diff --git a/attract/__init__.py b/attract/__init__.py
index 85b1029..3fb6f7a 100644
--- a/attract/__init__.py
+++ b/attract/__init__.py
@@ -166,11 +166,12 @@ class AttractExtension(PillarExtension):
         return True
     def sidebar_links(self, project):
+        from pillar.api.utils import str2id
         if not self.is_attract_project(project):
             return ''
-        if not self.auth.current_user_may(auth.Actions.VIEW):
+        if not self.auth.current_user_may(auth.Actions.VIEW, str2id(project['_id'])):
             return ''
         return flask.render_template('attract/sidebar.html',
diff --git a/attract/auth.py b/attract/auth.py
index aea38db..5b1fdfc 100644
--- a/attract/auth.py
+++ b/attract/auth.py
@@ -61,7 +61,7 @@ class Auth(object):
         intersection = require_roles.intersection(user_roles)
         return bool(intersection)
-    def current_user_may(self, action: Actions) -> bool:
+    def current_user_may(self, action: Actions, project_id: bson.ObjectId=None) -> bool:
         """Returns True iff the user is authorised to use/view Attract on the current project.
         Requires that determine_user_rights() was called before.
@@ -70,9 +70,13 @@ class Auth(object):
         try:
             attract_rights = flask.g.attract_rights
         except AttributeError:
-            self._log.error('current_user_may() called without previous call ' 'to current_user_rights()')
-            return False
+            if not project_id:
+                self._log.error('current_user_may() called without previous call ' 'to current_user_rights()')
+                return False
+            self.determine_user_rights(project_id)
+            attract_rights = flask.g.attract_rights
         return action in attract_rights
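Review bot: The function-scope `from pillar.api.utils import str2id` at the top of sidebar_links looks like an import-cycle workaround, but nothing in the hunk says so; either hoist it to the module's import block or keep it local with the reason stated, e.g. `from pillar.api.utils import str2id  # local import: presumably avoids an import cycle with pillar — confirm`. Without that comment the next reader will hoist it and, if the cycle is real, break application start-up. sidebar_links continues past the end of this hunk.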
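Review bot: The docstring line `Requires that determine_user_rights() was called before.` is no longer accurate once the new project_id parameter is given, because the method then resolves the rights itself; reword it along the lines of `If project_id is given and rights have not been determined for this request yet, determine_user_rights(project_id) is called first; otherwise a prior call is required.` The annotation `project_id: bson.ObjectId=None` should read `project_id: Optional[bson.ObjectId] = None` (PEP 8 spacing around `=` when an annotation is present, and None is an accepted value); whether `bson` is already imported in auth.py is not visible in this hunk. current_user_may's body continues in the next hunk.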
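Review bot: The lazy `self.determine_user_rights(project_id)` in the except branch only runs when `flask.g.attract_rights` is absent, so on any later call within the same request the project_id argument is silently ignored and the rights cached for whichever project was checked first decide the outcome; if one request can touch more than one project, that is an authorization answer for one project computed from another's rights. Recording the project id the cached rights belong to alongside them in flask.g and re-running determine_user_rights when the requested id differs would close that gap; whether a single request can span projects is not visible here, so this may be theoretical. Two smaller points in the same branch: `if not project_id:` is better written `if project_id is None:`, and the log text `'to current_user_rights()'` names a method that does not appear in these hunks while the docstring above calls it determine_user_rights(), so the message presumably should say `'to determine_user_rights()'`. current_user_may starts in the previous hunk.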