diff --git a/CHANGELOG b/CHANGELOG
index 151db5d..97d1299 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -12,6 +12,7 @@ v 7.0.0
   - Make it easier to implement other CI services for GitLab
   - Group masters can create projects in group
   - Deprecate ruby 1.9.3 support
+  - Only masters can rewrite/remove git tags
 
 v 6.9.2
   - Revert the commit that broke the LDAP user filter
diff --git a/app/views/projects/tags/_tag.html.haml b/app/views/projects/tags/_tag.html.haml
index 6629e47..67d771c 100644
--- a/app/views/projects/tags/_tag.html.haml
+++ b/app/views/projects/tags/_tag.html.haml
@@ -17,6 +17,6 @@
       - if can? current_user, :download_code, @project
         = render 'projects/repositories/download_archive', ref: tag.name, btn_class: 'btn-grouped btn-group-small'
       - if can?(current_user, :admin_project, @project)
-        = link_to project_tag_path(@project, tag.name), class: 'btn btn-small remove-row grouped', method: :delete, data: { confirm: 'Removed tag cannot be restored. Are you sure?'}, remote: true do
+        = link_to project_tag_path(@project, tag.name), class: 'btn btn-small btn-remove remove-row grouped', method: :delete, data: { confirm: 'Removed tag cannot be restored. Are you sure?'}, remote: true do
           %i.icon-trash
 
diff --git a/doc/permissions/permissions.md b/doc/permissions/permissions.md
index 95b47a8..40d748c 100644
--- a/doc/permissions/permissions.md
+++ b/doc/permissions/permissions.md
@@ -27,6 +27,7 @@ If a user is a GitLab administrator they receive all permissions.
 |Add new team members| |||✓|✓|
 |Push to protected branches| |||✓|✓|
 |Enable/Disable branch protection| |||✓|✓|
+|Rewrite/remove git tags| |||✓|✓|
 |Edit project| |||✓|✓|
 |Add Deploy Keys to project| |||✓|✓|
 |Configure Project Hooks| |||✓|✓|
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 2f8b55a..38b3d82 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -53,6 +53,9 @@ module Gitlab
                    else
                      :push_code_to_protected_branches
                    end
+                 elsif project.repository && project.repository.tag_names.include?(ref)
+                   # Prevent any changes to existing git tag unless user has permissions
+                   :admin_project
                  else
                    :push_code
                  end
--
libgit2 0.21.2