diff --git a/ee/app/graphql/resolvers/merge_trains/trains_resolver.rb b/ee/app/graphql/resolvers/merge_trains/trains_resolver.rb
index 2eb5f93853500655a44084fb3130cdc7343e83dd..3d4bb0f87ece2e20dd03b1a798d1ed3188e33390 100644
--- a/ee/app/graphql/resolvers/merge_trains/trains_resolver.rb
+++ b/ee/app/graphql/resolvers/merge_trains/trains_resolver.rb
@@ -33,7 +33,7 @@ def merge_trains_available?
       end
 
       def authorize!
-        current_user.can?(:read_merge_train, project) || raise_resource_not_available_error!
+        Ability.allowed?(current_user, :read_merge_train, project) || raise_resource_not_available_error!
       end
     end
   end
diff --git a/ee/spec/requests/api/graphql/merge_trains/trains_spec.rb b/ee/spec/requests/api/graphql/merge_trains/trains_spec.rb
index 6bc8ff87ad868206184bdfe15d50fb0ccd8df221..7fa960331f8e4373fc6d4301cdc578805cee3a19 100644
--- a/ee/spec/requests/api/graphql/merge_trains/trains_spec.rb
+++ b/ee/spec/requests/api/graphql/merge_trains/trains_spec.rb
@@ -6,7 +6,8 @@
   include GraphqlHelpers
   include MergeTrainsHelpers
 
-  let_it_be(:target_project) { create(:project, :repository) }
+  let_it_be(:private_project) { create(:project, :repository) }
+  let(:target_project) { private_project }
   let(:car_fields) do
     <<~QUERY
       nodes {
@@ -66,16 +67,16 @@
   end
 
   before_all do
-    target_project.ci_cd_settings.update!(merge_trains_enabled: true)
-    target_project.add_reporter(reporter)
-    target_project.add_guest(guest)
-    target_project.add_maintainer(maintainer)
-    create_merge_request_on_train(project: target_project, author: maintainer)
-    create_merge_request_on_train(project: target_project, source_branch: 'branch-1', author: maintainer)
-    create_merge_request_on_train(project: target_project, source_branch: 'branch-2', status: :merged,
+    private_project.ci_cd_settings.update!(merge_trains_enabled: true)
+    private_project.add_reporter(reporter)
+    private_project.add_guest(guest)
+    private_project.add_maintainer(maintainer)
+    create_merge_request_on_train(project: private_project, author: maintainer)
+    create_merge_request_on_train(project: private_project, source_branch: 'branch-1', author: maintainer)
+    create_merge_request_on_train(project: private_project, source_branch: 'branch-2', status: :merged,
       author: maintainer)
-    create_merge_request_on_train(project: target_project, target_branch: 'feature-1', author: maintainer)
-    create_merge_request_on_train(project: target_project, target_branch: 'feature-2', status: :merged,
+    create_merge_request_on_train(project: private_project, target_branch: 'feature-1', author: maintainer)
+    create_merge_request_on_train(project: private_project, target_branch: 'feature-2', status: :merged,
       author: maintainer)
     create(:merge_train_car, target_project: create(:project), target_branch: 'master')
   end
@@ -108,6 +109,7 @@
 
     it 'returns a resource not available error' do
       post_query
+
       expect_graphql_errors_to_include(
         "The resource that you are attempting to access does not exist " \
           "or you don't have permission to perform this action"
@@ -130,6 +132,50 @@
     end
   end
 
+  context 'when logged out' do
+    let(:user) { nil }
+
+    context 'with a public project' do
+      let_it_be(:public_project) { create(:project, :public) }
+      let(:target_project) { public_project }
+
+      before_all do
+        public_project.ci_cd_settings.update!(merge_trains_enabled: true)
+        create_merge_request_on_train(project: public_project, author: maintainer)
+        create_merge_request_on_train(project: public_project, target_branch: 'feature-1', author: maintainer)
+      end
+
+      it_behaves_like 'fetches the requested trains' do
+        let(:expected_branches) { %w[master feature-1] }
+
+        before do
+          public_project.project_feature.update!(merge_requests_access_level: ProjectFeature::ENABLED)
+        end
+      end
+
+      context 'when merge request access level is PRIVATE' do
+        it 'returns a resource not available error' do
+          public_project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
+
+          post_query
+
+          expect_graphql_errors_to_include(
+            "The resource that you are attempting to access does not exist " \
+              "or you don't have permission to perform this action"
+          )
+        end
+      end
+    end
+
+    context 'with a private project' do
+      it 'returns nil for project' do
+        post_query
+
+        expect(graphql_data_at(:project)).to be_nil
+      end
+    end
+  end
+
   context 'when the user has the right permissions' do
     context 'when only the project is provided' do
       it_behaves_like 'fetches the requested trains' do