2 files changed, 15 insertions, 5 deletions

diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 386822d3ff6..984e5482288 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -1,17 +1,15 @@
 module Ci
   class BuildPolicy < CommitStatusPolicy
-    condition(:protected_action) do
-      next false unless @subject.action?
-
+    condition(:protected_ref) do
       access = ::Gitlab::UserAccess.new(@user, project: @subject.project)
 
       if @subject.tag?
         !access.can_create_tag?(@subject.ref)
       else
-        !access.can_merge_to_branch?(@subject.ref)
+        !access.can_update_branch?(@subject.ref)
       end
     end
 
-    rule { protected_action }.prevent :update_build
+    rule { protected_ref }.prevent :update_build
   end
 end
diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb
index a2dde95dbc8..4e689a9efd5 100644
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@@ -1,5 +1,17 @@
 module Ci
   class PipelinePolicy < BasePolicy
     delegate { @subject.project }
+
+    condition(:protected_ref) do
+      access = ::Gitlab::UserAccess.new(@user, project: @subject.project)
+
+      if @subject.tag?
+        !access.can_create_tag?(@subject.ref)
+      else
+        !access.can_update_branch?(@subject.ref)
+      end
+    end
+
+    rule { protected_ref }.prevent :update_pipeline
   end
 end