diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index e5cd8dc15..8f9a949ad 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -26,9 +26,10 @@ class ProjectsController < ApplicationController
 @project = Project.new params[:project]
 @project.owner = choose_owner
 @who_owns = (@project.owner_type == 'User' ? :me : :group)
+ authorize! :update, @project.owner if @project.owner.class == Group
 if @project.save
- flash[:notice] = t('flash.project.saved')
+ flash[:notice] = t('flash.project.saved')
 redirect_to @project
 else
 flash[:error] = t('flash.project.save_error')
diff --git a/spec/controllers/projects_controller_spec.rb b/spec/controllers/projects_controller_spec.rb
index 36b6b12ca..eceef48a5 100644
--- a/spec/controllers/projects_controller_spec.rb
+++ b/spec/controllers/projects_controller_spec.rb
@@ -2,17 +2,17 @@ require 'spec_helper'
 describe ProjectsController do
-
- before(:each) do
+
+ before(:each) do
 stub_rsync_methods
 @project = FactoryGirl.create(:project)
 @another_user = FactoryGirl.create(:user)
 @create_params = {:project => {:name => 'pro'}}
 @update_params = {:project => {:name => 'pro2'}}
- end
+ end
- context 'for guest' do
+ context 'for guest' do
 it 'should not be able to perform index action' do
 get :index
 response.should redirect_to(new_user_session_path)
@@ -25,10 +25,10 @@ describe ProjectsController do
 end
 context 'for admin' do
- before(:each) do
- @admin = FactoryGirl.create(:admin)
- set_session_for(@admin)
- end
+ before(:each) do
+ @admin = FactoryGirl.create(:admin)
+ set_session_for(@admin)
+ end
 it_should_behave_like 'projects user with admin rights'
 it_should_behave_like 'projects user with reader rights'
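Review bot: The added authorization on the line after `@who_owns` tests `@project.owner.class == Group`, which misses subclasses and is inconsistent with the `owner_type == 'User'` string comparison two lines above; `authorize! :update, @project.owner if @project.owner.is_a?(Group)` (or `if @project.owner_type == 'Group'`) expresses the same intent idiomatically. The check also covers only the group branch: when `choose_owner` returns a User nothing in this hunk verifies it is the current user, which is presumably handled inside `choose_owner` but is not visible here, so a comment such as `# user-owned projects always belong to current_user (see choose_owner)` would make that contract explicit if it holds. The enclosing `create` action starts and ends outside the hunk.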
@@ -44,12 +44,12 @@ describe ProjectsController do
 end
 context 'for owner user' do
- before(:each) do
- @user = FactoryGirl.create(:user)
- set_session_for(@user)
- @project.update_attribute(:owner, @user)
- @project.relations.create!(:object_type => 'User', :object_id => @user.id, :role => 'admin')
- end
+ before(:each) do
+ @user = FactoryGirl.create(:user)
+ set_session_for(@user)
+ @project.update_attribute(:owner, @user)
+ @project.relations.create!(:object_type => 'User', :object_id => @user.id, :role => 'admin')
+ end
 it_should_behave_like 'projects user with admin rights'
 it_should_behave_like 'user with rights to view projects'
@@ -67,27 +67,34 @@ describe ProjectsController do
 post :fork, :id => @project.id
 response.should redirect_to(forbidden_path)
 end
+ end
 context 'for reader user' do
- before(:each) do
- @user = FactoryGirl.create(:user)
- set_session_for(@user)
- @project.relations.create!(:object_type => 'User', :object_id => @user.id, :role => 'reader')
- end
+ before(:each) do
+ @user = FactoryGirl.create(:user)
+ set_session_for(@user)
+ @project.relations.create!(:object_type => 'User', :object_id => @user.id, :role => 'reader')
+ end
 it_should_behave_like 'projects user with reader rights'
 end
 context 'for writer user' do
- before(:each) do
- @user = FactoryGirl.create(:user)
- set_session_for(@user)
- @project.relations.create!(:object_type => 'User', :object_id => @user.id, :role => 'writer')
- end
+ before(:each) do
+ @user = FactoryGirl.create(:user)
+ set_session_for(@user)
+ @project.relations.create!(:object_type => 'User', :object_id => @user.id, :role => 'writer')
+ end
 it_should_behave_like 'projects user with reader rights'
+ it 'should not be able to create project to other group' do
+ group = FactoryGirl.create(:group)
+ post :create, @create_params.merge({:who_owns => 'group', :owner_id => group.id})
+ response.should redirect_to(forbidden_path)
+ end
+
 it 'should not be able to fork project to other group' do
 group = FactoryGirl.create(:group)
 post :fork, :id => @project.id, :group => group.id
@@ -100,11 +107,9 @@ describe ProjectsController do
 post :fork, :id => @project.id, :group => group.id
 response.should redirect_to(project_path(group.projects.first.id))
 end
- end
 context 'search projects' do
-
 before(:each) do
 @admin = FactoryGirl.create(:admin)
 @project1 = FactoryGirl.create(:project, :name => 'perl-debug')
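Review bot: The new example in the 'for writer user' context only pins the deny path for `post :create` with `:who_owns => 'group'`; without a positive counterpart showing that a user with rights on the group can still create a project there, an `authorize!` that denies unconditionally would pass this suite, so a matching `it 'should be able to create project to own group'` (set up like the positive fork example whose tail opens the next hunk) would close that gap. As a point of style, the braces in `@create_params.merge({:who_owns => 'group', :owner_id => group.id})` are redundant; `@create_params.merge(:who_owns => 'group', :owner_id => group.id)` matches how hashes are passed elsewhere in the file. The enclosing `describe ProjectsController` block starts and ends outside the hunk.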
@@ -117,4 +122,14 @@ describe ProjectsController do
 assigns(:projects).should eq([@project2, @project1])
 end
 end
+
+ context 'for other user' do
+ it 'should not be able to fork hidden project' do
+ @user = FactoryGirl.create(:user)
+ set_session_for(@user)
+ @project.update_attribute(:visibility, 'hidden')
+ post :fork, :id => @project.id
+ response.should redirect_to(forbidden_path)
+ end
+ end
 end
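Review bot: The 'for other user' context assigns `@user` inside the example rather than in a `before(:each)` as every sibling context in this file does; for a single example a local `user = FactoryGirl.create(:user)` followed by `set_session_for(user)` avoids an instance variable only one example reads, or a `before(:each)` keeps the file's convention if more examples are planned. Nothing in the controller hunk of this diff changes fork behaviour for hidden projects, so the denial presumably comes from ability definitions elsewhere — worth confirming the example fails when that rule is removed, otherwise it only documents pre-existing behaviour. The closing `end` on the last line belongs to the `describe` block that starts outside the hunk.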