Disallow project forking policy for anonymous user

app/policies/project_policy.rb

@@ -241,7 +241,7 @@ class ProjectPolicy < BasePolicy
     enable :request_access
   end
 
-  rule { can?(:download_code) & forking_allowed }.policy do
+  rule { (can?(:public_user_access) | can?(:reporter_access)) & forking_allowed }.policy do
     enable :fork_project
   end
 

spec/policies/project_policy_spec.rb

@@ -508,6 +508,34 @@ describe ProjectPolicy do
     end
   end
 
+  context 'forking a project' do
+    subject { described_class.new(current_user, project) }
+
+    context 'anonymous user' do
+      let(:current_user) { nil }
+
+      it { is_expected.to be_disallowed(:fork_project) }
+    end
+
+    context 'project member' do
+      let_it_be(:project) { create(:project, :private) }
+
+      context 'guest' do
+        let(:current_user) { guest }
+
+        it { is_expected.to be_disallowed(:fork_project) }
+      end
+
+      %w(reporter developer maintainer).each do |role|
+        context role do
+          let(:current_user) { send(role) }
+
+          it { is_expected.to be_allowed(:fork_project) }
+        end
+      end
+    end
+  end
+
   describe 'update_max_artifacts_size' do
     subject { described_class.new(current_user, project) }