diff --git a/app/views/layouts/_init_auto_complete.html.haml b/app/views/layouts/_init_auto_complete.html.haml
index 7b2a291d..800dfbe8 100644
--- a/app/views/layouts/_init_auto_complete.html.haml
+++ b/app/views/layouts/_init_auto_complete.html.haml
@@ -1,6 +1,6 @@
 :javascript
 $(function() {
- GitLab.GfmAutoComplete.Members.url = "#{ "/api/v2/projects/#{@project.path}/members" if @project }";
+ GitLab.GfmAutoComplete.Members.url = "#{ "/api/v2/projects/#{@project.id}/members" if @project }";
 GitLab.GfmAutoComplete.Members.params.private_token = "#{current_user.private_token}";
 GitLab.GfmAutoComplete.Emoji.data = #{raw emoji_autocomplete_source};
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index e9305b40..6bd8111c 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -5,13 +5,18 @@ module Gitlab
 end
 def user_project
- if @project ||= current_user.projects.find_by_id(params[:id]) ||
- current_user.projects.find_by_path(params[:id])
- else
- not_found!
- end
+ @project ||= find_project
+ @project || not_found!
+ end
- @project
+ def find_project
+ project = Project.find_by_id(params[:id]) || Project.find_with_namespace(params[:id])
+
+ if project && can?(current_user, :read_project, project)
+ project
+ else
+ nil
+ end
 end
 def paginate(object)
@@ -32,6 +37,10 @@ module Gitlab
 end
 end
+ def can?(object, action, subject)
+ abilities.allowed?(object, action, subject)
+ end
+
 def attributes_for_keys(keys)
 attrs = {}
 keys.each do |key|
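Review bot: The context line right after the changed URL in `_init_auto_complete.html.haml` still writes `current_user.private_token` into inline JavaScript, so any script running on a page that renders this partial can read the user's API credential. Switching the URL from `@project.path` to `@project.id` does not change that exposure. Consider pointing the members autocomplete at a session-authenticated route so the token never reaches the page. Until then, a comment above the `:javascript` filter would help, such as `-# private_token is readable by page scripts here; do not render this partial next to untrusted HTML`.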
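Review bot: `find_project` in `lib/api/helpers.rb` now looks projects up globally and gates them only on `:read_project`, where the removed code was limited to `current_user.projects`. Any endpoint that relied on `user_project` as its whole authorization (the callers are not visible in this diff) would now operate on every project the user can merely read, so modifying endpoints need their own stronger ability check, for example through the `can?` helper this commit adds. I would document that above the method: `# Establishes read access only; callers that modify the project must check a stronger ability.` Separately, `Project.find_by_id(params[:id])` runs before the namespace lookup, so an identifier the ORM coerces to an integer may resolve to a different project than the path intended; attempting the id lookup only when `params[:id].to_s =~ /\A\d+\z/` would remove that ambiguity.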
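Review bot: The first parameter of the new `can?` helper in `lib/api/helpers.rb` is named `object`, but `find_project` passes `current_user` in that position, so it is the actor rather than the thing being acted on. In an authorization helper a name that invites swapping actor and subject is worth fixing: `def can?(user, action, subject)` with `abilities.allowed?(user, action, subject)`. A one-line comment such as `# True when user may perform action on subject.` would make the argument order explicit. The trailing `attributes_for_keys` context continues outside the hunk and is not reviewed here.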