re-allow auditor to write when they are a team member

app/policies/ee/project_policy.rb

@@ -59,7 +59,9 @@ module EE
         enable :read_environment
         enable :read_deployment
         enable :read_pages
+      end
 
+      rule { auditor & ~guest }.policy do
         prevent :create_project
         prevent :create_issue
         prevent :create_note

spec/policies/project_policy_spec.rb

@@ -242,12 +242,28 @@ describe ProjectPolicy, models: true do
     context 'auditor' do
       let(:current_user) { auditor }
 
-      it do
-        is_expected.to be_disallowed(*developer_permissions)
-        is_expected.to be_disallowed(*master_permissions)
-        is_expected.to be_disallowed(*owner_permissions)
-        is_expected.to be_disallowed(*(guest_permissions - auditor_permissions))
-        is_expected.to be_allowed(*auditor_permissions)
+      context 'not a team member' do
+        it do
+          is_expected.to be_disallowed(*developer_permissions)
+          is_expected.to be_disallowed(*master_permissions)
+          is_expected.to be_disallowed(*owner_permissions)
+          is_expected.to be_disallowed(*(guest_permissions - auditor_permissions))
+          is_expected.to be_allowed(*auditor_permissions)
+        end
+      end
+
+      context 'team member' do
+        before do
+          project.team << [auditor, :guest]
+        end
+
+        it do
+          is_expected.to be_disallowed(*developer_permissions)
+          is_expected.to be_disallowed(*master_permissions)
+          is_expected.to be_disallowed(*owner_permissions)
+          is_expected.to be_allowed(*(guest_permissions - auditor_permissions))
+          is_expected.to be_allowed(*auditor_permissions)
+        end
       end
     end
   end