preventing blocked users and their PipelineSchdules from creating new Pipelines

updated several specs and factories to accomodate new permissions

3 files changed, 8 insertions, 4 deletions

diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index 5dd2279ef99..82bf9bf8bf6 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -7,6 +7,10 @@ class BasePolicy < DeclarativePolicy::Base
   with_options scope: :user, score: 0
   condition(:admin) { @user&.admin? }
 
+  desc "User is blocked"
+  with_options scope: :user, score: 0
+  condition(:blocked) { @user&.blocked? }
+
   desc "User has access to all private groups & projects"
   with_options scope: :user, score: 0
   condition(:full_private_access) { @user&.full_private_access? }
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index e85397422e6..134de1c9ace 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -1,10 +1,6 @@
 # frozen_string_literal: true
 
 class GlobalPolicy < BasePolicy
-  desc "User is blocked"
-  with_options scope: :user, score: 0
-  condition(:blocked) { @user&.blocked? }
-
   desc "User is an internal user"
   with_options scope: :user, score: 0
   condition(:internal) { @user&.internal? }
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 3218c04b219..35b9bf2d6a3 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -445,6 +445,10 @@ class ProjectPolicy < BasePolicy
     prevent :owner_access
   end
 
+  rule { blocked }.policy do
+    prevent :create_pipeline
+  end
+
   private
 
   def team_member?