Prevent certain policies at issue level when namespace is read only

app/models/issue.rb

@@ -30,6 +30,8 @@ class Issue < ApplicationRecord
   SORTING_PREFERENCE_FIELD = :issues_sort
 
   belongs_to :project
+  has_one :namespace, through: :project
+
   belongs_to :duplicated_to, class_name: 'Issue'
   belongs_to :closed_by, class_name: 'User'
   belongs_to :iteration, foreign_key: 'sprint_id'

app/policies/issue_policy.rb

@@ -40,3 +40,5 @@ class IssuePolicy < IssuablePolicy
     prevent :destroy_design
   end
 end
+
+IssuePolicy.prepend_if_ee('EE::IssuePolicy')

ee/app/policies/ee/issue_policy.rb

+# frozen_string_literal: true
+
+module EE
+  module IssuePolicy
+    extend ActiveSupport::Concern
+
+    prepended do
+      condition(:over_storage_limit, scope: :subject) { @subject.namespace.over_storage_limit? }
+
+      rule { over_storage_limit }.policy do
+        prevent :create_issue
+        prevent :update_issue
+        prevent :read_issue_iid
+        prevent :reopen_issue
+        prevent :create_design
+        prevent :create_note
+      end
+    end
+  end
+end

ee/spec/policies/issue_policy_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe IssuePolicy do
+  let(:owner) { build_stubbed(:user) }
+  let(:namespace) { build_stubbed(:namespace, owner: owner) }
+  let(:project) { build_stubbed(:project, namespace: namespace) }
+  let(:issue) { build_stubbed(:issue, project: project) }
+
+  subject { described_class.new(owner, issue) }
+
+  before do
+    allow(issue).to receive(:namespace).and_return namespace
+    allow(project).to receive(:design_management_enabled?).and_return true
+  end
+
+  context 'when namespace is locked because storage usage limit exceeded' do
+    before do
+      allow(namespace).to receive(:over_storage_limit?).and_return true
+    end
+
+    it { is_expected.to be_disallowed(:create_issue, :update_issue, :read_issue_iid, :reopen_issue, :create_design, :create_note) }
+  end
+
+  context 'when namespace is not locked because storage usage limit not exceeded' do
+    before do
+      allow(namespace).to receive(:over_storage_limit?).and_return false
+    end
+
+    it { is_expected.to be_allowed(:create_issue, :update_issue, :read_issue_iid, :reopen_issue, :create_design, :create_note) }
+  end
+end

spec/lib/gitlab/import_export/all_models.yml

@@ -46,6 +46,7 @@ issues:
 - system_note_metadata
 - alert_management_alert
 - status_page_published_incident
+- namespace
 events:
 - author
 - project

spec/models/issue_spec.rb

@@ -11,6 +11,7 @@ RSpec.describe Issue do
     it { is_expected.to belong_to(:milestone) }
     it { is_expected.to belong_to(:iteration) }
     it { is_expected.to belong_to(:project) }
+    it { is_expected.to have_one(:namespace).through(:project) }
     it { is_expected.to belong_to(:moved_to).class_name('Issue') }
     it { is_expected.to have_one(:moved_from).class_name('Issue') }
     it { is_expected.to belong_to(:duplicated_to).class_name('Issue') }

spec/policies/issue_policy_spec.rb

@@ -104,7 +104,7 @@ RSpec.describe IssuePolicy do
       end
 
       it 'does not allow issue author to read or update confidential issue moved to an private project' do
-        confidential_issue.project = build(:project, :private)
+        confidential_issue.project = create(:project, :private)
 
         expect(permissions(author, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue)
       end
@@ -117,7 +117,7 @@ RSpec.describe IssuePolicy do
       end
 
       it 'does not allow issue assignees to read or update confidential issue moved to an private project' do
-        confidential_issue.project = build(:project, :private)
+        confidential_issue.project = create(:project, :private)
 
         expect(permissions(assignee, confidential_issue)).to be_disallowed(:read_issue, :read_issue_iid, :update_issue)
       end