Diffstat (limited to 'app')
-rw-r--r--app/models/ci/pipeline.rb2
-rw-r--r--app/policies/ci/build_policy.rb11
-rw-r--r--app/policies/ci/pipeline_policy.rb19
3 files changed, 25 insertions, 7 deletions
diff --git a/app/models/ci/pipeline.rb b/app/models/ci/pipeline.rb
index a46c1304667..06ce01095ea 100644
--- a/app/models/ci/pipeline.rb
+++ b/app/models/ci/pipeline.rb
@@ -169,7 +169,7 @@ module Ci
Ability.allowed?(user, :create_pipeline, project) &&
if repo.ref_exists?("#{Gitlab::Git::BRANCH_REF_PREFIX}#{ref}")
- access.can_merge_to_branch?(ref)
+ access.can_push_or_merge_to_branch?(ref)
elsif repo.ref_exists?("#{Gitlab::Git::TAG_REF_PREFIX}#{ref}")
access.can_create_tag?(ref)
else
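Review bot: The branch arm now accepts either push or merge rights, but nothing at the call site records why either one is enough to start a pipeline on a protected branch. A one-line comment above the `if`, such as `# A user may run a pipeline on a branch only if they can push or merge to it`, would keep the intent visible next to the tag arm's `can_create_tag?`. The enclosing method starts and ends outside the hunk, so what the final `else` arm returns for a ref that is neither a branch nor a tag cannot be checked from here.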
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 2d7405dc240..85245528602 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -11,19 +11,20 @@ module Ci
cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build"
end
- if can?(:update_build) && protected_action?
+ if can?(:update_build) && !can_user_update?
cannot! :update_build
end
end
private
- def protected_action?
- return false unless build.action?
+ def can_user_update?
+ user_access.can_push_or_merge_to_branch?(build.ref)
+ end
- !::Gitlab::UserAccess
+ def user_access
+ @user_access ||= ::Gitlab::UserAccess
.new(user, project: build.project)
- .can_merge_to_branch?(build.ref)
end
end
end
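Review bot: `can_user_update?` hands `build.ref` to `can_push_or_merge_to_branch?` without checking what kind of ref it is, whereas the pipeline model in this same commit sends tag refs through `access.can_create_tag?`. For a build that ran on a tag, the branch check presumably treats the tag name as a branch name, so protected-tag rules would not gate `:update_build`. Consider branching on the ref type, for example `build.tag? ? user_access.can_create_tag?(build.ref) : user_access.can_push_or_merge_to_branch?(build.ref)`. The same gap applies to `can_user_update?` in app/policies/ci/pipeline_policy.rb, which passes `pipeline.ref` the same way.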
diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb
index 10aa2d3e72a..e71cc358353 100644
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@@ -1,7 +1,24 @@
module Ci
class PipelinePolicy < BasePolicy
+ alias_method :pipeline, :subject
+
def rules
- delegate! @subject.project
+ delegate! pipeline.project
+
+ if can?(:update_pipeline) && !can_user_update?
+ cannot! :update_pipeline
+ end
+ end
+
+ private
+
+ def can_user_update?
+ user_access.can_push_or_merge_to_branch?(pipeline.ref)
+ end
+
+ def user_access
+ @user_access ||= ::Gitlab::UserAccess
+ .new(user, project: pipeline.project)
end
end
end
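Review bot: `can_user_update?` and `user_access` here duplicate the two private methods added to `Ci::BuildPolicy` in this commit, differing only in `pipeline` versus `build`. Two copies of an authorization check tend to drift, and a fix applied to one policy but not the other would leave builds and pipelines enforcing different rules for the same ref. Consider moving the pair into a shared module or a `BasePolicy` helper that takes the ref and project, so each policy is left with a single call such as `cannot! :update_pipeline unless can_update_ref?(pipeline.ref, pipeline.project)` (helper name is illustrative).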