroupProjectsFinder.new(group).execute(user).any?
+    end
+
     def namespace_abilities(user, namespace)
       rules = []
 
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index 269056e0e77..c4879598c4e 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -18,6 +18,7 @@
 #  max_attachment_size               :integer          default(10), not null
 #  default_project_visibility        :integer
 #  default_snippet_visibility        :integer
+#  default_group_visibility          :integer
 #  restricted_signup_domains         :text
 #  user_oauth_applications           :boolean          default(TRUE)
 #  after_sign_out_path               :string(255)
diff --git a/app/models/group.rb b/app/models/group.rb
index 9919ca112dc..b332601c59b 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -2,15 +2,16 @@
 #
 # Table name: namespaces
 #
-#  id          :integer          not null, primary key
-#  name        :string(255)      not null
-#  path        :string(255)      not null
-#  owner_id    :integer
-#  created_at  :datetime
-#  updated_at  :datetime
-#  type        :string(255)
-#  description :string(255)      default(""), not null
-#  avatar      :string(255)
+#  id                     :integer          not null, primary key
+#  name                   :string(255)      not null
+#  path                   :string(255)      not null
+#  owner_id               :integer
+#  visibility_level       :integer          default(20), not null
+#  created_at             :datetime
+#  updated_at             :datetime
+#  type                   :string(255)
+#  description            :string(255)      default(""), not null
+#  avatar                 :string(255)
 #
 
 require 'carrierwave/orm/activerecord'
@@ -18,6 +19,7 @@ require 'file_size_validator'
 
 class Group < Namespace
   include Gitlab::ConfigHelper
+  include Gitlab::VisibilityLevel
   include Referable
 
   has_many :group_members, dependent: :destroy, as: :source, class_name: 'GroupMember'
@@ -27,6 +29,8 @@ class Group < Namespace
   has_many :shared_projects, through: :project_group_links, source: :project
 
   validate :avatar_type, if: ->(user) { user.avatar.present? && user.avatar_changed? }
+  validate :visibility_level_allowed_by_projects
+
   validates :avatar, file_size: { maximum: 200.kilobytes.to_i }
 
   mount_uploader :avatar, AvatarUploader
@@ -74,6 +78,21 @@ class Group < Namespace
     name
   end
 
+  def visibility_level_field
+    visibility_level
+  end
+
+  def visibility_level_allowed_by_projects
+    allowed_by_projects = self.projects.where('visibility_level > ?', self.visibility_level).none?
+
+    unless allowed_by_projects
+      level_name = Gitlab::VisibilityLevel.level_name(visibility_level).downcase
+      self.errors.add(:visibility_level, "#{level_name} is not allowed since there are projects with higher visibility.")
+    end
+
+    allowed_by_projects
+  end
+
   def avatar_url(size = nil)
     if avatar.present?
       [gitlab_config.url, avatar.url].join
diff --git a/app/models/issue.rb b/app/models/issue.rb
index ddb51ad5775..f32db59ac9f 100644
--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -36,9 +36,6 @@ class Issue < ActiveRecord::Base
 
   validates :project, presence: true
 
-  scope :of_group,
-    ->(group) { where(project_id: group.projects.select(:id).reorder(nil)) }
-
   scope :cared, ->(user) { where(assignee_id: user) }
   scope :open_for, ->(user) { opened.assigned_to(user) }
   scope :in_projects, ->(project_ids) { where(project_id: project_ids) }
diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb
index a015a9ef394..ef48207f956 100644
--- a/app/models/merge_request.rb
+++ b/app/models/merge_request.rb
@@ -131,7 +131,6 @@ class MergeRequest < ActiveRecord::Base
   validate :validate_branches
   validate :validate_fork
 
-  scope :of_group, ->(group) { where("source_project_id in (:group_project_ids) OR target_project_id in (:group_project_ids)", group_project_ids: group.projects.select(:id).reorder(nil)) }
   scope :by_branch, ->(branch_name) { where("(source_branch LIKE :branch) OR (target_branch LIKE :branch)", branch: branch_name) }
   scope :cared, ->(user) { where('assignee_id = :user OR author_id = :user', user: user.id) }
   scope :by_milestone, ->(milestone) { where(milestone_id: milestone) }
diff --git a/app/models/project.rb b/app/models/project.rb
index bc1542183c2..9c8246e8ac0 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -73,7 +73,7 @@ class Project < ActiveRecord::Base
     update_column(:last_activity_at, self.created_at)
   end
 
-  # update visibility_levet of forks
+  # update visibility_level of forks
   after_update :update_forks_visibility_level
   def update_forks_visibility_level
     return unless visibility_level < visibility_level_was
@@ -197,6 +197,8 @@ class Project < ActiveRecord::Base
   validate :avatar_type,
     if: ->(project) { project.avatar.present? && project.avatar_changed? }
   validates :avatar, file_size: { maximum: 200.kilobytes.to_i }
+  validate :visibility_level_allowed_by_group
+  validate :visibility_level_allowed_as_fork
 
   add_authentication_token_field :runners_token
   before_save :ensure_runners_token
@@ -215,8 +217,6 @@ class Project < ActiveRecord::Base
   scope :in_group_namespace, -> { joins(:group) }
   scope :personal, ->(user) { where(namespace_id: user.namespace_id) }
   scope :joined, ->(user) { where('namespace_id != ?', user.namespace_id) }
-  scope :public_only, -> { where(visibility_level: Project::PUBLIC) }
-  scope :public_and_internal_only, -> { where(visibility_level: Project.public_and_internal_levels) }
   scope :non_archived, -> { where(archived: false) }
   scope :for_milestones, ->(ids) { joins(:milestones).where('milestones.id' => ids).distinct }
 
@@ -246,10 +246,6 @@ class Project < ActiveRecord::Base
   end
 
   class << self
-    def public_and_internal_levels
-      [Project::PUBLIC, Project::INTERNAL]
-    end
-
     def abandoned
       where('projects.last_activity_at < ?', 6.months.ago)
     end
@@ -443,10 +439,25 @@ class Project < ActiveRecord::Base
 
   def check_limit
     unless creator.can_create_project? or namespace.kind == 'group'
-      errors[:limit_reached] << ("Your project limit is #{creator.projects_limit} projects! Please contact your administrator to increase it")
+      self.errors.add(:limit_reached, "Your project limit is #{creator.projects_limit} projects! Please contact your administrator to increase it")
     end
   rescue
-    errors[:base] << ("Can't check your ability to create project")
+    self.errors.add(:base, "Can't check your ability to create project")
+  end
+
+  def visibility_level_allowed_by_group
+    return if visibility_level_allowed_by_group?
+
+    level_name = Gitlab::VisibilityLevel.level_name(self.visibility_level).downcase
+    group_level_name = Gitlab::VisibilityLevel.level_name(self.group.visibility_level).downcase
+    self.errors.add(:visibility_level, "#{level_name} is not allowed in a #{group_level_name} group.")
+  end
+
+  def visibility_level_allowed_as_fork
+    return if visibility_level_allowed_as_fork?
+
+    level_name = Gitlab::VisibilityLevel.level_name(self.visibility_level).downcase
+    self.errors.add(:visibility_level, "#{level_name} is not allowed since the fork source project has lower visibility.")
   end
 
   def to_param
@@ -962,9 +973,25 @@ class Project < ActiveRecord::Base
     issues.opened.count
   end
 
-  def visibility_level_allowed?(level)
+  def visibility_level_allowed_as_fork?(level = self.visibility_level)
     return true unless forked?
-    Gitlab::VisibilityLevel.allowed_fork_levels(forked_from_project.visibility_level).include?(level.to_i)
+
+    # self.forked_from_project will be nil before the project is saved, so
+    # we need to go through the relation
+    original_project = forked_project_link.forked_from_project
+    return true unless original_project
+
+    level <= original_project.visibility_level
+  end
+
+  def visibility_level_allowed_by_group?(level = self.visibility_level)
+    return true unless group
+
+    level <= group.visibility_level
+  end
+
+  def visibility_level_allowed?(level = self.visibility_level)
+    visibility_level_allowed_as_fork?(level) && visibility_level_allowed_by_group?(level)
   end
 
   def runners_token
diff --git a/app/services/base_service.rb b/app/services/base_service.rb
index 8563633816c..0d55ba5a981 100644
--- a/app/services/base_service.rb
+++ b/app/services/base_service.rb
@@ -43,12 +43,9 @@ class BaseService
   def deny_visibility_level(model, denied_visibility_level = nil)
     denied_visibility_level ||= model.visibility_level
 
-    level_name = Gitlab::VisibilityLevel.level_name(denied_visibility_level)
+    level_name = Gitlab::VisibilityLevel.level_name(denied_visibility_level).downcase
 
-    model.errors.add(
-      :visibility_level,
-      "#{level_name} visibility has been restricted by your GitLab administrator"
-    )
+    model.errors.add(:visibility_level, "#{level_name} has been restricted by your GitLab administrator")
   end
 
   private
diff --git a/app/services/create_snippet_service.rb b/app/services/create_snippet_service.rb
index 101a3df5eee..9884cb96661 100644
--- a/app/services/create_snippet_service.rb
+++ b/app/services/create_snippet_service.rb
@@ -6,8 +6,7 @@ class CreateSnippetService < BaseService
       snippet = project.snippets.build(params)
     end
 
-    unless Gitlab::VisibilityLevel.allowed_for?(current_user,
-                                                params[:visibility_level])
+    unless Gitlab::VisibilityLevel.allowed_for?(current_user, params[:visibility_level])
       deny_visibility_level(snippet)
       return snippet
     end
diff --git a/app/services/groups/base_service.rb b/app/services/groups/base_service.rb
new file mode 100644
index 00000000000..a8fa098246a
--- /dev/null
+++ b/app/services/groups/base_service.rb
@@ -0,0 +1,9 @@
+module Groups
+  class BaseService < ::BaseService
+    attr_accessor :group, :current_user, :params
+
+    def initialize(group, user, params = {})
+      @group, @current_user, @params = group, user, params.dup
+    end
+  end
+end
diff --git a/app/services/groups/create_service.rb b/app/services/groups/create_service.rb
new file mode 100644
index 00000000000..2bccd584dde
--- /dev/null
+++ b/app/services/groups/create_service.rb
@@ -0,0 +1,21 @@
+module Groups
+  class CreateService < Groups::BaseService
+    def initialize(user, params = {})
+      @current_user, @params = user, params.dup
+    end
+
+    def execute
+      @group = Group.new(params)
+
+      unless Gitlab::VisibilityLevel.allowed_for?(current_user, params[:visibility_level])
+        deny_visibility_level(@group)
+        return @group
+      end
+
+      @group.name ||= @group.path.dup
+      @group.save
+      @group.add_owner(current_user)
+      @group
+    end
+  end
+end
diff --git a/app/services/groups/update_service.rb b/app/services/groups/update_service.rb
new file mode 100644
index 00000000000..99ad12b1003
--- /dev/null
+++ b/app/services/groups/update_service.rb
@@ -0,0 +1,20 @@
+module Groups
+  class UpdateService < Groups::BaseService
+    def execute
+      # check that user is allowed to set specified visibility_level
+      new_visibility = params[:visibility_level]
+      if new_visibility && new_visibility.to_i != group.visibility_level
+        unless can?(current_user, :change_visibility_level, group) &&
+          Gitlab::VisibilityLevel.allowed_for?(current_user, new_visibility)
+
+          deny_visibility_level(group, new_visibility)
+          return group
+        end
+      end
+
+      group.assign_attributes(params)
+
+      group.save
+    end
+  end
+end
diff --git a/app/services/projects/create_service.rb b/app/services/projects/create_service.rb
index a6820183bee..501e58c1407 100644
--- a/app/services/projects/create_service.rb
+++ b/app/services/projects/create_service.rb
@@ -9,10 +9,8 @@ module Projects
 
       @project = Project.new(params)
 
-      # Make sure that the user is allowed to use the specified visibility
-      # level
-      unless Gitlab::VisibilityLevel.allowed_for?(current_user,
-                                                  params[:visibility_level])
+      # Make sure that the user is allowed to use the specified visibility level
+      unless Gitlab::VisibilityLevel.allowed_for?(current_user, params[:visibility_level])
         deny_visibility_level(@project)
         return @project
       end
@@ -55,9 +53,7 @@ module Projects
         @project.save
 
         if @project.persisted? && !@project.import?
-          unless @project.create_repository
-            raise 'Failed to create repository'
-          end
+          raise 'Failed to create repository' unless @project.create_repository
         end
       end
 
diff --git a/app/services/projects/update_service.rb b/app/services/projects/update_service.rb
index 895e089bea3..941df08995c 100644
--- a/app/services/projects/update_service.rb
+++ b/app/services/projects/update_service.rb
@@ -3,16 +3,13 @@ module Projects
     def execute
       # check that user is allowed to set specified visibility_level
       new_visibility = params[:visibility_level]
-      if new_visibility
-        if new_visibility.to_i != project.visibility_level
-          unless can?(current_user, :change_visibility_level, project) &&
-            Gitlab::VisibilityLevel.allowed_for?(current_user, new_visibility)
-            deny_visibility_level(project, new_visibility)
-            return project
-          end
+      if new_visibility && new_visibility.to_i != project.visibility_level
+        unless can?(current_user, :change_visibility_level, project) &&
+          Gitlab::VisibilityLevel.allowed_for?(current_user, new_visibility)
+          
+          deny_visibility_level(project, new_visibility)
+          return project
         end
-
-        return false unless visibility_level_allowed?(new_visibility)
       end
 
       new_branch = params[:default_branch]
@@ -27,19 +24,5 @@ module Projects
         end
       end
     end
-
-    private
-
-    def visibility_level_allowed?(level)
-      return true if project.visibility_level_allowed?(level)
-
-      level_name = Gitlab::VisibilityLevel.level_name(level)
-      project.errors.add(
-        :visibility_level,
-        "#{level_name} could not be set as visibility level of this project - parent project settings are more restrictive"
-      )
-
-      false
-    end
   end
 end
diff --git a/app/services/update_snippet_service.rb b/app/services/update_snippet_service.rb
index e9328bb7323..93af8f21972 100644
--- a/app/services/update_snippet_service.rb
+++ b/app/services/update_snippet_service.rb
@@ -9,7 +9,6 @@ class UpdateSnippetService < BaseService
   def execute
     # check that user is allowed to set specified visibility_level
     new_visibility = params[:visibility_level]
-
     if new_visibility && new_visibility.to_i != snippet.visibility_level
       unless Gitlab::VisibilityLevel.allowed_for?(current_user, new_visibility)
         deny_visibility_level(snippet, new_visibility)
diff --git a/app/views/admin/application_settings/_form.html.haml b/app/views/admin/application_settings/_form.html.haml
index b30dfd109ea..0350995d03d 100644
--- a/app/views/admin/application_settings/_form.html.haml
+++ b/app/views/admin/application_settings/_form.html.haml
@@ -19,6 +19,10 @@
       = f.label :default_snippet_visibility, class: 'control-label col-sm-2'
       .col-sm-10
         = render('shared/visibility_radios', model_method: :default_snippet_visibility, form: f, selected_level: @application_setting.default_snippet_visibility, form_model: ProjectSnippet.new)
+    .form-group.group-visibility-level-holder
+      = f.label :default_group_visibility, class: 'control-label col-sm-2'
+      .col-sm-10
+        = render('shared/visibility_radios', model_method: :default_group_visibility, form: f, selected_level: @application_setting.default_group_visibility, form_model: Group.new)
     .form-group
       = f.label :restricted_visibility_levels, class: 'control-label col-sm-2'
       .col-sm-10
diff --git a/app/views/admin/groups/_form.html.haml b/app/views/admin/groups/_form.html.haml
index 198026a1f75..7f2b1cd235d 100644
--- a/app/views/admin/groups/_form.html.haml
+++ b/app/views/admin/groups/_form.html.haml
@@ -10,6 +10,8 @@
     .col-sm-10
       = render 'shared/choose_group_avatar_button', f: f
 
+  = render 'shared/visibility_level', f: f, visibility_level: @group.visibility_level, can_change_visibility_level: can_change_group_visibility_level?(@group), form_model: @group
+
   - if @group.new_record?
     .form-group
       .col-sm-offset-2.col-sm-10
diff --git a/app/views/admin/groups/index.html.haml b/app/views/admin/groups/index.html.haml
index 118d3cfea07..6bdc885a312 100644
--- a/app/views/admin/groups/index.html.haml
+++ b/app/views/admin/groups/index.html.haml
@@ -46,6 +46,9 @@
 
         %h4
           = link_to [:admin, group] do
+            %span{ class: visibility_level_color(group.visibility_level) }
+              = visibility_level_icon(group.visibility_level)
+
             %i.fa.fa-folder
             = group.name
 
diff --git a/app/views/admin/groups/show.html.haml b/app/views/admin/groups/show.html.haml
index 264fa1bf0cd..f309e80a39a 100644
--- a/app/views/admin/groups/show.html.haml
+++ b/app/views/admin/groups/show.html.haml
@@ -28,6 +28,11 @@
             = @group.description
 
         %li
+          %span.light Visibility level:
+          %strong
+            = visibility_level_label(@group.visibility_level)
+
+        %li
           %span.light Created on:
           %strong
             = @group.created_at.to_s(:medium)
diff --git a/app/views/admin/projects/show.html.haml b/app/views/admin/projects/show.html.haml
index d734e60682a..c638c32a654 100644
--- a/app/views/admin/projects/show.html.haml
+++ b/app/views/admin/projects/show.html.haml
@@ -52,7 +52,7 @@
           %li
             %span.light fs:
             %strong
-              = @repository.path_to_repo
+              = @project.repository.path_to_repo
 
           %li
             %span.light Size
diff --git a/app/views/events/event/_common.html.haml b/app/views/events/event/_common.html.haml
index e9e16a7646f..c994e3b997d 100644
--- a/app/views/events/event/_common.html.haml
+++ b/app/views/events/event/_common.html.haml
@@ -4,7 +4,7 @@
     = event_action_name(event)
 
   - if event.target
-    %strong= link_to event.target.to_reference, [event.project.namespace.becomes(Namespace), event.project, event.target]
+    %strong= link_to event.target.reference_link_text, [event.project.namespace.becomes(Namespace), event.project, event.target]
 
   = event_preposition(event)
 
diff --git a/app/views/groups/edit.html.haml b/app/views/groups/edit.html.haml
index 83936d39b16..ea5a0358392 100644
--- a/app/views/groups/edit.html.haml
+++ b/app/views/groups/edit.html.haml
@@ -23,6 +23,8 @@
             %hr
             = link_to 'Remove avatar', group_avatar_path(@group.to_param), data: { confirm: "Group avatar will be removed. Are you sure?"}, method: :delete, class: "btn btn-remove btn-sm remove-avatar"
 
+      = render 'shared/visibility_level', f: f, visibility_level: @group.visibility_level, can_change_visibility_level: can_change_group_visibility_level?(@group), form_model: @group
+
       .form-group
         %hr
         = f.label :share_with_group_lock, class: 'control-label' do
@@ -32,6 +34,7 @@
             = f.check_box :share_with_group_lock
             %span.descr Prevent sharing a project with another group within this group
 
+
       .form-actions
         = f.submit 'Save group', class: "btn btn-save"
 
diff --git a/app/views/groups/new.html.haml b/app/views/groups/new.html.haml
index 4bc31cabea6..30ab8aeba13 100644
--- a/app/views/groups/new.html.haml
+++ b/app/views/groups/new.html.haml
@@ -17,6 +17,8 @@
     .col-sm-10
       = render 'shared/choose_group_avatar_button', f: f
 
+  = render 'shared/visibility_level', f: f, visibility_level: default_group_visibility, can_change_visibility_level: true, form_model: @group
+
   .form-group
     .col-sm-offset-2.col-sm-10
       = render 'shared/group_tips'
diff --git a/app/views/groups/show.html.haml b/app/views/groups/show.html.haml
index 23a34ac36dd..820743dc8dd 100644
--- a/app/views/groups/show.html.haml
+++ b/app/views/groups/show.html.haml
@@ -1,8 +1,5 @@
 - @no_container = true
 
-- unless can?(current_user, :read_group, @group)
-  - @disable_search_panel = true
-
 = content_for :meta_tags do
   - if current_user
     = auto_discovery_link_tag(:atom, group_url(@group, format: :atom, private_token: current_user.private_token), title: "#{@group.name} activity")
@@ -18,7 +15,10 @@
     = link_to group_icon(@group), target: '_blank' do
       = image_tag group_icon(@group), class: "avatar group-avatar s90"
   .cover-title
-    = @group.name
+    %h1
+      = @group.name
+      %span.visibility-icon.has_tooltip{ data: { container: 'body' }, title: visibility_icon_description(@group) }
+        = visibility_level_icon(@group.visibility_level, fw: false)
 
   .cover-desc.username
     @#{@group.path}
@@ -27,34 +27,29 @@
     .cover-desc.description
       = markdown(@group.description, pipeline: :description)
 
-- if can?(current_user, :read_group, @group)
-  %div{ class: container_class }
-    .top-area
-      %ul.nav-links
-        %li.active
-          = link_to "#projects", 'data-toggle' => 'tab' do
-            All Projects
-        - if @shared_projects.present?
-          %li
-            = link_to "#shared", 'data-toggle' => 'tab' do
-              Shared Projects
-      .nav-controls
-        = form_tag request.original_url, method: :get, class: 'project-filter-form', id: 'project-filter-form' do |f|
-          = search_field_tag :filter_projects, nil, placeholder: 'Filter by name', class: 'projects-list-filter form-control', spellcheck: false
-        = render 'shared/projects/dropdown'
-        - if can? current_user, :create_projects, @group
-          = link_to new_project_path(namespace_id: @group.id), class: 'btn btn-new pull-right' do
-            = icon('plus')
-            New Project
-
-    .tab-content
-      .tab-pane.active#projects
-        = render "projects", projects: @projects
-
+%div{ class: container_class }
+  .top-area
+    %ul.nav-links
+      %li.active
+        = link_to "#projects", 'data-toggle' => 'tab' do
+          All Projects
       - if @shared_projects.present?
-        .tab-pane#shared
-          = render "shared_projects", projects: @shared_projects
-
-- else
-  %p.nav-links.no-top
-    No projects to show
+        %li
+          = link_to "#shared", 'data-toggle' => 'tab' do
+            Shared Projects
+    .nav-controls
+      = form_tag request.original_url, method: :get, class: 'project-filter-form', id: 'project-filter-form' do |f|
+        = search_field_tag :filter_projects, nil, placeholder: 'Filter by name', class: 'projects-list-filter form-control', spellcheck: false
+      = render 'shared/projects/dropdown'
+      - if can? current_user, :create_projects, @group
+        = link_to new_project_path(namespace_id: @group.id), class: 'btn btn-new pull-right' do
+          = icon('plus')
+          New Project
+
+  .tab-content
+    .tab-pane.active#projects
+      = render "projects", projects: @projects
+
+    - if @shared_projects.present?
+      .tab-pane#shared
+        = render "shared_projects", projects: @shared_projects
diff --git a/app/views/layouts/header/_default.html.haml b/app/views/layouts/header/_default.html.haml
index f3090b96702..bfa5937cf3f 100644
--- a/app/views/layouts/header/_default.html.haml
+++ b/app/views/layouts/header/_default.html.haml
@@ -7,9 +7,8 @@
 
       .navbar-collapse.collapse
         %ul.nav.navbar-nav.pull-right
-          - unless @disable_search_panel
-            %li.hidden-sm.hidden-xs
-              = render 'layouts/search'
+          %li.hidden-sm.hidden-xs
+            = render 'layouts/search'
           %li.visible-sm.visible-xs
             = link_to search_path, title: 'Search', data: {toggle: 'tooltip', placement: 'bottom', container: 'body'} do
               = icon('search')
diff --git a/app/views/layouts/nav/_group.html.haml b/app/views/layouts/nav/_group.html.haml
index 59411ae1da1..55940741dc0 100644
--- a/app/views/layouts/nav/_group.html.haml
+++ b/app/views/layouts/nav/_group.html.haml
@@ -12,40 +12,38 @@
       = icon('group fw')
       %span
         Group
-  - if can?(current_user, :read_group, @group)
-    = nav_link(path: 'groups#activity') do
-      = link_to activity_group_path(@group), title: 'Activity' do
-        = icon('dashboard fw')
-        %span
-          Activity
-    - if current_user
-      = nav_link(controller: [:group, :milestones]) do
-        = link_to group_milestones_path(@group), title: 'Milestones' do
-          = icon('clock-o fw')
-          %span
-            Milestones
-    = nav_link(path: 'groups#issues') do
-      = link_to issues_group_path(@group), title: 'Issues' do
-        = icon('exclamation-circle fw')
-        %span
-          Issues
-          - if current_user
-            %span.count= number_with_delimiter(Issue.opened.of_group(@group).count)
-    = nav_link(path: 'groups#merge_requests') do
-      = link_to merge_requests_group_path(@group), title: 'Merge Requests' do
-        = icon('tasks fw')
-        %span
-          Merge Requests
-          - if current_user
-            %span.count= number_with_delimiter(MergeRequest.opened.of_group(@group).count)
-    = nav_link(controller: [:group_members]) do
-      = link_to group_group_members_path(@group), title: 'Members' do
-        = icon('users fw')
+  = nav_link(path: 'groups#activity') do
+    = link_to activity_group_path(@group), title: 'Activity' do
+      = icon('dashboard fw')
+      %span
+        Activity
+  = nav_link(controller: [:group, :milestones]) do
+    = link_to group_milestones_path(@group), title: 'Milestones' do
+      = icon('clock-o fw')
+      %span
+        Milestones
+  = nav_link(path: 'groups#issues') do
+    = link_to issues_group_path(@group), title: 'Issues' do
+      = icon('exclamation-circle fw')
+      %span
+        Issues
+        - issues = IssuesFinder.new(current_user, group_id: @group.id, state: 'opened').execute
+        %span.count= number_with_delimiter(issues.count)
+  = nav_link(path: 'groups#merge_requests') do
+    = link_to merge_requests_group_path(@group), title: 'Merge Requests' do
+      = icon('tasks fw')
+      %span
+        Merge Requests
+        - merge_requests = MergeRequestsFinder.new(current_user, group_id: @group.id, state: 'opened').execute
+        %span.count= number_with_delimiter(merge_requests.count)
+  = nav_link(controller: [:group_members]) do
+    = link_to group_group_members_path(@group), title: 'Members' do
+      = icon('users fw')
+      %span
+        Members
+  - if can?(current_user, :admin_group, @group)
+    = nav_link(html_options: { class: "separate-item" }) do
+      = link_to edit_group_path(@group), title: 'Settings' do
+        = icon ('cogs fw')
         %span
-          Members
-    - if can?(current_user, :admin_group, @group)
-      = nav_link(html_options: { class: "separate-item" }) do
-        = link_to edit_group_path(@group), title: 'Settings' do
-          = icon ('cogs fw')
-          %span
-            Settings
+          Settings
diff --git a/app/views/projects/_home_panel.html.haml b/app/views/projects/_home_panel.html.haml
index 62f3b9b8d34..514cbfa339d 100644
--- a/app/views/projects/_home_panel.html.haml
+++ b/app/views/projects/_home_panel.html.haml
@@ -2,21 +2,21 @@
 .project-home-panel.cover-block.clearfix{:class => ("empty-project" if empty_repo)}
   .project-identicon-holder
     = project_icon(@project, alt: '', class: 'project-avatar avatar s90')
-  .project-home-desc
+  .cover-title.project-home-desc
     %h1
       = @project.name
-      %span.visibility-icon.has-tooltip{data: { container: 'body' },
-        title: "#{visibility_level_label(@project.visibility_level)} - #{project_visibility_level_description(@project.visibility_level)}"}
+      %span.visibility-icon.has_tooltip{data: { container: 'body' }, title: visibility_icon_description(@project)}
         = visibility_level_icon(@project.visibility_level, fw: false)
 
-    - if @project.description.present?
+  - if @project.description.present?
+    .cover-desc.project-home-desc
       = markdown(@project.description, pipeline: :description)
 
-    - if forked_from_project = @project.forked_from_project
-      %p
-        Forked from
-        = link_to project_path(forked_from_project) do
-          = forked_from_project.namespace.try(:name)
+  - if forked_from_project = @project.forked_from_project
+    .cover-desc
+      Forked from
+      = link_to project_path(forked_from_project) do
+        = forked_from_project.namespace.try(:name)
 
   .cover-controls
     - if current_user
diff --git a/app/views/shared/_group_tips.html.haml b/app/views/shared/_group_tips.html.haml
index e5cf783beb7..46e4340511a 100644
--- a/app/views/shared/_group_tips.html.haml
+++ b/app/views/shared/_group_tips.html.haml
@@ -1,6 +1,5 @@
 %ul
   %li A group is a collection of several projects
-  %li Groups are private by default
   %li Members of a group may only view projects they have permission to access
   %li Group project URLs are prefixed with the group namespace
   %li Existing projects may be moved into a group
diff --git a/app/views/shared/groups/_group.html.haml b/app/views/shared/groups/_group.html.haml
index ec8763f4bd7..66b7ef99650 100644
--- a/app/views/shared/groups/_group.html.haml
+++ b/app/views/shared/groups/_group.html.haml
@@ -21,6 +21,9 @@
       = icon('users')
       = number_with_delimiter(group.users.count)
 
+    %span.visibility-icon.has_tooltip{data: { container: 'body', placement: 'left' }, title: visibility_icon_description(group)}
+      = visibility_level_icon(group.visibility_level, fw: false)
+
   = image_tag group_icon(group), class: "avatar s40 hidden-xs"
   .title
     = link_to group, class: 'group-name' do
diff --git a/app/views/shared/projects/_project.html.haml b/app/views/shared/projects/_project.html.haml
index 6f9fbcc00a7..803dd95bc65 100644
--- a/app/views/shared/projects/_project.html.haml
+++ b/app/views/shared/projects/_project.html.haml
@@ -27,8 +27,7 @@
         %span
           = icon('star')
           = project.star_count
-      %span.visibility-icon.has-tooltip{data: { container: 'body', placement: 'left' },
-        title: "#{visibility_level_label(project.visibility_level)} - #{project_visibility_level_description(project.visibility_level)}"}
+      %span.visibility-icon.has_tooltip{data: { container: 'body', placement: 'left' }, title: visibility_icon_description(project)}
         = visibility_level_icon(project.visibility_level, fw: false)
 
     .title
diff --git a/db/migrate/20160301124843_add_visibility_level_to_groups.rb b/db/migrate/20160301124843_add_visibility_level_to_groups.rb
new file mode 100644
index 00000000000..d1b921bb208
--- /dev/null
+++ b/db/migrate/20160301124843_add_visibility_level_to_groups.rb
@@ -0,0 +1,29 @@
+class AddVisibilityLevelToGroups < ActiveRecord::Migration
+  def up
+    add_column :namespaces, :visibility_level, :integer, null: false, default: Gitlab::VisibilityLevel::PUBLIC
+    add_index :namespaces, :visibility_level
+
+    # Unfortunately, this is needed on top of the `default`, since we don't want the configuration specific
+    # `allowed_visibility_level` to end up in schema.rb
+    if allowed_visibility_level < Gitlab::VisibilityLevel::PUBLIC
+      execute("UPDATE namespaces SET visibility_level = #{allowed_visibility_level}")
+    end
+  end
+
+  def down
+    remove_column :namespaces, :visibility_level
+  end
+
+  private
+
+  def allowed_visibility_level
+    application_settings = select_one("SELECT restricted_visibility_levels FROM application_settings ORDER BY id DESC LIMIT 1")
+    if application_settings
+      restricted_visibility_levels = YAML.safe_load(application_settings["restricted_visibility_levels"]) rescue nil
+    end
+    restricted_visibility_levels ||= []
+
+    allowed_levels = Gitlab::VisibilityLevel.values - restricted_visibility_levels
+    allowed_levels.max
+  end
+end
diff --git a/db/migrate/20160308212903_add_default_group_visibility_to_application_settings.rb b/db/migrate/20160308212903_add_default_group_visibility_to_application_settings.rb
new file mode 100644
index 00000000000..75de5f70fa2
--- /dev/null
+++ b/db/migrate/20160308212903_add_default_group_visibility_to_application_settings.rb
@@ -0,0 +1,29 @@
+# Create visibility level field on DB
+# Sets default_visibility_level to value on settings if not restricted
+# If value is restricted takes higher visibility level allowed
+
+class AddDefaultGroupVisibilityToApplicationSettings < ActiveRecord::Migration
+  def up
+    add_column :application_settings, :default_group_visibility, :integer
+    # Unfortunately, this can't be a `default`, since we don't want the configuration specific
+    # `allowed_visibility_level` to end up in schema.rb
+    execute("UPDATE application_settings SET default_group_visibility = #{allowed_visibility_level}")
+  end
+
+  def down
+    remove_column :application_settings, :default_group_visibility
+  end
+
+  private
+
+  def allowed_visibility_level
+    application_settings = select_one("SELECT restricted_visibility_levels FROM application_settings ORDER BY id DESC LIMIT 1")
+    if application_settings
+      restricted_visibility_levels = YAML.safe_load(application_settings["restricted_visibility_levels"]) rescue nil
+    end
+    restricted_visibility_levels ||= []
+
+    allowed_levels = Gitlab::VisibilityLevel.values - restricted_visibility_levels
+    allowed_levels.max
+  end
+end
diff --git a/db/migrate/20160320204112_index_namespaces_on_visibility_level.rb b/db/migrate/20160320204112_index_namespaces_on_visibility_level.rb
new file mode 100644
index 00000000000..b3145443497
--- /dev/null
+++ b/db/migrate/20160320204112_index_namespaces_on_visibility_level.rb
@@ -0,0 +1,5 @@
+class IndexNamespacesOnVisibilityLevel < ActiveRecord::Migration
+  def change
+    add_index :namespaces, :visibility_level
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 692f8e0616a..dce2bfe62ca 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20160317092222) do
+ActiveRecord::Schema.define(version: 20160320204112) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -77,6 +77,7 @@ ActiveRecord::Schema.define(version: 20160317092222) do
     t.boolean  "akismet_enabled",                   default: false
     t.string   "akismet_api_key"
     t.boolean  "email_author_in_body",              default: false
+    t.integer  "default_group_visibility"
   end
 
   create_table "audit_events", force: :cascade do |t|
@@ -595,6 +596,7 @@ ActiveRecord::Schema.define(version: 20160317092222) do
     t.string   "description",           default: "",    null: false
     t.string   "avatar"
     t.boolean  "share_with_group_lock", default: false
+    t.integer  "visibility_level",      default: 20,    null: false
   end
 
   add_index "namespaces", ["created_at", "id"], name: "index_namespaces_on_created_at_and_id", using: :btree
@@ -604,6 +606,7 @@ ActiveRecord::Schema.define(version: 20160317092222) do
   add_index "namespaces", ["path"], name: "index_namespaces_on_path", unique: true, using: :btree
   add_index "namespaces", ["path"], name: "index_namespaces_on_path_trigram", using: :gin, opclasses: {"path"=>"gin_trgm_ops"}
   add_index "namespaces", ["type"], name: "index_namespaces_on_type", using: :btree
+  add_index "namespaces", ["visibility_level"], name: "index_namespaces_on_visibility_level", using: :btree
 
   create_table "notes", force: :cascade do |t|
     t.text     "note"
diff --git a/doc/api/groups.md b/doc/api/groups.md
index d47e79ba47f..d1b5c9f5f04 100644
--- a/doc/api/groups.md
+++ b/doc/api/groups.md
@@ -111,6 +111,7 @@ Parameters:
 - `name` (required) - The name of the group

 - `path` (required) - The path of the group

 - `description` (optional) - The group's description

+- `visibility_level` (optional) - The group's visibility. 0 for private, 10 for internal, 20 for public.

 

 ## Transfer project to group

 

diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 71197205f34..197e826e5bc 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -85,7 +85,7 @@ module API
     end
 
     class Group < Grape::Entity
-      expose :id, :name, :path, :description
+      expose :id, :name, :path, :description, :visibility_level
       expose :avatar_url
 
       expose :web_url do |group, options|
@@ -340,6 +340,7 @@ module API
       expose :session_expire_delay
       expose :default_project_visibility
       expose :default_snippet_visibility
+      expose :default_group_visibility
       expose :restricted_signup_domains
       expose :user_oauth_applications
       expose :after_sign_out_path
diff --git a/lib/api/groups.rb b/lib/api/groups.rb
index 1a14d870a4a..c165de21a75 100644
--- a/lib/api/groups.rb
+++ b/lib/api/groups.rb
@@ -31,7 +31,7 @@ module API
         authorize! :create_group, current_user
         required_attributes! [:name, :path]
 
-        attrs = attributes_for_keys [:name, :path, :description]
+        attrs = attributes_for_keys [:name, :path, :description, :visibility_level]
         @group = Group.new(attrs)
 
         if @group.save
diff --git a/lib/gitlab/visibility_level.rb b/lib/gitlab/visibility_level.rb
index 3160a3c7582..a1ee1cba216 100644
--- a/lib/gitlab/visibility_level.rb
+++ b/lib/gitlab/visibility_level.rb
@@ -6,6 +6,14 @@
 module Gitlab
   module VisibilityLevel
     extend CurrentSettings
+    extend ActiveSupport::Concern
+
+    included do
+      scope :public_only,               -> { where(visibility_level: PUBLIC) }
+      scope :public_and_internal_only,  -> { where(visibility_level: [PUBLIC, INTERNAL] ) }
+
+      scope :public_to_user, -> (user) { user && !user.external ? public_and_internal_only : public_only }
+    end
 
     PRIVATE  = 0 unless const_defined?(:PRIVATE)
     INTERNAL = 10 unless const_defined?(:INTERNAL)
@@ -48,10 +56,6 @@ module Gitlab
         options.has_value?(level)
       end
 
-      def allowed_fork_levels(origin_level)
-        [PRIVATE, INTERNAL, PUBLIC].select{ |level| level <= origin_level }
-      end
-
       def level_name(level)
         level_name = 'Unknown'
         options.each do |name, lvl|
diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb
index 55851befc8c..186239d3096 100644
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -30,44 +30,4 @@ describe ApplicationController do
       controller.send(:check_password_expiration)
     end
   end
-
-  describe 'check labels authorization' do
-    let(:project) { create(:project) }
-    let(:user) { create(:user) }
-    let(:controller) { ApplicationController.new }
-
-    before do
-      project.team << [user, :guest]
-      allow(controller).to receive(:current_user).and_return(user)
-      allow(controller).to receive(:project).and_return(project)
-    end
-
-    it 'should succeed if issues and MRs are enabled' do
-      project.issues_enabled = true
-      project.merge_requests_enabled = true
-      controller.send(:authorize_read_label!)
-      expect(response.status).to eq(200)
-    end
-
-    it 'should succeed if issues are enabled, MRs are disabled' do
-      project.issues_enabled = true
-      project.merge_requests_enabled = false
-      controller.send(:authorize_read_label!)
-      expect(response.status).to eq(200)
-    end
-
-    it 'should succeed if issues are disabled, MRs are enabled' do
-      project.issues_enabled = false
-      project.merge_requests_enabled = true
-      controller.send(:authorize_read_label!)
-      expect(response.status).to eq(200)
-    end
-
-    it 'should fail if issues and MRs are disabled' do
-      project.issues_enabled = false
-      project.merge_requests_enabled = false
-      expect(controller).to receive(:access_denied!)
-      controller.send(:authorize_read_label!)
-    end
-  end
 end
diff --git a/spec/controllers/groups/avatars_controller_spec.rb b/spec/controllers/groups/avatars_controller_spec.rb
index 3dac134a731..91d639218e5 100644
--- a/spec/controllers/groups/avatars_controller_spec.rb
+++ b/spec/controllers/groups/avatars_controller_spec.rb
@@ -2,9 +2,10 @@ require 'spec_helper'
 
 describe Groups::AvatarsController do
   let(:user)  { create(:user) }
-  let(:group) { create(:group, owner: user, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }
+  let(:group) { create(:group, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }
 
   before do
+    group.add_owner(user)
     sign_in(user)
   end
 
diff --git a/spec/controllers/namespaces_controller_spec.rb b/spec/controllers/namespaces_controller_spec.rb
index 77436958711..27e9afe582e 100644
--- a/spec/controllers/namespaces_controller_spec.rb
+++ b/spec/controllers/namespaces_controller_spec.rb
@@ -15,14 +15,9 @@ describe NamespacesController do
     end
 
     context "when the namespace belongs to a group" do
-      let!(:group) { create(:group) }
-      let!(:project) { create(:project, namespace: group) }
-
-      context "when the group has public projects" do
-        before do
-          project.update_attribute(:visibility_level, Project::PUBLIC)
-        end
+      let!(:group)   { create(:group) }
 
+      context "when the group is public" do
         context "when not signed in" do
           it "redirects to the group's page" do
             get :show, id: group.path
@@ -44,27 +39,31 @@ describe NamespacesController do
         end
       end
 
-      context "when the project doesn't have public projects" do
+      context "when the group is private" do
+        before do
+          group.update_attribute(:visibility_level, Group::PRIVATE)
+        end
+
         context "when not signed in" do
-          it "does not redirect to the sign in page" do
+          it "redirects to the sign in page" do
             get :show, id: group.path
-            expect(response).not_to redirect_to(new_user_session_path)
+            expect(response).to redirect_to(new_user_session_path)
           end
         end
+
         context "when signed in" do
           before do
             sign_in(user)
           end
 
-          context "when the user has access to the project" do
+          context "when the user has access to the group" do
             before do
-              project.team << [user, :master]
+              group.add_developer(user)
             end
 
             context "when the user is blocked" do
               before do
                 user.block
-                project.team << [user, :master]
               end
 
               it "redirects to the sign in page" do
@@ -83,11 +82,11 @@ describe NamespacesController do
             end
           end
 
-          context "when the user doesn't have access to the project" do
-            it "redirects to the group's page" do
+          context "when the user doesn't have access to the group" do
+            it "responds with status 404" do
               get :show, id: group.path
 
-              expect(response).to redirect_to(group_path(group))
+              expect(response.status).to eq(404)
             end
           end
         end
diff --git a/spec/controllers/projects/avatars_controller_spec.rb b/spec/controllers/projects/avatars_controller_spec.rb
index e79b46a3504..4d724ca9ed0 100644
--- a/spec/controllers/projects/avatars_controller_spec.rb
+++ b/spec/controllers/projects/avatars_controller_spec.rb
@@ -6,7 +6,7 @@ describe Projects::AvatarsController do
 
   before do
     sign_in(user)
-    project.team << [user, :developer]
+    project.team << [user, :master]
     controller.instance_variable_set(:@project, project)
   end
 
diff --git a/spec/controllers/uploads_controller_spec.rb b/spec/controllers/uploads_controller_spec.rb
index af5d043cf02..73858e6f063 100644
--- a/spec/controllers/uploads_controller_spec.rb
+++ b/spec/controllers/uploads_controller_spec.rb
@@ -30,7 +30,7 @@ describe UploadsController do
           end
         end
       end
-      
+
       context "when not signed in" do
         it "responds with status 200" do
           get :show, model: "user", mounted_as: "avatar", id: user.id, filename: "image.png"
@@ -126,14 +126,9 @@ describe UploadsController do
     end
 
     context "when viewing a group avatar" do
-      let!(:group) { create(:group, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }
-      let!(:project) { create(:project, namespace: group) }
-
-      context "when the group has public projects" do
-        before do
-          project.update_attribute(:visibility_level, Project::PUBLIC)
-        end
+      let!(:group)   { create(:group, avatar: fixture_file_upload(Rails.root + "spec/fixtures/dk.png", "image/png")) }
 
+      context "when the group is public" do
         context "when not signed in" do
           it "responds with status 200" do
             get :show, model: "group", mounted_as: "avatar", id: group.id, filename: "image.png"
@@ -155,7 +150,11 @@ describe UploadsController do
         end
       end
 
-      context "when the project doesn't have public projects" do
+      context "when the group is private" do
+        before do
+          group.update_attribute(:visibility_level, Gitlab::VisibilityLevel::PRIVATE)
+        end
+
         context "when signed in" do
           before do
             sign_in(user)
@@ -163,13 +162,12 @@ describe UploadsController do
 
           context "when the user has access to the project" do
             before do
-              project.team << [user, :master]
+              group.add_developer(user)
             end
 
             context "when the user is blocked" do
               before do
                 user.block
-                project.team << [user, :master]
               end
 
               it "redirects to the sign in page" do
diff --git a/spec/factories/broadcast_messages.rb b/spec/factories/broadcast_messages.rb
index 373ca75467e..c80e7366551 100644
--- a/spec/factories/broadcast_messages.rb
+++ b/spec/factories/broadcast_messages.rb
@@ -15,7 +15,7 @@
 FactoryGirl.define do
   factory :broadcast_message do
     message "MyText"
-    starts_at Date.today
+    starts_at Date.yesterday
     ends_at Date.tomorrow
 
     trait :expired do
diff --git a/spec/factories/groups.rb b/spec/factories/groups.rb
index 4a3a155d7ff..2d47a6f6c4c 100644
--- a/spec/factories/groups.rb
+++ b/spec/factories/groups.rb
@@ -3,5 +3,17 @@ FactoryGirl.define do
     sequence(:name) { |n| "group#{n}" }
     path { name.downcase.gsub(/\s/, '_') }
     type 'Group'
+
+    trait :public do
+      visibility_level Gitlab::VisibilityLevel::PUBLIC
+    end
+
+    trait :internal do
+      visibility_level Gitlab::VisibilityLevel::INTERNAL
+    end
+
+    trait :private do
+      visibility_level Gitlab::VisibilityLevel::PRIVATE
+    end
   end
 end
diff --git a/spec/features/security/group/internal_access_spec.rb b/spec/features/security/group/internal_access_spec.rb
new file mode 100644
index 00000000000..71b783b7276
--- /dev/null
+++ b/spec/features/security/group/internal_access_spec.rb
@@ -0,0 +1,109 @@
+require 'rails_helper'
+
+describe 'Internal Group access', feature: true do
+  include AccessMatchers
+
+  let(:group) { create(:group, :internal) }
+  let(:project) { create(:project, :internal, group: group) }
+
+  let(:owner)     { create(:user) }
+  let(:master)    { create(:user) }
+  let(:developer) { create(:user) }
+  let(:reporter)  { create(:user) }
+  let(:guest)     { create(:user) }
+
+  let(:project_guest) { create(:user) }
+
+  before do
+    group.add_owner(owner)
+    group.add_master(master)
+    group.add_developer(developer)
+    group.add_reporter(reporter)
+    group.add_guest(guest)
+
+    project.team << [project_guest, :guest]
+  end
+
+  describe "Group should be internal" do
+    describe '#internal?' do
+      subject { group.internal? }
+      it { is_expected.to be_truthy }
+    end
+  end
+
+  describe 'GET /groups/:path' do
+    subject { group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for :visitor }
+  end
+
+  describe 'GET /groups/:path/issues' do
+    subject { issues_group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for :visitor }
+  end
+
+  describe 'GET /groups/:path/merge_requests' do
+    subject { merge_requests_group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for :visitor }
+  end
+
+
+  describe 'GET /groups/:path/group_members' do
+    subject { group_group_members_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for :visitor }
+  end
+
+  describe 'GET /groups/:path/edit' do
+    subject { edit_group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_denied_for master }
+    it { is_expected.to be_denied_for developer }
+    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for project_guest }
+    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for :external }
+  end
+end
diff --git a/spec/features/security/group/private_access_spec.rb b/spec/features/security/group/private_access_spec.rb
new file mode 100644
index 00000000000..cc9aee802f9
--- /dev/null
+++ b/spec/features/security/group/private_access_spec.rb
@@ -0,0 +1,109 @@
+require 'rails_helper'
+
+describe 'Private Group access', feature: true do
+  include AccessMatchers
+
+  let(:group) { create(:group, :private) }
+  let(:project) { create(:project, :private, group: group) }
+
+  let(:owner)     { create(:user) }
+  let(:master)    { create(:user) }
+  let(:developer) { create(:user) }
+  let(:reporter)  { create(:user) }
+  let(:guest)     { create(:user) }
+
+  let(:project_guest) { create(:user) }
+
+  before do
+    group.add_owner(owner)
+    group.add_master(master)
+    group.add_developer(developer)
+    group.add_reporter(reporter)
+    group.add_guest(guest)
+
+    project.team << [project_guest, :guest]
+  end
+
+  describe "Group should be private" do
+    describe '#private?' do
+      subject { group.private? }
+      it { is_expected.to be_truthy }
+    end
+  end
+
+  describe 'GET /groups/:path' do
+    subject { group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for :visitor }
+  end
+
+  describe 'GET /groups/:path/issues' do
+    subject { issues_group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for :visitor }
+  end
+
+  describe 'GET /groups/:path/merge_requests' do
+    subject { merge_requests_group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for :visitor }
+  end
+
+
+  describe 'GET /groups/:path/group_members' do
+    subject { group_group_members_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :external }
+    it { is_expected.to be_denied_for :visitor }
+  end
+
+  describe 'GET /groups/:path/edit' do
+    subject { edit_group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_denied_for master }
+    it { is_expected.to be_denied_for developer }
+    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for project_guest }
+    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for :external }
+  end
+end
diff --git a/spec/features/security/group/public_access_spec.rb b/spec/features/security/group/public_access_spec.rb
new file mode 100644
index 00000000000..db986683dbe
--- /dev/null
+++ b/spec/features/security/group/public_access_spec.rb
@@ -0,0 +1,109 @@
+require 'rails_helper'
+
+describe 'Public Group access', feature: true do
+  include AccessMatchers
+
+  let(:group) { create(:group, :public) }
+  let(:project) { create(:project, :public, group: group) }
+
+  let(:owner)     { create(:user) }
+  let(:master)    { create(:user) }
+  let(:developer) { create(:user) }
+  let(:reporter)  { create(:user) }
+  let(:guest)     { create(:user) }
+
+  let(:project_guest) { create(:user) }
+
+  before do
+    group.add_owner(owner)
+    group.add_master(master)
+    group.add_developer(developer)
+    group.add_reporter(reporter)
+    group.add_guest(guest)
+    
+    project.team << [project_guest, :guest]
+  end
+
+  describe "Group should be public" do
+    describe '#public?' do
+      subject { group.public? }
+      it { is_expected.to be_truthy }
+    end
+  end
+
+  describe 'GET /groups/:path' do
+    subject { group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for :visitor }
+  end
+
+  describe 'GET /groups/:path/issues' do
+    subject { issues_group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for :visitor }
+  end
+
+  describe 'GET /groups/:path/merge_requests' do
+    subject { merge_requests_group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for :visitor }
+  end
+
+
+  describe 'GET /groups/:path/group_members' do
+    subject { group_group_members_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
+    it { is_expected.to be_allowed_for reporter }
+    it { is_expected.to be_allowed_for guest }
+    it { is_expected.to be_allowed_for project_guest }
+    it { is_expected.to be_allowed_for :user }
+    it { is_expected.to be_allowed_for :external }
+    it { is_expected.to be_allowed_for :visitor }
+  end
+
+  describe 'GET /groups/:path/edit' do
+    subject { edit_group_path(group) }
+
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
+    it { is_expected.to be_denied_for master }
+    it { is_expected.to be_denied_for developer }
+    it { is_expected.to be_denied_for reporter }
+    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_denied_for project_guest }
+    it { is_expected.to be_denied_for :user }
+    it { is_expected.to be_denied_for :visitor }
+    it { is_expected.to be_denied_for :external }
+  end
+end
diff --git a/spec/features/security/group_access_spec.rb b/spec/features/security/group_access_spec.rb
deleted file mode 100644
index 65f8073c693..00000000000
--- a/spec/features/security/group_access_spec.rb
+++ /dev/null
@@ -1,284 +0,0 @@
-require 'rails_helper'
-
-describe 'Group access', feature: true do
-  include AccessMatchers
-
-  def group
-    @group ||= create(:group)
-  end
-
-  def create_project(access_level)
-    if access_level == :mixed
-      create(:empty_project, :public, group: group)
-      create(:empty_project, :internal, group: group)
-    else
-      create(:empty_project, access_level, group: group)
-    end
-  end
-
-  def group_member(access_level, grp = group())
-    level = Object.const_get("Gitlab::Access::#{access_level.upcase}")
-
-    create(:user).tap do |user|
-      grp.add_user(user, level)
-    end
-  end
-
-  describe 'GET /groups/new' do
-    subject { new_group_path }
-
-    it { is_expected.to be_allowed_for :admin }
-    it { is_expected.to be_allowed_for :user }
-    it { is_expected.to be_denied_for :visitor }
-  end
-
-  describe 'GET /groups/:path' do
-    subject { group_path(group) }
-
-    context 'with public projects' do
-      let!(:project) { create_project(:public) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
-    end
-
-    context 'with mixed projects' do
-      let!(:project) { create_project(:mixed) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
-    end
-
-    context 'with internal projects' do
-      let!(:project) { create_project(:internal) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
-    end
-
-    context 'with no projects' do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
-    end
-  end
-
-  describe 'GET /groups/:path/issues' do
-    subject { issues_group_path(group) }
-
-    context 'with public projects' do
-      let!(:project) { create_project(:public) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
-    end
-
-    context 'with mixed projects' do
-      let!(:project) { create_project(:mixed) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
-    end
-
-    context 'with internal projects' do
-      let!(:project) { create_project(:internal) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_denied_for :visitor }
-    end
-
-    context 'with no projects' do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_denied_for :user }
-      it { is_expected.to be_denied_for :visitor }
-    end
-  end
-
-  describe 'GET /groups/:path/merge_requests' do
-    subject { merge_requests_group_path(group) }
-
-    context 'with public projects' do
-      let!(:project) { create_project(:public) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
-    end
-
-    context 'with mixed projects' do
-      let!(:project) { create_project(:mixed) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
-    end
-
-    context 'with internal projects' do
-      let!(:project) { create_project(:internal) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_denied_for :visitor }
-    end
-
-    context 'with no projects' do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_denied_for :user }
-      it { is_expected.to be_denied_for :visitor }
-    end
-  end
-
-  describe 'GET /groups/:path/group_members' do
-    subject { group_group_members_path(group) }
-
-    context 'with public projects' do
-      let!(:project) { create_project(:public) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
-    end
-
-    context 'with mixed projects' do
-      let!(:project) { create_project(:mixed) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_allowed_for :visitor }
-    end
-
-    context 'with internal projects' do
-      let!(:project) { create_project(:internal) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_allowed_for :user }
-      it { is_expected.to be_denied_for :visitor }
-    end
-
-    context 'with no projects' do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_allowed_for group_member(:master) }
-      it { is_expected.to be_allowed_for group_member(:reporter) }
-      it { is_expected.to be_allowed_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_denied_for :user }
-      it { is_expected.to be_denied_for :visitor }
-    end
-  end
-
-  describe 'GET /groups/:path/edit' do
-    subject { edit_group_path(group) }
-
-    context 'with public projects' do
-      let!(:project) { create_project(:public) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_denied_for group_member(:master) }
-      it { is_expected.to be_denied_for group_member(:reporter) }
-      it { is_expected.to be_denied_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_denied_for :user }
-      it { is_expected.to be_denied_for :visitor }
-    end
-
-    context 'with mixed projects' do
-      let!(:project) { create_project(:mixed) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_denied_for group_member(:master) }
-      it { is_expected.to be_denied_for group_member(:reporter) }
-      it { is_expected.to be_denied_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_denied_for :user }
-      it { is_expected.to be_denied_for :visitor }
-    end
-
-    context 'with internal projects' do
-      let!(:project) { create_project(:internal) }
-
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_denied_for group_member(:master) }
-      it { is_expected.to be_denied_for group_member(:reporter) }
-      it { is_expected.to be_denied_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_denied_for :user }
-      it { is_expected.to be_denied_for :visitor }
-    end
-
-    context 'with no projects' do
-      it { is_expected.to be_allowed_for group_member(:owner) }
-      it { is_expected.to be_denied_for group_member(:master) }
-      it { is_expected.to be_denied_for group_member(:reporter) }
-      it { is_expected.to be_denied_for group_member(:guest) }
-      it { is_expected.to be_allowed_for :admin }
-      it { is_expected.to be_denied_for :user }
-      it { is_expected.to be_denied_for :visitor }
-    end
-  end
-end
diff --git a/spec/features/security/project/internal_access_spec.rb b/spec/features/security/project/internal_access_spec.rb
index f88c591d897..79d5bf4cf06 100644
--- a/spec/features/security/project/internal_access_spec.rb
+++ b/spec/features/security/project/internal_access_spec.rb
@@ -5,25 +5,22 @@ describe "Internal Project Access", feature: true  do
 
   let(:project) { create(:project, :internal) }
 
-  let(:master) { create(:user) }
-  let(:guest) { create(:user) }
-  let(:reporter) { create(:user) }
-  let(:external_team_member) { create(:user, external: true) }
+  let(:owner)     { project.owner }
+  let(:master)    { create(:user) }
+  let(:developer) { create(:user) }
+  let(:reporter)  { create(:user) }
+  let(:guest)     { create(:user) }
 
   before do
-    # full access
     project.team << [master, :master]
-    project.team << [external_team_member, :master]
-
-    # readonly
+    project.team << [developer, :developer]
     project.team << [reporter, :reporter]
+    project.team << [guest, :guest]
   end
 
   describe "Project should be internal" do
-    subject { project }
-
     describe '#internal?' do
-      subject { super().internal? }
+      subject { project.internal? }
       it { is_expected.to be_truthy }
     end
   end
@@ -31,78 +28,84 @@ describe "Internal Project Access", feature: true  do
   describe "GET /:project_path" do
     subject { namespace_project_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/tree/master" do
     subject { namespace_project_tree_path(project.namespace, project, project.repository.root_ref) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/commits/master" do
     subject { namespace_project_commits_path(project.namespace, project, project.repository.root_ref, limit: 1) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/commit/:sha" do
     subject { namespace_project_commit_path(project.namespace, project, project.repository.commit) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/compare" do
     subject { namespace_project_compare_index_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/project_members" do
     subject { namespace_project_project_members_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
     it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -110,52 +113,56 @@ describe "Internal Project Access", feature: true  do
     let(:commit) { project.repository.commit }
     subject { namespace_project_blob_path(project.namespace, project, File.join(commit.id, '.gitignore')) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/edit" do
     subject { edit_namespace_project_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
     it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/deploy_keys" do
     subject { namespace_project_deploy_keys_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
     it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/issues" do
     subject { namespace_project_issues_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -163,65 +170,70 @@ describe "Internal Project Access", feature: true  do
     let(:issue) { create(:issue, project: project) }
     subject { edit_namespace_project_issue_path(project.namespace, project, issue) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/snippets" do
     subject { namespace_project_snippets_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/snippets/new" do
     subject { new_namespace_project_snippet_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/merge_requests" do
     subject { namespace_project_merge_requests_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/merge_requests/new" do
     subject { new_namespace_project_merge_request_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -233,13 +245,14 @@ describe "Internal Project Access", feature: true  do
       allow_any_instance_of(Project).to receive(:branches).and_return([])
     end
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -251,26 +264,28 @@ describe "Internal Project Access", feature: true  do
       allow_any_instance_of(Project).to receive(:tags).and_return([])
     end
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/hooks" do
     subject { namespace_project_hooks_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
     it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 end
diff --git a/spec/features/security/project/private_access_spec.rb b/spec/features/security/project/private_access_spec.rb
index 19f287ce7a4..0a89193eb67 100644
--- a/spec/features/security/project/private_access_spec.rb
+++ b/spec/features/security/project/private_access_spec.rb
@@ -3,27 +3,24 @@ require 'spec_helper'
 describe "Private Project Access", feature: true  do
   include AccessMatchers
 
-  let(:project) { create(:project) }
+  let(:project) { create(:project, :private) }
 
-  let(:master)   { create(:user) }
-  let(:guest)    { create(:user) }
-  let(:reporter) { create(:user) }
-  let(:external_team_member) { create(:user, external: true) }
+  let(:owner)     { project.owner }
+  let(:master)    { create(:user) }
+  let(:developer) { create(:user) }
+  let(:reporter)  { create(:user) }
+  let(:guest)     { create(:user) }
 
   before do
-    # full access
     project.team << [master, :master]
-    project.team << [external_team_member, :master]
-
-    # readonly
+    project.team << [developer, :developer]
     project.team << [reporter, :reporter]
+    project.team << [guest, :guest]
   end
 
   describe "Project should be private" do
-    subject { project }
-
     describe '#private?' do
-      subject { super().private? }
+      subject { project.private? }
       it { is_expected.to be_truthy }
     end
   end
@@ -31,77 +28,84 @@ describe "Private Project Access", feature: true  do
   describe "GET /:project_path" do
     subject { namespace_project_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/tree/master" do
     subject { namespace_project_tree_path(project.namespace, project, project.repository.root_ref) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/commits/master" do
     subject { namespace_project_commits_path(project.namespace, project, project.repository.root_ref, limit: 1) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/commit/:sha" do
     subject { namespace_project_commit_path(project.namespace, project, project.repository.commit) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
-    it { is_expected.to be_allowed_for external_team_member }
+    it { is_expected.to be_denied_for :external }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/compare" do
     subject { namespace_project_compare_index_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/project_members" do
     subject { namespace_project_project_members_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
     it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -109,52 +113,56 @@ describe "Private Project Access", feature: true  do
     let(:commit) { project.repository.commit }
     subject { namespace_project_blob_path(project.namespace, project, File.join(commit.id, '.gitignore'))}
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/edit" do
     subject { edit_namespace_project_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
     it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/deploy_keys" do
     subject { namespace_project_deploy_keys_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
     it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/issues" do
     subject { namespace_project_issues_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -162,39 +170,42 @@ describe "Private Project Access", feature: true  do
     let(:issue) { create(:issue, project: project) }
     subject { edit_namespace_project_issue_path(project.namespace, project, issue) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/snippets" do
     subject { namespace_project_snippets_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/merge_requests" do
     subject { namespace_project_merge_requests_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
-    it { is_expected.to be_denied_for guest }
+    it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -206,13 +217,14 @@ describe "Private Project Access", feature: true  do
       allow_any_instance_of(Project).to receive(:branches).and_return([])
     end
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
@@ -224,26 +236,28 @@ describe "Private Project Access", feature: true  do
       allow_any_instance_of(Project).to receive(:tags).and_return([])
     end
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 
   describe "GET /:project_path/hooks" do
     subject { namespace_project_hooks_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
     it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
-    it { is_expected.to be_allowed_for external_team_member }
     it { is_expected.to be_denied_for :visitor }
   end
 end
diff --git a/spec/features/security/project/public_access_spec.rb b/spec/features/security/project/public_access_spec.rb
index 4e135076367..40daac89d40 100644
--- a/spec/features/security/project/public_access_spec.rb
+++ b/spec/features/security/project/public_access_spec.rb
@@ -3,29 +3,24 @@ require 'spec_helper'
 describe "Public Project Access", feature: true  do
   include AccessMatchers
 
-  let(:project) { create(:project) }
+  let(:project) { create(:project, :public) }
 
-  let(:master) { create(:user) }
-  let(:guest) { create(:user) }
-  let(:reporter) { create(:user) }
+  let(:owner)     { project.owner }
+  let(:master)    { create(:user) }
+  let(:developer) { create(:user) }
+  let(:reporter)  { create(:user) }
+  let(:guest)     { create(:user) }
 
   before do
-    # public project
-    project.visibility_level = Gitlab::VisibilityLevel::PUBLIC
-    project.save!
-
-    # full access
     project.team << [master, :master]
-
-    # readonly
+    project.team << [developer, :developer]
     project.team << [reporter, :reporter]
+    project.team << [guest, :guest]
   end
 
   describe "Project should be public" do
-    subject { project }
-
     describe '#public?' do
-      subject { super().public? }
+      subject { project.public? }
       it { is_expected.to be_truthy }
     end
   end
@@ -33,9 +28,11 @@ describe "Public Project Access", feature: true  do
   describe "GET /:project_path" do
     subject { namespace_project_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_allowed_for :external }
@@ -45,9 +42,11 @@ describe "Public Project Access", feature: true  do
   describe "GET /:project_path/tree/master" do
     subject { namespace_project_tree_path(project.namespace, project, project.repository.root_ref) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_allowed_for :external }
@@ -57,9 +56,11 @@ describe "Public Project Access", feature: true  do
   describe "GET /:project_path/commits/master" do
     subject { namespace_project_commits_path(project.namespace, project, project.repository.root_ref, limit: 1) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_allowed_for :external }
@@ -69,9 +70,11 @@ describe "Public Project Access", feature: true  do
   describe "GET /:project_path/commit/:sha" do
     subject { namespace_project_commit_path(project.namespace, project, project.repository.commit) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_allowed_for :external }
@@ -81,9 +84,11 @@ describe "Public Project Access", feature: true  do
   describe "GET /:project_path/compare" do
     subject { namespace_project_compare_index_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_allowed_for :external }
@@ -93,9 +98,11 @@ describe "Public Project Access", feature: true  do
   describe "GET /:project_path/project_members" do
     subject { namespace_project_project_members_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
     it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
@@ -108,9 +115,11 @@ describe "Public Project Access", feature: true  do
     context "when allowed for public" do
       before { project.update(public_builds: true) }
 
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for owner }
       it { is_expected.to be_allowed_for master }
+      it { is_expected.to be_allowed_for developer }
       it { is_expected.to be_allowed_for reporter }
-      it { is_expected.to be_allowed_for :admin }
       it { is_expected.to be_allowed_for guest }
       it { is_expected.to be_allowed_for :user }
       it { is_expected.to be_allowed_for :external }
@@ -120,9 +129,11 @@ describe "Public Project Access", feature: true  do
     context "when disallowed for public" do
       before { project.update(public_builds: false) }
 
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for owner }
       it { is_expected.to be_allowed_for master }
+      it { is_expected.to be_allowed_for developer }
       it { is_expected.to be_allowed_for reporter }
-      it { is_expected.to be_allowed_for :admin }
       it { is_expected.to be_denied_for guest }
       it { is_expected.to be_denied_for :user }
       it { is_expected.to be_denied_for :external }
@@ -138,9 +149,11 @@ describe "Public Project Access", feature: true  do
     context "when allowed for public" do
       before { project.update(public_builds: true) }
 
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for owner }
       it { is_expected.to be_allowed_for master }
+      it { is_expected.to be_allowed_for developer }
       it { is_expected.to be_allowed_for reporter }
-      it { is_expected.to be_allowed_for :admin }
       it { is_expected.to be_allowed_for guest }
       it { is_expected.to be_allowed_for :user }
       it { is_expected.to be_allowed_for :external }
@@ -150,9 +163,11 @@ describe "Public Project Access", feature: true  do
     context "when disallowed for public" do
       before { project.update(public_builds: false) }
 
+      it { is_expected.to be_allowed_for :admin }
+      it { is_expected.to be_allowed_for owner }
       it { is_expected.to be_allowed_for master }
+      it { is_expected.to be_allowed_for developer }
       it { is_expected.to be_allowed_for reporter }
-      it { is_expected.to be_allowed_for :admin }
       it { is_expected.to be_denied_for guest }
       it { is_expected.to be_denied_for :user }
       it { is_expected.to be_denied_for :external }
@@ -165,9 +180,11 @@ describe "Public Project Access", feature: true  do
 
     subject { namespace_project_blob_path(project.namespace, project, File.join(commit.id, '.gitignore')) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_allowed_for :visitor }
@@ -176,9 +193,11 @@ describe "Public Project Access", feature: true  do
   describe "GET /:project_path/edit" do
     subject { edit_namespace_project_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
     it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
@@ -188,9 +207,11 @@ describe "Public Project Access", feature: true  do
   describe "GET /:project_path/deploy_keys" do
     subject { namespace_project_deploy_keys_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
     it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
@@ -200,9 +221,11 @@ describe "Public Project Access", feature: true  do
   describe "GET /:project_path/issues" do
     subject { namespace_project_issues_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_allowed_for :external }
@@ -213,9 +236,11 @@ describe "Public Project Access", feature: true  do
     let(:issue) { create(:issue, project: project) }
     subject { edit_namespace_project_issue_path(project.namespace, project, issue) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
@@ -225,9 +250,11 @@ describe "Public Project Access", feature: true  do
   describe "GET /:project_path/snippets" do
     subject { namespace_project_snippets_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_allowed_for :external }
@@ -237,9 +264,11 @@ describe "Public Project Access", feature: true  do
   describe "GET /:project_path/snippets/new" do
     subject { new_namespace_project_snippet_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
@@ -249,9 +278,11 @@ describe "Public Project Access", feature: true  do
   describe "GET /:project_path/merge_requests" do
     subject { namespace_project_merge_requests_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_allowed_for :external }
@@ -261,9 +292,11 @@ describe "Public Project Access", feature: true  do
   describe "GET /:project_path/merge_requests/new" do
     subject { new_namespace_project_merge_request_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
@@ -278,9 +311,11 @@ describe "Public Project Access", feature: true  do
       allow_any_instance_of(Project).to receive(:branches).and_return([])
     end
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_allowed_for :external }
@@ -295,9 +330,11 @@ describe "Public Project Access", feature: true  do
       allow_any_instance_of(Project).to receive(:tags).and_return([])
     end
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_allowed_for developer }
     it { is_expected.to be_allowed_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_allowed_for guest }
     it { is_expected.to be_allowed_for :user }
     it { is_expected.to be_allowed_for :external }
@@ -307,9 +344,11 @@ describe "Public Project Access", feature: true  do
   describe "GET /:project_path/hooks" do
     subject { namespace_project_hooks_path(project.namespace, project) }
 
+    it { is_expected.to be_allowed_for :admin }
+    it { is_expected.to be_allowed_for owner }
     it { is_expected.to be_allowed_for master }
+    it { is_expected.to be_denied_for developer }
     it { is_expected.to be_denied_for reporter }
-    it { is_expected.to be_allowed_for :admin }
     it { is_expected.to be_denied_for guest }
     it { is_expected.to be_denied_for :user }
     it { is_expected.to be_denied_for :external }
diff --git a/spec/finders/group_projects_finder_spec.rb b/spec/finders/group_projects_finder_spec.rb
new file mode 100644
index 00000000000..fdd3849816f
--- /dev/null
+++ b/spec/finders/group_projects_finder_spec.rb
@@ -0,0 +1,89 @@
+require 'spec_helper'
+
+describe GroupProjectsFinder do
+  let(:group) { create(:group) }
+  let(:current_user) { create(:user) }
+
+  let(:finder) { described_class.new(source_user) }
+
+  let!(:public_project) { create(:project, :public, group: group, path: '1') }
+  let!(:private_project) { create(:project, :private, group: group, path: '2') }
+  let!(:shared_project_1) { create(:project, :public, path: '3') }
+  let!(:shared_project_2) { create(:project, :private, path: '4') }
+  let!(:shared_project_3) { create(:project, :internal, path: '5') }
+
+
+  before do
+    shared_project_1.project_group_links.create(group_access: Gitlab::Access::MASTER, group: group)
+    shared_project_2.project_group_links.create(group_access: Gitlab::Access::MASTER, group: group)
+    shared_project_3.project_group_links.create(group_access: Gitlab::Access::MASTER, group: group)
+  end
+
+
+  describe 'with a group member current user' do
+    before  { group.add_user(current_user, Gitlab::Access::MASTER) }
+
+    context "only shared" do
+      subject { described_class.new(group, only_shared: true).execute(current_user) }
+      it      { is_expected.to eq([shared_project_3, shared_project_2, shared_project_1]) }
+    end
+
+    context "only owned" do
+      subject { described_class.new(group, only_owned: true).execute(current_user) }
+      it      { is_expected.to eq([private_project, public_project]) }
+    end
+
+    context "all" do
+      subject { described_class.new(group).execute(current_user) }
+      it      { is_expected.to eq([shared_project_3, shared_project_2, shared_project_1, private_project, public_project]) }
+    end
+  end
+
+  describe 'without group member current_user' do
+    before { shared_project_2.team << [current_user, Gitlab::Access::MASTER] }
+
+    context "only shared" do
+      context "without external user" do
+        subject { described_class.new(group, only_shared: true).execute(current_user) }
+        it      { is_expected.to eq([shared_project_3, shared_project_2, shared_project_1]) }
+      end
+
+      context "with external user" do
+        before  { current_user.update_attributes(external: true) }
+        subject { described_class.new(group, only_shared: true).execute(current_user) }
+        it      { is_expected.to eq([shared_project_2, shared_project_1]) }
+      end
+    end
+
+    context "only owned" do
+      context "without external user" do
+        before  { private_project.team << [current_user, Gitlab::Access::MASTER] }
+        subject { described_class.new(group, only_owned: true).execute(current_user) }
+        it      { is_expected.to eq([private_project, public_project]) }
+      end
+
+      context "with external user" do
+        before  { current_user.update_attributes(external: true) }
+        subject { described_class.new(group, only_owned: true).execute(current_user) }
+        it      { is_expected.to eq([public_project]) }
+      end
+
+      context "all" do
+        subject { described_class.new(group).execute(current_user) }
+        it      { is_expected.to eq([shared_project_3, shared_project_2, shared_project_1, public_project]) }
+      end
+    end
+  end
+
+  describe "no user" do
+    context "only shared" do
+      subject { described_class.new(group, only_shared: true).execute(current_user) }
+      it      { is_expected.to eq([shared_project_3, shared_project_1]) }
+    end
+
+    context "only owned" do
+      subject { described_class.new(group, only_owned: true).execute(current_user) }
+      it      { is_expected.to eq([public_project]) }
+    end
+  end
+end
diff --git a/spec/finders/groups_finder_spec.rb b/spec/finders/groups_finder_spec.rb
new file mode 100644
index 00000000000..d5d111e8d15
--- /dev/null
+++ b/spec/finders/groups_finder_spec.rb
@@ -0,0 +1,33 @@
+require 'spec_helper'
+
+describe GroupsFinder do
+  describe '#execute' do
+    let(:user)            { create(:user) }
+    let!(:private_group)  { create(:group, :private) }
+    let!(:internal_group) { create(:group, :internal) }
+    let!(:public_group)   { create(:group, :public) }
+    let(:finder)          { described_class.new }
+
+    describe 'execute' do
+      describe 'without a user' do
+        subject { finder.execute }
+
+        it { is_expected.to eq([public_group]) }
+      end
+
+      describe 'with a user' do
+        subject { finder.execute(user) }
+
+        context 'normal user' do
+          it { is_expected.to eq([public_group, internal_group]) }
+        end
+
+        context 'external user' do
+          let(:user) { create(:user, external: true) }
+
+          it { is_expected.to eq([public_group]) }
+        end
+      end
+    end
+  end
+end
diff --git a/spec/finders/joined_groups_finder_spec.rb b/spec/finders/joined_groups_finder_spec.rb
new file mode 100644
index 00000000000..f90a8e007c8
--- /dev/null
+++ b/spec/finders/joined_groups_finder_spec.rb
@@ -0,0 +1,77 @@
+require 'spec_helper'
+
+describe JoinedGroupsFinder do
+  describe '#execute' do
+    let!(:profile_owner)    { create(:user) }
+    let!(:profile_visitor)  { create(:user) }
+
+    let!(:private_group)    { create(:group, :private) }
+    let!(:private_group_2)  { create(:group, :private) }
+    let!(:internal_group)   { create(:group, :internal) }
+    let!(:internal_group_2) { create(:group, :internal) }
+    let!(:public_group)     { create(:group, :public) }
+    let!(:public_group_2)   { create(:group, :public) }
+    let!(:finder) { described_class.new(profile_owner) }
+
+    context 'without a user' do
+      before do
+        public_group.add_master(profile_owner)
+      end
+
+      it 'only shows public groups from profile owner' do
+        expect(finder.execute).to eq([public_group])
+      end
+    end
+
+    context "with a user" do
+      before do
+        private_group.add_master(profile_owner)
+        internal_group.add_master(profile_owner)
+        public_group.add_master(profile_owner)
+      end
+
+      context "when the profile visitor is in the private group" do
+        before do
+          private_group.add_developer(profile_visitor)
+        end
+
+        it 'only shows groups where both users are authorized to see' do
+          expect(finder.execute(profile_visitor)).to eq([public_group, internal_group, private_group])
+        end
+      end
+
+      context 'if profile visitor is in one of the private group projects' do
+        before do
+          project = create(:project, :private, group: private_group, name: 'B', path: 'B')
+          project.team.add_user(profile_visitor, Gitlab::Access::DEVELOPER)
+        end
+
+        it 'shows group' do
+          expect(finder.execute(profile_visitor)).to eq([public_group, internal_group, private_group])
+        end
+      end
+
+      context 'external users' do
+        before do
+          profile_visitor.update_attributes(external: true)
+        end
+
+        context 'if not a member' do
+          it "does not show internal groups" do
+            expect(finder.execute(profile_visitor)).to eq([public_group])
+          end
+        end
+
+        context "if authorized" do
+          before do
+            internal_group.add_master(profile_visitor)
+          end
+
+          it "shows internal groups if authorized" do
+            expect(finder.execute(profile_visitor)).to eq([public_group, internal_group])
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/spec/finders/personal_projects_finder_spec.rb b/spec/finders/personal_projects_finder_spec.rb
index 38817add456..a4681fe59d8 100644
--- a/spec/finders/personal_projects_finder_spec.rb
+++ b/spec/finders/personal_projects_finder_spec.rb
@@ -1,19 +1,17 @@
 require 'spec_helper'
 
 describe PersonalProjectsFinder do
-  let(:source_user) { create(:user) }
-  let(:current_user) { create(:user) }
+  let(:source_user)     { create(:user) }
+  let(:current_user)    { create(:user) }
+  let(:finder)          { described_class.new(source_user) }
+  let!(:public_project) { create(:project, :public, namespace: source_user.namespace) }
 
-  let(:finder) { described_class.new(source_user) }
-
-  let!(:public_project) do
-    create(:project, :public, namespace: source_user.namespace, name: 'A',
-                              path: 'A')
+  let!(:private_project) do
+    create(:project, :private, namespace: source_user.namespace, path: 'mepmep')
   end
 
-  let!(:private_project) do
-    create(:project, :private, namespace: source_user.namespace, name: 'B',
-                               path: 'B')
+  let!(:internal_project) do
+    create(:project, :internal, namespace: source_user.namespace, path: 'C')
   end
 
   before do
@@ -29,6 +27,14 @@ describe PersonalProjectsFinder do
   describe 'with a current user' do
     subject { finder.execute(current_user) }
 
-    it { is_expected.to eq([private_project, public_project]) }
+    context 'normal user' do
+      it { is_expected.to eq([internal_project, private_project, public_project]) }
+    end
+
+    context 'external' do
+      before { current_user.update_attributes(external: true) }
+
+      it { is_expected.to eq([private_project, public_project]) }
+    end
   end
 end
diff --git a/spec/finders/projects_finder_spec.rb b/spec/finders/projects_finder_spec.rb
index fae0da9d898..0a1cc3b3df7 100644
--- a/spec/finders/projects_finder_spec.rb
+++ b/spec/finders/projects_finder_spec.rb
@@ -3,7 +3,7 @@ require 'spec_helper'
 describe ProjectsFinder do
   describe '#execute' do
     let(:user) { create(:user) }
-    let(:group) { create(:group) }
+    let(:group) { create(:group, :public) }
 
     let!(:private_project) do
       create(:project, :private, name: 'A', path: 'A')
diff --git a/spec/finders/snippets_finder_spec.rb b/spec/finders/snippets_finder_spec.rb
index 7fdc5e5d7aa..810016c9658 100644
--- a/spec/finders/snippets_finder_spec.rb
+++ b/spec/finders/snippets_finder_spec.rb
@@ -3,7 +3,7 @@ require 'spec_helper'
 describe SnippetsFinder do
   let(:user) { create :user }
   let(:user1) { create :user }
-  let(:group) { create :group }
+  let(:group) { create :group, :public }
 
   let(:project1) { create(:empty_project, :public,  group: group) }
   let(:project2) { create(:empty_project, :private, group: group) }
diff --git a/spec/helpers/groups_helper.rb b/spec/helpers/groups_helper_spec.rb
index 4ea90a80a92..4ea90a80a92 100644
--- a/spec/helpers/groups_helper.rb
+++ b/spec/helpers/groups_helper_spec.rb
diff --git a/spec/helpers/projects_helper_spec.rb b/spec/helpers/projects_helper_spec.rb
index 86cbd29830c..c258cfebd73 100644
--- a/spec/helpers/projects_helper_spec.rb
+++ b/spec/helpers/projects_helper_spec.rb
@@ -11,16 +11,8 @@ describe ProjectsHelper do
 
   describe "can_change_visibility_level?" do
     let(:project) { create(:project) }
-
-    let(:fork_project) do
-      fork_project = create(:forked_project_with_submodules)
-      fork_project.build_forked_project_link(forked_to_project_id: fork_project.id, forked_from_project_id: project.id)
-      fork_project.save
-
-      fork_project
-    end
-
     let(:user) { create(:user) }
+    let(:fork_project) { Projects::ForkService.new(project, user).execute }
 
     it "returns false if there are no appropriate permissions" do
       allow(helper).to receive(:can?) { false }
diff --git a/spec/helpers/visibility_level_helper_spec.rb b/spec/helpers/visibility_level_helper_spec.rb
index cd7596a763d..ff98249570d 100644
--- a/spec/helpers/visibility_level_helper_spec.rb
+++ b/spec/helpers/visibility_level_helper_spec.rb
@@ -8,6 +8,7 @@ describe VisibilityLevelHelper do
   end
 
   let(:project)          { build(:project) }
+  let(:group)            { build(:group) }
   let(:personal_snippet) { build(:personal_snippet) }
   let(:project_snippet)  { build(:project_snippet) }
 
@@ -19,6 +20,13 @@ describe VisibilityLevelHelper do
       end
     end
 
+    context 'used with a Group' do
+      it 'delegates groups to #group_visibility_level_description' do
+        expect(visibility_level_description(Gitlab::VisibilityLevel::PRIVATE, group))
+            .to match /group/i
+      end
+    end
+
     context 'called with a Snippet' do
       it 'delegates snippets to #snippet_visibility_level_description' do
         expect(visibility_level_description(Gitlab::VisibilityLevel::INTERNAL, project_snippet))
@@ -58,13 +66,8 @@ describe VisibilityLevelHelper do
 
   describe "skip_level?" do
     describe "forks" do
-      let(:project) { create(:project, :internal) }
-      let(:fork_project) { create(:forked_project_with_submodules) }
-
-      before do
-        fork_project.build_forked_project_link(forked_to_project_id: fork_project.id, forked_from_project_id: project.id)
-        fork_project.save
-      end
+      let(:project)       { create(:project, :internal) }
+      let(:fork_project)  { create(:project, forked_from_project: project) }
 
       it "skips levels" do
         expect(skip_level?(fork_project, Gitlab::VisibilityLevel::PUBLIC)).to be_truthy
diff --git a/spec/lib/banzai/filter/redactor_filter_spec.rb b/spec/lib/banzai/filter/redactor_filter_spec.rb
index 9acf6304bcb..c2c2fd0eb6a 100644
--- a/spec/lib/banzai/filter/redactor_filter_spec.rb
+++ b/spec/lib/banzai/filter/redactor_filter_spec.rb
@@ -119,7 +119,7 @@ describe Banzai::Filter::RedactorFilter, lib: true do
     context 'with data-group' do
       it 'removes unpermitted Group references' do
         user = create(:user)
-        group = create(:group)
+        group = create(:group, :private)
 
         link = reference_link(group: group.id, reference_filter: 'UserReferenceFilter')
         doc = filter(link, current_user: user)
@@ -129,7 +129,7 @@ describe Banzai::Filter::RedactorFilter, lib: true do
 
       it 'allows permitted Group references' do
         user = create(:user)
-        group = create(:group)
+        group = create(:group, :private)
         group.add_developer(user)
 
         link = reference_link(group: group.id, reference_filter: 'UserReferenceFilter')
diff --git a/spec/models/group_spec.rb b/spec/models/group_spec.rb
index c9245fc9535..7bfca1e72c3 100644
--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -56,6 +56,23 @@ describe Group, models: true do
     end
   end
 
+  describe 'scopes' do
+    let!(:private_group)  { create(:group, :private)  }
+    let!(:internal_group) { create(:group, :internal) }
+
+    describe 'public_only' do
+      subject { described_class.public_only.to_a }
+
+      it{ is_expected.to eq([group]) }
+    end
+
+    describe 'public_and_internal_only' do
+      subject { described_class.public_and_internal_only.to_a }
+
+      it{ is_expected.to match_array([group, internal_group]) }
+    end
+  end
+
   describe '#to_reference' do
     it 'returns a String reference to the object' do
       expect(group.to_reference).to eq "@#{group.name}"
diff --git a/spec/models/project_security_spec.rb b/spec/models/project_security_spec.rb
index 3643ad1b052..e12258c0874 100644
--- a/spec/models/project_security_spec.rb
+++ b/spec/models/project_security_spec.rb
@@ -18,11 +18,11 @@ describe Project, models: true do
     let(:report_actions) { Ability.project_report_rules }
     let(:dev_actions) { Ability.project_dev_rules }
     let(:master_actions) { Ability.project_master_rules }
-    let(:admin_actions) { Ability.project_admin_rules }
+    let(:owner_actions) { Ability.project_owner_rules }
 
     describe "Non member rules" do
       it "should deny for non-project users any actions" do
-        admin_actions.each do |action|
+        owner_actions.each do |action|
           expect(@abilities.allowed?(@u1, action, @p1)).to be_falsey
         end
       end
@@ -90,20 +90,20 @@ describe Project, models: true do
       end
     end
 
-    describe "Admin Rules" do
+    describe "Owner Rules" do
       before do
         @p1.project_members.create(project: @p1, user: @u2, access_level: ProjectMember::DEVELOPER)
         @p1.project_members.create(project: @p1, user: @u3, access_level: ProjectMember::MASTER)
       end
 
       it "should deny for masters admin-specific actions" do
-        [admin_actions - master_actions].each do |action|
+        [owner_actions - master_actions].each do |action|
           expect(@abilities.allowed?(@u2, action, @p1)).to be_falsey
         end
       end
 
       it "should allow for project owner any admin actions" do
-        admin_actions.each do |action|
+        owner_actions.each do |action|
           expect(@abilities.allowed?(@u4, action, @p1)).to be_truthy
         end
       end
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index 624022c1dda..20f06f4b7e1 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -442,7 +442,7 @@ describe Project, models: true do
   end
 
   describe '.trending' do
-    let(:group)    { create(:group) }
+    let(:group)    { create(:group, :public) }
     let(:project1) { create(:empty_project, :public, group: group) }
     let(:project2) { create(:empty_project, :public, group: group) }
 
@@ -571,12 +571,8 @@ describe Project, models: true do
     end
 
     context 'when checking on forked project' do
-      let(:forked_project) { create :forked_project_with_submodules }
-
-      before do
-        forked_project.build_forked_project_link(forked_to_project_id: forked_project.id, forked_from_project_id: project.id)
-        forked_project.save
-      end
+      let(:project)        { create(:project, :internal) }
+      let(:forked_project) { create(:project, forked_from_project: project) }
 
       it { expect(forked_project.visibility_level_allowed?(Gitlab::VisibilityLevel::PRIVATE)).to be_truthy }
       it { expect(forked_project.visibility_level_allowed?(Gitlab::VisibilityLevel::INTERNAL)).to be_truthy }
@@ -721,6 +717,22 @@ describe Project, models: true do
     end
   end
 
+  context 'when checking projects from groups' do
+    let(:private_group)    { create(:group, visibility_level: 0)  }
+    let(:internal_group)   { create(:group, visibility_level: 10) }
+
+    let(:private_project)  { create :project, :private, group: private_group }
+    let(:internal_project) { create :project, :internal, group: internal_group }
+
+    context 'when group is private project can not be internal' do
+      it { expect(private_project.visibility_level_allowed?(Gitlab::VisibilityLevel::INTERNAL)).to be_falsey }
+    end
+
+    context 'when group is internal project can not be public' do
+      it { expect(internal_project.visibility_level_allowed?(Gitlab::VisibilityLevel::PUBLIC)).to be_falsey }
+    end
+  end
+
   describe '#create_repository' do
     let(:project) { create(:project) }
     let(:shell) { Gitlab::Shell.new }
diff --git a/spec/requests/api/group_members_spec.rb b/spec/requests/api/group_members_spec.rb
index dd5baa44cb2..3e8b4aa1f88 100644
--- a/spec/requests/api/group_members_spec.rb
+++ b/spec/requests/api/group_members_spec.rb
@@ -11,7 +11,7 @@ describe API::API, api: true  do
   let(:stranger) { create(:user) }
 
   let!(:group_with_members) do
-    group = create(:group)
+    group = create(:group, :private)
     group.add_users([reporter.id], GroupMember::REPORTER)
     group.add_users([developer.id], GroupMember::DEVELOPER)
     group.add_users([master.id], GroupMember::MASTER)
diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb
index 4cfa49d1566..41c9cacd455 100644
--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -9,7 +9,7 @@ describe API::API, api: true  do
   let(:admin) { create(:admin) }
   let(:avatar_file_path) { File.join(Rails.root, 'spec', 'fixtures', 'banana_sample.gif') }
   let!(:group1) { create(:group, avatar: File.open(avatar_file_path)) }
-  let!(:group2) { create(:group) }
+  let!(:group2) { create(:group, :private) }
   let!(:project1) { create(:project, namespace: group1) }
   let!(:project2) { create(:project, namespace: group2) }
 
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index a6699cdc81c..a5d4985dc78 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -275,6 +275,7 @@ describe API::API, api: true  do
 
       it 'should not allow a non-admin to use a restricted visibility level' do
         post api('/projects', user), @project
+
         expect(response.status).to eq(400)
         expect(json_response['message']['visibility_level'].first).to(
           match('restricted by your GitLab administrator')
diff --git a/spec/services/create_snippet_service_spec.rb b/spec/services/create_snippet_service_spec.rb
index c800dea04fa..7a850066bf8 100644
--- a/spec/services/create_snippet_service_spec.rb
+++ b/spec/services/create_snippet_service_spec.rb
@@ -23,7 +23,7 @@ describe CreateSnippetService, services: true do
       snippet = create_snippet(nil, @user, @opts)
       expect(snippet.errors.messages).to have_key(:visibility_level)
       expect(snippet.errors.messages[:visibility_level].first).to(
-        match('Public visibility has been restricted')
+        match('has been restricted')
       )
     end
 
diff --git a/spec/services/groups/create_service_spec.rb b/spec/services/groups/create_service_spec.rb
new file mode 100644
index 00000000000..6aefb48a4e8
--- /dev/null
+++ b/spec/services/groups/create_service_spec.rb
@@ -0,0 +1,20 @@
+require 'spec_helper'
+
+describe Groups::CreateService, services: true do
+  let!(:user)         { create(:user) }
+  let!(:group_params) { { path: "group_path", visibility_level: Gitlab::VisibilityLevel::PUBLIC } }
+
+  describe "execute" do
+    let!(:service) { described_class.new(user, group_params ) }
+    subject { service.execute }
+
+    context "create groups without restricted visibility level" do
+      it { is_expected.to be_persisted }
+    end
+
+    context "cannot create group with restricted visibility level" do
+      before { allow(current_application_settings).to receive(:restricted_visibility_levels).and_return([Gitlab::VisibilityLevel::PUBLIC]) }
+      it { is_expected.to_not be_persisted }
+    end
+  end
+end
diff --git a/spec/services/groups/update_service_spec.rb b/spec/services/groups/update_service_spec.rb
new file mode 100644
index 00000000000..9c2331144a0
--- /dev/null
+++ b/spec/services/groups/update_service_spec.rb
@@ -0,0 +1,52 @@
+require 'spec_helper'
+
+describe Groups::UpdateService, services: true do
+  let!(:user)             { create(:user) }
+  let!(:private_group)    { create(:group, :private) }
+  let!(:internal_group)   { create(:group, :internal) }
+  let!(:public_group)     { create(:group, :public) }
+
+  describe "#execute" do
+    context "project visibility_level validation" do
+      context "public group with public projects" do
+        let!(:service) { described_class.new(public_group, user, visibility_level: Gitlab::VisibilityLevel::INTERNAL ) }
+
+        before do
+          public_group.add_user(user, Gitlab::Access::MASTER)
+          create(:project, :public, group: public_group)
+        end
+
+        it "does not change permission level" do
+          service.execute
+          expect(public_group.errors.count).to eq(1)
+        end
+      end
+
+      context "internal group with internal project" do
+        let!(:service) { described_class.new(internal_group, user, visibility_level: Gitlab::VisibilityLevel::PRIVATE ) }
+
+        before do
+          internal_group.add_user(user, Gitlab::Access::MASTER)
+          create(:project, :internal, group: internal_group)
+        end
+
+        it "does not change permission level" do
+          service.execute
+          expect(internal_group.errors.count).to eq(1)
+        end
+      end
+    end
+  end
+
+  context "unauthorized visibility_level validation" do
+    let!(:service) { described_class.new(internal_group, user, visibility_level: 99 ) }
+    before do
+      internal_group.add_user(user, Gitlab::Access::MASTER)
+    end
+
+    it "does not change permission level" do
+      service.execute
+      expect(internal_group.errors.count).to eq(1)
+    end
+  end
+end
diff --git a/spec/services/update_snippet_service_spec.rb b/spec/services/update_snippet_service_spec.rb
index 48d114896d0..37c2e861362 100644
--- a/spec/services/update_snippet_service_spec.rb
+++ b/spec/services/update_snippet_service_spec.rb
@@ -25,7 +25,7 @@ describe UpdateSnippetService, services: true do
       update_snippet(@project, @user, @snippet, @opts)
       expect(@snippet.errors.messages).to have_key(:visibility_level)
       expect(@snippet.errors.messages[:visibility_level].first).to(
-        match('Public visibility has been restricted')
+        match('has been restricted')
       )
       expect(@snippet.visibility_level).to eq(old_visibility)
     end
diff --git a/spec/support/matchers/access_matchers.rb b/spec/support/matchers/access_matchers.rb
index 4e007c777e3..0497e391860 100644
--- a/spec/support/matchers/access_matchers.rb
+++ b/spec/support/matchers/access_matchers.rb
@@ -28,7 +28,7 @@ module AccessMatchers
     if user.kind_of?(User)
       # User#inspect displays too much information for RSpec's description
       # messages
-      "be #{type} for supplied User"
+      "be #{type} for the specified user"
     else
       "be #{type} for #{user}"
     end