diff --git a/app/finders/banzai/uploads_finder.rb b/app/finders/banzai/uploads_finder.rb
index e05e426e27e9ef471d8caaa3244e06b840a48f4f..28dc83b907c337f8405f6d720d3bf3ec4cf3f5ef 100644
--- a/app/finders/banzai/uploads_finder.rb
+++ b/app/finders/banzai/uploads_finder.rb
@@ -2,6 +2,8 @@
 
 module Banzai
   class UploadsFinder
+    include FinderMethods
+
     def initialize(parent:)
       @parent = parent
     end
diff --git a/app/models/upload.rb b/app/models/upload.rb
index bad9fb660af983f788449ef4da4a6dbd47fb7c56..1ebcac75baaeba1a0985a9049007a747748369e7 100644
--- a/app/models/upload.rb
+++ b/app/models/upload.rb
@@ -20,6 +20,7 @@ class Upload < ApplicationRecord
   scope :for_model_type_and_id, ->(type, id) { where(model_type: type, model_id: id) }
   scope :for_uploader, ->(uploader_class) { where(uploader: uploader_class.to_s) }
   scope :order_by_created_at_desc, -> { reorder(created_at: :desc) }
+  scope :preload_uploaded_by_user, -> { preload(:uploaded_by_user) }
 
   before_save :calculate_checksum!, if: :foreground_checksummable?
   # as the FileUploader is not mounted, the default CarrierWave ActiveRecord
@@ -98,7 +99,7 @@ def build_uploader(mounted_as = nil)
   # @return [GitlabUploader] one of the subclasses, defined at the model's uploader attribute
   def retrieve_uploader(mounted_as = nil)
     build_uploader(mounted_as).tap do |uploader|
-      uploader.retrieve_from_store!(identifier)
+      uploader.retrieve_from_store!(filename)
     end
   end
 
@@ -124,7 +125,7 @@ def exist?
 
   def uploader_context
     {
-      identifier: identifier,
+      identifier: filename,
       secret: secret,
       uploaded_by_user_id: uploaded_by_user_id
     }.compact
@@ -144,6 +145,10 @@ def needs_checksum?
     checksum.nil? && local? && exist?
   end
 
+  def filename
+    File.basename(path)
+  end
+
   private
 
   def delete_file!
@@ -166,10 +171,6 @@ def uploader_class
     Object.const_get(uploader, false)
   end
 
-  def identifier
-    File.basename(path)
-  end
-
   def mount_point
     super&.to_sym
   end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index a9ad133c0234bebce5a51c1c81765998d2db1be5..249c52bf330b9d326630c451e8fcb6798013020e 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -256,6 +256,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
     enable :create_jira_connect_subscription
     enable :maintainer_access
     enable :read_upload
+    enable :admin_upload
     enable :destroy_upload
     enable :admin_push_rules
   end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 09312d4e883f95c99bdfae8d7432e3d1f9901cbb..c8659478d4b438843ae428c24de6bf75dd898fcd 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -613,6 +613,7 @@ class ProjectPolicy < BasePolicy
     enable :admin_project_aws
     enable :admin_secure_files
     enable :read_upload
+    enable :admin_upload
     enable :destroy_upload
     enable :admin_incident_management_timeline_event_tag
     enable :stop_environment
diff --git a/doc/api/groups.md b/doc/api/groups.md
index 170e2f41d91f806a83e003c4b8b14e54623e39e3..6d47b06dc1c95ff1c571a7f55c4559c90cc827b4 100644
--- a/doc/api/groups.md
+++ b/doc/api/groups.md
@@ -1701,6 +1701,99 @@ Example response:
 }
 ```
 
+## Markdown uploads
+
+Markdown uploads are files uploaded to a group that can be referenced in Markdown text in an epic or wiki page.
+
+### List uploads
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157066) in GitLab 17.2.
+
+Get all uploads of the group sorted by `created_at` in descending order.
+
+You must have at least the Maintainer role to use this endpoint.
+
+```plaintext
+GET /groups/:id/uploads
+```
+
+| Attribute | Type              | Required | Description |
+|-----------|-------------------|----------|-------------|
+| `id`      | integer or string | Yes      | The ID or [URL-encoded path of the group](rest/index.md#namespaced-path-encoding). |
+
+Example request:
+
+```shell
+curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/5/uploads"
+```
+
+Returned object:
+
+```json
+[
+  {
+    "id": 1,
+    "size": 1024,
+    "filename": "image.png",
+    "created_at":"2024-06-20T15:53:03.067Z",
+    "uploaded_by": {
+      "id": 18,
+      "name" : "Alexandra Bashirian",
+      "username" : "eileen.lowe"
+    }
+  },
+  {
+    "id": 2,
+    "size": 512,
+    "filename": "other-image.png",
+    "created_at":"2024-06-19T15:53:03.067Z",
+    "uploaded_by": null
+  }
+]
+```
+
+### Download an uploaded file
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157066) in GitLab 17.2.
+
+You must have at least the Maintainer role to use this endpoint.
+
+```plaintext
+GET /groups/:id/uploads/:upload_id
+```
+
+| Attribute   | Type              | Required | Description |
+|-------------|-------------------|----------|-------------|
+| `id`        | integer or string | Yes      | The ID or [URL-encoded path of the group](rest/index.md#namespaced-path-encoding). |
+| `upload_id` | integer           | Yes      | The ID of the upload. |
+
+Example request:
+
+```shell
+curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/5/uploads/1"
+```
+
+### Delete an uploaded file
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157066) in GitLab 17.2.
+
+You must have at least the Maintainer role to use this endpoint.
+
+```plaintext
+DELETE /groups/:id/uploads/:upload_id
+```
+
+| Attribute   | Type              | Required | Description |
+|-------------|-------------------|----------|-------------|
+| `id`        | integer or string | Yes      | The ID or [URL-encoded path of the group](rest/index.md#namespaced-path-encoding). |
+| `upload_id` | integer           | Yes      | The ID of the upload. |
+
+Example request:
+
+```shell
+curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/5/uploads/1"
+```
+
 ## Hooks
 
 DETAILS:
@@ -2433,11 +2526,11 @@ DELETE /groups/:id/push_rule
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/371117) in GitLab 17.2 [with a flag](../administration/feature_flags.md) named `group_agnostic_token_revocation`. Disabled by default.
 
 FLAG:
-The availability of this feature is controlled by a feature flag. 
+The availability of this feature is controlled by a feature flag.
 For more information, see the history.
 
 Revoke a token, if it has access to the group or any of its subgroups
-and projects. If the token is revoked, or was already revoked, its 
+and projects. If the token is revoked, or was already revoked, its
 details are returned in the response.
 
 The following criteria must be met:
diff --git a/doc/api/projects.md b/doc/api/projects.md
index 7de24c1817191f468e0d44c4b959a98a2c911f73..e3cc29d84fe7d9b0eec48f67ca03d7d26207765a 100644
--- a/doc/api/projects.md
+++ b/doc/api/projects.md
@@ -2599,7 +2599,11 @@ POST /projects/:id/restore
 |-----------|-------------------|----------|-------------|
 | `id`      | integer or string | Yes      | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding). |
 
-## Upload a file
+## Markdown uploads
+
+Markdown uploads are files uploaded to a project that can be referenced in Markdown text in an issue, merge request, snippet, or wiki page.
+
+### Upload a file
 
 > - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/112450) in GitLab 15.10. Feature flag `enforce_max_attachment_size_upload_api` removed.
 
@@ -2640,6 +2644,95 @@ The returned `url` is relative to the project path. The returned `full_path` is
 the absolute path to the file. In Markdown contexts, the link is expanded when
 the format in `markdown` is used.
 
+### List uploads
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157066) in GitLab 17.2.
+
+Get all uploads of the project sorted by `created_at` in descending order.
+
+You must have at least the Maintainer role to use this endpoint.
+
+```plaintext
+GET /projects/:id/uploads
+```
+
+| Attribute | Type              | Required | Description |
+|-----------|-------------------|----------|-------------|
+| `id`      | integer or string | Yes      | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding). |
+
+Example request:
+
+```shell
+curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/5/uploads"
+```
+
+Returned object:
+
+```json
+[
+  {
+    "id": 1,
+    "size": 1024,
+    "filename": "image.png",
+    "created_at":"2024-06-20T15:53:03.067Z",
+    "uploaded_by": {
+      "id": 18,
+      "name" : "Alexandra Bashirian",
+      "username" : "eileen.lowe"
+    }
+  },
+  {
+    "id": 2,
+    "size": 512,
+    "filename": "other-image.png",
+    "created_at":"2024-06-19T15:53:03.067Z",
+    "uploaded_by": null
+  }
+]
+```
+
+### Download an uploaded file
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157066) in GitLab 17.2.
+
+You must have at least the Maintainer role to use this endpoint.
+
+```plaintext
+GET /projects/:id/uploads/:upload_id
+```
+
+| Attribute   | Type              | Required | Description |
+|-------------|-------------------|----------|-------------|
+| `id`        | integer or string | Yes      | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding). |
+| `upload_id` | integer           | Yes      | The ID of the upload. |
+
+Example request:
+
+```shell
+curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/5/uploads/1"
+```
+
+### Delete an uploaded file
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157066) in GitLab 17.2.
+
+You must have at least the Maintainer role to use this endpoint.
+
+```plaintext
+DELETE /projects/:id/uploads/:upload_id
+```
+
+| Attribute   | Type              | Required | Description |
+|-------------|-------------------|----------|-------------|
+| `id`        | integer or string | Yes      | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding). |
+| `upload_id` | integer           | Yes      | The ID of the upload. |
+
+Example request:
+
+```shell
+curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/projects/5/uploads/1"
+```
+
 ## Upload a project avatar
 
 Uploads an avatar to the specified project.
diff --git a/doc/security/user_file_uploads.md b/doc/security/user_file_uploads.md
index b2d6bc18fc04432d0bdda5529c4fb1cc5a80a207..b70378e0acfb56773ca279e27f39bb366e206d87 100644
--- a/doc/security/user_file_uploads.md
+++ b/doc/security/user_file_uploads.md
@@ -65,6 +65,7 @@ You cannot select this option for public projects.
 ## Delete uploaded files
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/92791) in GitLab 15.3.
+> - REST API [added](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/157066) support in GitLab 17.2.
 
 You should delete an uploaded file when that file contains sensitive or confidential information. When you have deleted that file, users cannot access the file and the direct URL returns a 404 error.
 
@@ -87,6 +88,8 @@ mutation{
 
 Project members that do not have the Owner or Maintainer role cannot access this GraphQL endpoint.
 
+You can also use the REST API for [projects](../api/projects.md#delete-an-uploaded-file) or [groups](../api/groups.md#delete-an-uploaded-file) to delete an uploaded file.
+
 <!-- ## Troubleshooting
 
 Include any troubleshooting steps that you can foresee. If you know beforehand what issues
diff --git a/lib/api/entities/markdown_upload_admin.rb b/lib/api/entities/markdown_upload_admin.rb
new file mode 100644
index 0000000000000000000000000000000000000000..064e074b722a3f1b56f33e17629cef3297fc4657
--- /dev/null
+++ b/lib/api/entities/markdown_upload_admin.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module API
+  module Entities
+    class MarkdownUploadAdmin < Grape::Entity
+      expose :id
+      expose :size
+      expose :filename
+      expose :created_at
+      expose :uploaded_by_user, as: :uploaded_by, using: Entities::UserSafe
+    end
+  end
+end
diff --git a/lib/api/markdown_uploads.rb b/lib/api/markdown_uploads.rb
index 01bad30b97312439841645360d504ea68b6bf182..e020c9540e4b88afd108033f0a29b93d5285dda7 100644
--- a/lib/api/markdown_uploads.rb
+++ b/lib/api/markdown_uploads.rb
@@ -2,8 +2,21 @@
 
 module API
   class MarkdownUploads < ::API::Base
+    include PaginationParams
+
     feature_category :team_planning
 
+    helpers do
+      def find_uploads(parent)
+        uploads = Banzai::UploadsFinder.new(parent: parent).execute
+        uploads.preload_uploaded_by_user
+      end
+
+      def find_upload(parent, upload_id)
+        Banzai::UploadsFinder.new(parent: parent).find(upload_id)
+      end
+    end
+
     resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
       desc 'Workhorse authorize the file upload' do
         detail 'This feature was introduced in GitLab 13.11'
@@ -37,6 +50,136 @@ class MarkdownUploads < ::API::Base
 
         present upload, with: Entities::ProjectUpload
       end
+
+      desc 'Get the list of uploads of a project' do
+        success code: 200, model: Entities::MarkdownUploadAdmin
+        failure [
+          { code: 403, message: 'Unauthenticated' },
+          { code: 404, message: 'Not found' }
+        ]
+        is_array true
+        tags %w[projects]
+      end
+      params do
+        use :pagination
+      end
+      get ':id/uploads' do
+        authorize! :admin_upload, user_project
+
+        uploads = find_uploads(user_project)
+
+        present paginate(uploads), with: Entities::MarkdownUploadAdmin
+      end
+
+      desc 'Download a single project upload' do
+        success File
+        failure [
+          { code: 403, message: 'Unauthenticated' },
+          { code: 404, message: 'Not found' }
+        ]
+        tags %w[projects]
+      end
+      params do
+        requires :upload_id, type: Integer, desc: 'The ID of a project upload'
+      end
+      get ':id/uploads/:upload_id' do
+        authorize! :admin_upload, user_project
+
+        upload = find_upload(user_project, params[:upload_id])
+
+        present_carrierwave_file!(upload.retrieve_uploader)
+      end
+
+      desc 'Delete a single project upload' do
+        success code: 204
+        failure [
+          { code: 400, message: 'Bad request' },
+          { code: 403, message: 'Unauthenticated' },
+          { code: 404, message: 'Not found' }
+        ]
+        tags %w[projects]
+      end
+      params do
+        requires :upload_id, type: Integer, desc: 'The ID of a project upload'
+      end
+      delete ':id/uploads/:upload_id' do
+        authorize! :destroy_upload, user_project
+
+        upload = find_upload(user_project, params[:upload_id])
+        result = Uploads::DestroyService.new(user_project, current_user).execute(upload)
+
+        if result[:status] == :success
+          status 204
+        else
+          bad_request!(result[:message])
+        end
+      end
+    end
+
+    resource :groups, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
+      desc 'Get the list of uploads of a group' do
+        success code: 200, model: Entities::MarkdownUploadAdmin
+        failure [
+          { code: 403, message: 'Unauthenticated' },
+          { code: 404, message: 'Not found' }
+        ]
+        is_array true
+        tags %w[groups]
+      end
+      params do
+        use :pagination
+      end
+      get ':id/uploads' do
+        authorize! :admin_upload, user_group
+
+        uploads = find_uploads(user_group)
+
+        present paginate(uploads), with: Entities::MarkdownUploadAdmin
+      end
+
+      desc 'Download a single group upload' do
+        success File
+        failure [
+          { code: 403, message: 'Unauthenticated' },
+          { code: 404, message: 'Not found' }
+        ]
+        tags %w[groups]
+      end
+      params do
+        requires :upload_id, type: Integer, desc: 'The ID of a group upload'
+      end
+      get ':id/uploads/:upload_id' do
+        authorize! :admin_upload, user_group
+
+        upload = find_upload(user_group, params[:upload_id])
+
+        present_carrierwave_file!(upload.retrieve_uploader)
+      end
+
+      desc 'Delete a single group upload' do
+        success code: 204
+        failure [
+          { code: 400, message: 'Bad request' },
+          { code: 403, message: 'Unauthenticated' },
+          { code: 404, message: 'Not found' }
+        ]
+        tags %w[groups]
+      end
+      params do
+        requires :upload_id, type: Integer, desc: 'The ID of a group upload'
+      end
+      delete ':id/uploads/:upload_id' do
+        authorize! :destroy_upload, user_group
+
+        upload = find_upload(user_group, params[:upload_id])
+        result = Uploads::DestroyService.new(user_group, current_user).execute(upload)
+
+        if result[:status] == :success
+          status 204
+        else
+          bad_request!(result[:message])
+        end
+      end
     end
   end
 end
diff --git a/spec/lib/api/entities/markdown_upload_admin_spec.rb b/spec/lib/api/entities/markdown_upload_admin_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..8c0fac547b352ce4cbbe149490b11d63f4231240
--- /dev/null
+++ b/spec/lib/api/entities/markdown_upload_admin_spec.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe API::Entities::MarkdownUploadAdmin, feature_category: :team_planning do
+  describe '#as_json' do
+    let_it_be(:user) { create(:user) }
+    let_it_be(:upload) { create(:upload, :issuable_upload, uploaded_by_user: user) }
+
+    subject { described_class.new(upload).as_json }
+
+    it 'exposes correct attributes' do
+      is_expected.to include(
+        id: upload.id,
+        size: upload.size,
+        filename: upload.filename,
+        created_at: upload.created_at,
+        uploaded_by: {
+          id: user.id,
+          name: user.name,
+          username: user.username
+        }
+      )
+    end
+  end
+end
diff --git a/spec/requests/api/markdown_uploads_spec.rb b/spec/requests/api/markdown_uploads_spec.rb
index a9c329b4923689cea6bde1603ee7b9eb4843a86e..0f373ca60fabdc22928d41019071d33114674fa2 100644
--- a/spec/requests/api/markdown_uploads_spec.rb
+++ b/spec/requests/api/markdown_uploads_spec.rb
@@ -3,8 +3,13 @@
 require 'spec_helper'
 
 RSpec.describe API::MarkdownUploads, feature_category: :team_planning do
+  let_it_be(:group) { create(:group, :private) }
+  let_it_be(:group_maintainer) { create(:user, maintainer_of: group) }
+
   let_it_be(:project) { create(:project, :private) }
-  let_it_be(:user) { create(:user, guest_of: project) }
+  let_it_be(:project_maintainer) { create(:user, maintainer_of: project) }
+
+  let_it_be(:user) { create(:user, guest_of: [project, group]) }
 
   describe "POST /projects/:id/uploads/authorize" do
     include WorkhorseHelpers
@@ -77,4 +82,130 @@
       expect(File.exist?(path)).to be(false)
     end
   end
+
+  shared_examples 'a request from an unauthorized user' do
+    it 'returns 403' do
+      get api(path, user)
+
+      expect(response).to have_gitlab_http_status(:forbidden)
+    end
+  end
+
+  describe "GET /projects/:id/uploads" do
+    let_it_be(:uploads) { create_list(:upload, 3, :issuable_upload, model: project) }
+    let_it_be(:other_upload) { create(:upload, :issuable_upload, model: create(:project)) }
+
+    let(:path) { "/projects/#{project.id}/uploads" }
+
+    it 'returns uploads ordered by created_at' do
+      get api(path, project_maintainer)
+
+      expect_paginated_array_response(uploads.reverse.map(&:id))
+    end
+
+    it_behaves_like 'a request from an unauthorized user'
+  end
+
+  describe "GET /projects/:id/uploads/:upload_id" do
+    let_it_be(:upload) { create(:upload, :issuable_upload, :with_file, model: project, filename: 'test.jpg') }
+
+    let(:path) { "/projects/#{project.id}/uploads/#{upload.id}" }
+
+    it 'returns the uploaded file' do
+      get api(path, project_maintainer)
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(response.headers['Content-Disposition'])
+        .to eq(%(attachment; filename="test.jpg"; filename*=UTF-8''test.jpg))
+    end
+
+    it_behaves_like 'a request from an unauthorized user'
+  end
+
+  describe "DELETE /projects/:id/uploads/:upload_id" do
+    let_it_be(:upload) { create(:upload, :issuable_upload, model: project) }
+
+    let(:path) { "/projects/#{project.id}/uploads/#{upload.id}" }
+
+    it 'deletes the given upload' do
+      expect do
+        delete api(path, project_maintainer)
+      end.to change { Upload.count }.by(-1)
+
+      expect(response).to have_gitlab_http_status(:no_content)
+    end
+
+    it 'returns an error when deletion fails' do
+      expect_next_instance_of(Banzai::UploadsFinder) do |finder|
+        expect(finder).to receive(:find).with(upload.id).and_return(upload)
+      end
+      expect(upload).to receive(:destroy).and_return(false)
+
+      delete api(path, project_maintainer)
+
+      expect(response).to have_gitlab_http_status(:bad_request)
+      expect(json_response['message']).to include(_('Upload could not be deleted.'))
+    end
+
+    it_behaves_like 'a request from an unauthorized user'
+  end
+
+  describe "GET /groups/:id/uploads" do
+    let_it_be(:uploads) { create_list(:upload, 3, :namespace_upload, model: group) }
+    let_it_be(:other_upload) { create(:upload, :namespace_upload, model: create(:group)) }
+
+    let(:path) { "/groups/#{group.id}/uploads" }
+
+    it 'returns uploads ordered by created_at' do
+      get api(path, group_maintainer)
+
+      expect_paginated_array_response(uploads.reverse.map(&:id))
+    end
+
+    it_behaves_like 'a request from an unauthorized user'
+  end
+
+  describe "GET /groups/:id/uploads/:upload_id" do
+    let_it_be(:upload) { create(:upload, :namespace_upload, :with_file, model: group, filename: 'test.jpg') }
+
+    let(:path) { "/groups/#{group.id}/uploads/#{upload.id}" }
+
+    it 'returns the uploaded file' do
+      get api(path, group_maintainer)
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(response.headers['Content-Disposition'])
+        .to eq(%(attachment; filename="test.jpg"; filename*=UTF-8''test.jpg))
+    end
+
+    it_behaves_like 'a request from an unauthorized user'
+  end
+
+  describe "DELETE /groups/:id/uploads/:upload_id" do
+    let_it_be(:upload) { create(:upload, :namespace_upload, model: group) }
+
+    let(:path) { "/groups/#{group.id}/uploads/#{upload.id}" }
+
+    it 'deletes the given upload' do
+      expect do
+        delete api(path, group_maintainer)
+      end.to change { Upload.count }.by(-1)
+
+      expect(response).to have_gitlab_http_status(:no_content)
+    end
+
+    it 'returns an error when deletion fails' do
+      expect_next_instance_of(Banzai::UploadsFinder) do |finder|
+        expect(finder).to receive(:find).with(upload.id).and_return(upload)
+      end
+      expect(upload).to receive(:destroy).and_return(false)
+
+      delete api(path, group_maintainer)
+
+      expect(response).to have_gitlab_http_status(:bad_request)
+      expect(json_response['message']).to include(_('Upload could not be deleted.'))
+    end
+
+    it_behaves_like 'a request from an unauthorized user'
+  end
 end
diff --git a/spec/support/shared_contexts/policies/group_policy_shared_context.rb b/spec/support/shared_contexts/policies/group_policy_shared_context.rb
index 0e41bee4f4f5f6b210c4406e0f6cf6c0dfc68689..d5d37e95deab113cd70bcc58ea028225c7d7a9ef 100644
--- a/spec/support/shared_contexts/policies/group_policy_shared_context.rb
+++ b/spec/support/shared_contexts/policies/group_policy_shared_context.rb
@@ -63,7 +63,7 @@
       destroy_package
       create_projects
       create_cluster update_cluster admin_cluster add_cluster
-      destroy_upload
+      admin_upload destroy_upload
       admin_achievement
       award_achievement
       read_group_runners
diff --git a/spec/support/shared_contexts/policies/project_policy_shared_context.rb b/spec/support/shared_contexts/policies/project_policy_shared_context.rb
index 452fd74b3478f4a292508b8055930b3cc37a9c9b..83eb86a5b94ec1e2c20c845a1740cf618324667d 100644
--- a/spec/support/shared_contexts/policies/project_policy_shared_context.rb
+++ b/spec/support/shared_contexts/policies/project_policy_shared_context.rb
@@ -70,7 +70,7 @@
       admin_project admin_project_member admin_push_rules admin_runner admin_snippet admin_terraform_state
       admin_wiki create_deploy_token destroy_deploy_token manage_deploy_tokens
       push_to_delete_protected_branch read_deploy_token update_snippet
-      destroy_upload admin_member_access_request rename_project manage_merge_request_settings
+      admin_upload destroy_upload admin_member_access_request rename_project manage_merge_request_settings
       admin_integrations
     ]
   end