Remove project bot policy

I was suggested to add a policy to check project token log in ability,
but that's breaking things with container pulling, so removing policy
code and doing more explicit permission checks instead.

app/policies/project_policy.rb

@@ -135,10 +135,6 @@ class ProjectPolicy < BasePolicy
     ::Feature.enabled?(:build_service_proxy, @subject)
   end
 
-  condition(:project_bot_is_member) do
-    user.project_bot? & team_member?
-  end
-
   with_scope :subject
   condition(:packages_disabled) { !@subject.packages_enabled }
 
@@ -619,8 +615,6 @@ class ProjectPolicy < BasePolicy
     enable :admin_resource_access_tokens
   end
 
-  rule { project_bot_is_member & ~blocked }.enable :bot_log_in
-
   private
 
   def user_is_user?

lib/gitlab/auth.rb

@@ -198,7 +198,9 @@ module Gitlab
 
         return unless valid_scoped_token?(token, all_available_scopes)
 
-        if token.user.can?(:log_in) || token.user.can?(:bot_log_in, project)
+        return if project && token.user.project_bot? && !project.bots.include?(token.user)
+
+        if token.user.can?(:log_in) || token.user.project_bot?
           Gitlab::Auth::Result.new(token.user, nil, :personal_access_token, abilities_for_scopes(token.scopes))
         end
       end
@@ -283,7 +285,7 @@ module Gitlab
         return unless build.project.builds_enabled?
 
         if build.user
-          return unless build.user.can?(:log_in) || build.user.can?(:bot_log_in, build.project)
+          return unless build.user.can?(:log_in) || (build.user.project_bot? && build.project.bots&.include?(build.user))
 
           # If user is assigned to build, use restricted credentials of user
           Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)

spec/policies/project_policy_spec.rb

@@ -401,40 +401,6 @@ RSpec.describe ProjectPolicy do
     end
   end
 
-  describe 'bot_log_in' do
-    let(:bot_user) { create(:user, :project_bot) }
-    let(:project) { private_project }
-
-    context 'when bot is in project and is not blocked' do
-      before do
-        project.add_maintainer(bot_user)
-      end
-
-      it 'is a valid project bot' do
-        expect(bot_user.can?(:bot_log_in, project)).to be_truthy
-      end
-    end
-
-    context 'when project bot is invalid' do
-      context 'when bot is not in project' do
-        it 'is not a valid project bot' do
-          expect(bot_user.can?(:bot_log_in, project)).to be_falsy
-        end
-      end
-
-      context 'when bot user is blocked' do
-        before do
-          project.add_maintainer(bot_user)
-          bot_user.block!
-        end
-
-        it 'is not a valid project bot' do
-          expect(bot_user.can?(:bot_log_in, project)).to be_falsy
-        end
-      end
-    end
-  end
-
   context 'support bot' do
     let(:current_user) { User.support_bot }