diff --git a/src/applications/project/controller/PhabricatorProjectEditController.php b/src/applications/project/controller/PhabricatorProjectEditController.php
index 5091135bec..7c041af93a 100644
--- a/src/applications/project/controller/PhabricatorProjectEditController.php
+++ b/src/applications/project/controller/PhabricatorProjectEditController.php
@@ -24,6 +24,11 @@ final class PhabricatorProjectEditController
 $id = $request->getURIData('id');
 if (!$id) {
+ // This capability is checked again later, but checking it here
+ // explicitly gives us a better error message.
+ $this->requireApplicationCapability(
+ ProjectCreateProjectsCapability::CAPABILITY);
+
 $parent_id = head($request->getArr('parent'));
 if (!$parent_id) {
 $parent_id = $request->getStr('parent');
diff --git a/src/applications/project/controller/PhabricatorProjectSubprojectsController.php b/src/applications/project/controller/PhabricatorProjectSubprojectsController.php
index 36f9d641a8..eb32d00b92 100644
--- a/src/applications/project/controller/PhabricatorProjectSubprojectsController.php
+++ b/src/applications/project/controller/PhabricatorProjectSubprojectsController.php
@@ -181,6 +181,9 @@ final class PhabricatorProjectSubprojectsController
 $viewer = $this->getViewer();
 $id = $project->getID();
+ $can_create = $this->hasApplicationCapability(
+ ProjectCreateProjectsCapability::CAPABILITY);
+
 $can_edit = PhabricatorPolicyFilter::hasCapability(
 $viewer,
 $project,
@@ -198,7 +201,7 @@ final class PhabricatorProjectSubprojectsController
 $milestone_text = pht('Create Milestone');
 }
- $can_milestone = ($can_edit && $allows_milestones);
+ $can_milestone = ($can_create && $can_edit && $allows_milestones);
 $milestone_href = "/project/edit/?milestone={$id}";
 $view->addAction(
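Review bot: The comment added in the `if (!$id)` branch says the capability is "checked again later" but does not name where, so a reader cannot tell which of the two checks is the enforcement point and which exists only for the error message. Naming the later check would make it harder for a future refactor to remove the authoritative one, for example `// Enforced again when the edit is applied (<name of the later check>); this early check only improves the error message.`. The enclosing method starts and ends outside the hunk, so the later check is not visible here.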
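Review bot: `$can_create` is a display-only gate and nothing in these hunks says so. Here and in the two hunks that follow it only feeds `$can_milestone` and `$can_subproject`, which drive `setDisabled()`/`setWorkflow()`, while `$milestone_href` still points at `/project/edit/?milestone={$id}` for every viewer. Enforcement therefore rests on the edit endpoint, which the `requireApplicationCapability()` call added to PhabricatorProjectEditController in this commit appears to cover for the create path. A short comment above the assignment would record that, such as `// Display only: the edit controller enforces this capability when the request arrives.`. The enclosing method begins and ends outside the hunk.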
@@ -209,7 +212,7 @@ final class PhabricatorProjectSubprojectsController
 ->setDisabled(!$can_milestone)
 ->setWorkflow(!$can_milestone));
- $can_subproject = ($can_edit && $allows_subprojects);
+ $can_subproject = ($can_create && $can_edit && $allows_subprojects);
 // If we're offering to create the first subproject, we're going to warn
 // the user about the effects before moving forward.