1 files changed, 37 insertions, 26 deletions

diff --git a/app/models/ability.rb b/app/models/ability.rb
index d3631d49ec6..f8e5afa9b01 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -31,10 +31,11 @@ class Ability
                 end
 
       if project && project.public?
-        [
+        rules = [
           :read_project,
           :read_wiki,
           :read_issue,
+          :read_label,
           :read_milestone,
           :read_project_snippet,
           :read_project_member,
@@ -42,6 +43,8 @@ class Ability
           :read_note,
           :download_code
         ]
+
+        rules - project_disabled_features_rules(project)
       else
         group = if subject.kind_of?(Group)
                   subject
@@ -102,28 +105,7 @@ class Ability
           rules -= project_archived_rules
         end
 
-        unless project.issues_enabled
-          rules -= named_abilities('issue')
-        end
-
-        unless project.merge_requests_enabled
-          rules -= named_abilities('merge_request')
-        end
-
-        unless project.issues_enabled or project.merge_requests_enabled
-          rules -= named_abilities('label')
-          rules -= named_abilities('milestone')
-        end
-
-        unless project.snippets_enabled
-          rules -= named_abilities('project_snippet')
-        end
-
-        unless project.wiki_enabled
-          rules -= named_abilities('wiki')
-        end
-
-        rules
+        rules - project_disabled_features_rules(project)
       end
     end
 
@@ -158,12 +140,13 @@ class Ability
         :create_project_snippet,
         :update_issue,
         :admin_issue,
-        :admin_label,
+        :admin_label
       ]
     end
 
     def project_dev_rules
       project_report_rules + [
+        :admin_merge_request,
         :create_merge_request,
         :create_wiki,
         :push_code
@@ -205,6 +188,33 @@ class Ability
       ]
     end
 
+    def project_disabled_features_rules(project)
+      rules = []
+
+      unless project.issues_enabled
+        rules += named_abilities('issue')
+      end
+
+      unless project.merge_requests_enabled
+        rules += named_abilities('merge_request')
+      end
+
+      unless project.issues_enabled or project.merge_requests_enabled
+        rules += named_abilities('label')
+        rules += named_abilities('milestone')
+      end
+
+      unless project.snippets_enabled
+        rules += named_abilities('project_snippet')
+      end
+
+      unless project.wiki_enabled
+        rules += named_abilities('wiki')
+      end
+
+      rules
+    end
+
     def group_abilities(user, group)
       rules = []
 
@@ -223,7 +233,8 @@ class Ability
       if group.has_owner?(user) || user.admin?
         rules.push(*[
           :admin_group,
-          :admin_namespace
+          :admin_namespace,
+          :admin_group_member
         ])
       end
 
@@ -285,7 +296,7 @@ class Ability
       rules = []
       target_user = subject.user
       group = subject.group
-      can_manage = group_abilities(user, group).include?(:admin_group)
+      can_manage = group_abilities(user, group).include?(:admin_group_member)
 
       if can_manage && (user != target_user)
         rules << :update_group_member