prevent auditors from creating issues and notes

app/policies/ee/project_policy.rb

@@ -59,6 +59,11 @@ module EE
         enable :read_environment
         enable :read_deployment
         enable :read_pages
+
+        prevent :create_project
+        prevent :create_issue
+        prevent :create_note
+        prevent :upload_file
       end
 
       rule { ~can?(:push_code) }.prevent :push_code_to_protected_branches

spec/policies/project_policy_spec.rb

@@ -246,6 +246,7 @@ describe ProjectPolicy, models: true do
         is_expected.to be_disallowed(*developer_permissions)
         is_expected.to be_disallowed(*master_permissions)
         is_expected.to be_disallowed(*owner_permissions)
+        is_expected.to be_disallowed(*(guest_permissions - auditor_permissions))
         is_expected.to be_allowed(*auditor_permissions)
       end
     end