diff --git a/app/controllers/api/v1/advisories_controller.rb b/app/controllers/api/v1/advisories_controller.rb
index 9e90f748d..c7addc632 100644
--- a/app/controllers/api/v1/advisories_controller.rb
+++ b/app/controllers/api/v1/advisories_controller.rb
@@ -17,8 +17,7 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController
 def create
 @advisory = @build_list.build_and_associate_advisory(params[:advisory])
- if @build_list.status == BuildList::BUILD_PUBLISHED &&
- @advisory.save && @build_list.save
+ if may_be_published? && @advisory.save && @build_list.save
 render_json_response @advisory, 'Advisory has been created successfully'
 else
 render_validation_error @advisory, error_message(@build_list, 'Advisory has not been created')
@@ -26,7 +25,7 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController
 end
 def update
- if @advisory && @build_list.status == BuildList::BUILD_PUBLISHED &&
+ if @advisory && may_be_published?
 @advisory.attach_build_list(@build_list) &&
 @advisory.save && @build_list.save
 render_json_response @advisory, "Build list '#{@build_list.id}' has been attached to advisory successfully"
@@ -39,7 +38,13 @@ class Api::V1::AdvisoriesController < Api::V1::BaseController
 def find_build_list
 @build_list = BuildList.find params[:build_list_id]
- authorize! :publish, @build_list
+ end
+
+ def may_be_published?
+ !@build_list.save_to_repository.publish_without_qa &&
+ can?(:update, @build_list.save_to_platform) &&
+ @build_list.save_to_platform.released &&
+ @build_list.status == BuildList::BUILD_PUBLISHED
 end
 end
diff --git a/spec/controllers/api/v1/advisories_controller_spec.rb b/spec/controllers/api/v1/advisories_controller_spec.rb
index cbac3a514..bb7114c7f 100644
--- a/spec/controllers/api/v1/advisories_controller_spec.rb
+++ b/spec/controllers/api/v1/advisories_controller_spec.rb
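Review bot: In `update` (advisories_controller.rb, second hunk) the added line `if @advisory && may_be_published?` ends without the trailing `&&` that the removed line carried. The two context lines that follow, `@advisory.attach_build_list(@build_list) &&` and `@advisory.save && @build_list.save`, therefore become the first statement of the `if` body rather than part of the condition. Their result is discarded and `render_json_response` reports success even when the attach or one of the saves fails. Restore the operator: `if @advisory && may_be_published? &&`. The `else` branch of `update` lies outside the hunk.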
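Review bot: Dropping `authorize! :publish, @build_list` from `find_build_list` (advisories_controller.rb, third hunk) leaves the lookup with no access check of its own; the only permission test that remains is `can?(:update, @build_list.save_to_platform)` buried in `may_be_published?`. A caller without rights now falls into the `else` branch and receives the validation error instead of an access-denied response, so authorization failures cannot be told apart from bad input in responses or logs. In `create`, `build_and_associate_advisory(params[:advisory])` also runs on the build list before any permission is evaluated. Consider keeping an explicit gate in the filter, e.g. `authorize! :update, @build_list.save_to_platform`, and leaving `may_be_published?` to the state checks only, with a comment such as `# advisories only for published builds on released platforms that require QA`. Whether another filter in this controller or in `Api::V1::BaseController` already authorizes the request is not visible from the hunk.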
@@ -88,6 +88,8 @@ describe Api::V1::AdvisoriesController do
 @advisory = FactoryGirl.create(:advisory)
 @build_list = FactoryGirl.create(:build_list_core)
+ @build_list.save_to_platform.update_column(:released, true)
+ @build_list.save_to_repository.update_column(:publish_without_qa, false)
 @build_list.update_column(:status, BuildList::BUILD_PUBLISHED)
 end
@@ -131,7 +133,6 @@ describe Api::V1::AdvisoriesController do
 context 'for user who has access to update build_list' do
 before do
 @user = FactoryGirl.create(:user)
- @build_list.project.relations.create(:role => 'admin', :actor => @user)
 @build_list.save_to_platform.relations.create(:role => 'admin', :actor => @user)
 http_login(@user)
 end
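Review bot: The setup in the first spec hunk fixes `released` to true and `publish_without_qa` to false, which exercises only the path where `may_be_published?` passes; nothing in these hunks covers the denial paths the controller change introduces. Add contexts for a user with no relation on `save_to_platform`, for a platform with `released` false and for a repository with `publish_without_qa` true, each asserting the error response and that no advisory is created or attached. A case for `update` where `@advisory.save` fails would also pin down the response the action gives on failure. The rest of the spec file is outside the hunks, so some of these cases may already exist.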