diff --git a/app/controllers/projects/cycle_analytics/events_controller.rb b/app/controllers/projects/cycle_analytics/events_controller.rb
index cc75dc247d3afa5930368474c42ff5f537f2b3bc..cb52dfc830a60e1dbfbb3a2b0c012b4741eba58b 100644
--- a/app/controllers/projects/cycle_analytics/events_controller.rb
+++ b/app/controllers/projects/cycle_analytics/events_controller.rb
@@ -2,7 +2,7 @@ class Projects::CycleAnalytics::EventsController < Projects::ApplicationControll
 include CycleAnalyticsParams
 before_action :authorize_read_cycle_analytics!
- before_action :authorize_read_builds!, only: [:test, :staging]
+ before_action :authorize_builds!, only: [:test, :staging]
 def issue
 render_events(events.issue_events)
@@ -56,4 +56,8 @@ class Projects::CycleAnalytics::EventsController < Projects::ApplicationControll
 params[:events].slice(:start_date, :branch_name)
 end
+
+ def authorize_builds!
+ return access_denied! unless current_user.can?(:read_build, project)
+ end
 end
diff --git a/spec/requests/projects/cycle_analytics_events_spec.rb b/spec/requests/projects/cycle_analytics_events_spec.rb
index d4da8707ea5167dffcfd7ccd8ed85e10e5ff34ca..ef6e4c80911f2312e3e127963ceeb9224a91a094 100644
--- a/spec/requests/projects/cycle_analytics_events_spec.rb
+++ b/spec/requests/projects/cycle_analytics_events_spec.rb
@@ -39,7 +39,7 @@ describe 'cycle analytics events' do
 newest_sha = commits.sort_by { |k| k['date'] }.first[:sha][0...8]
- expect(json_response['events'].first['sha']).to eq(newest_sha)
+ expect(json_response['events'].first['short_sha']).to eq(newest_sha)
 end
 it 'lists the code events' do
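Review bot: The `before_action` swap from `authorize_read_builds!` to `authorize_builds!` carries no explanation, and the two names read as equivalent, so a later cleanup could plausibly revert it. A short comment above the filter would record the intent, for example `# Explicit :read_build check for the stages that expose build data; see authorize_builds!`. The filter is also an allowlist (`only: [:test, :staging]`), so any action added later that returns build data stays unguarded until it is listed here; that is worth saying in the same comment. The class body continues outside the hunk.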
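Review bot: `authorize_builds!` calls `current_user.can?` directly, so a request with no signed-in user would raise NoMethodError on nil rather than be denied. This assumes such a request can get past `authorize_read_cycle_analytics!`, for example on a publicly visible project, which this hunk does not show. A nil-safe guard keeps the check fail-closed: `return access_denied! unless current_user && current_user.can?(:read_build, project)`. The method is appended after the body of another method whose `def` line is outside the hunk, so it is worth confirming that it sits under `private` and cannot be routed as an action.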
@@ -99,6 +99,30 @@ describe 'cycle analytics events' do
 expect(json_response['events'].first['date']).not_to be_empty
 end
 end
+
+ context 'with private project and builds' do
+ before do
+ ProjectMember.first.update(access_level: Gitlab::Access::GUEST)
+ end
+
+ it 'does not list the test events' do
+ get namespace_project_cycle_analytics_test_path(project.namespace, project, format: :json)
+
+ expect(response).to have_http_status(:not_found)
+ end
+
+ it 'does not list the staging events' do
+ get namespace_project_cycle_analytics_staging_path(project.namespace, project, format: :json)
+
+ expect(response).to have_http_status(:not_found)
+ end
+
+ it 'lists the issue events' do
+ get namespace_project_cycle_analytics_issue_path(project.namespace, project, format: :json)
+
+ expect(response).to have_http_status(:ok)
+ end
+ end
 end
 def json_response
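Review bot: The `before` block downgrades `ProjectMember.first`, which depends on whichever membership row comes first, and `update` returns false silently if the save fails. In that case 'lists the issue events' would still pass without the guest role ever being applied. Using `ProjectMember.first.update!(access_level: Gitlab::Access::GUEST)`, or downgrading the signed-in user's own membership explicitly, makes the precondition fail loudly. The new context covers only a guest member. If these endpoints can be reached without signing in, a case asserting that such a request to the test and staging paths is denied rather than erroring would cover the other path through the new filter. The enclosing `describe` block and its setup are outside the hunk.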