1 files changed, 14 insertions, 14 deletions

diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 61a7bf02675..3b0550b4dd6 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -80,8 +80,9 @@ class ProjectPolicy < BasePolicy
   rule { reporter }.enable :reporter_access
   rule { developer }.enable :developer_access
   rule { master }.enable :master_access
+  rule { owner | admin }.enable :owner_access
 
-  rule { owner | admin }.policy do
+  rule { can?(:owner_access) }.policy do
     enable :guest_access
     enable :reporter_access
     enable :developer_access
@@ -98,11 +99,6 @@ class ProjectPolicy < BasePolicy
     enable :remove_pages
   end
 
-  rule { owner | reporter }.policy do
-    enable :build_download_code
-    enable :build_read_container_image
-  end
-
   rule { can?(:guest_access) }.policy do
     enable :read_project
     enable :read_board
@@ -121,6 +117,11 @@ class ProjectPolicy < BasePolicy
     enable :read_cycle_analytics
   end
 
+  # These abilities are not allowed to admins that are not members of the project,
+  # that's why they are defined separatly.
+  rule { guest & can?(:download_code) }.enable :build_download_code
+  rule { guest & can?(:read_container_image) }.enable :build_read_container_image
+
   rule { can?(:reporter_access) }.policy do
     enable :download_code
     enable :download_wiki_code
@@ -140,12 +141,19 @@ class ProjectPolicy < BasePolicy
     enable :read_merge_request
   end
 
+  # We define `:public_user_access` separately because there are cases in gitlab-ee
+  # where we enable or prevent it based on other coditions.
   rule { (~anonymous & public_project) | internal_access }.policy do
     enable :public_user_access
   end
 
   rule { can?(:public_user_access) }.policy do
+    enable :public_access
     enable :guest_access
+
+    enable :fork_project
+    enable :build_download_code
+    enable :build_read_container_image
     enable :request_access
   end
 
@@ -196,14 +204,6 @@ class ProjectPolicy < BasePolicy
     enable :create_cluster
   end
 
-  rule { can?(:public_user_access) }.policy do
-    enable :public_access
-
-    enable :fork_project
-    enable :build_download_code
-    enable :build_read_container_image
-  end
-
   rule { archived }.policy do
     prevent :create_merge_request
     prevent :push_code