Add condition to policies

Alongside specs

ee/app/policies/ee/project_policy.rb

@@ -210,6 +210,8 @@ module EE
 
       rule { owner | reporter }.enable :build_read_project
 
+      rule { owner & owner_cannot_destroy_project }.prevent :remove_project
+
       rule { archived }.policy do
         READONLY_FEATURES_WHEN_ARCHIVED.each do |feature|
           prevent(*::ProjectPolicy.create_update_admin_destroy(feature))
@@ -228,6 +230,11 @@ module EE
         ::Gitlab::Auth::GroupSaml::SsoEnforcer.group_access_restricted?(subject.group)
       end
 
+      condition(:owner_cannot_destroy_project) do
+        ::Gitlab::CurrentSettings.current_application_settings
+          .default_project_deletion_protection
+      end
+
       rule { web_ide_terminal_available & can?(:create_pipeline) & can?(:maintainer_access) }.enable :create_web_ide_terminal
 
       # Design abilities could also be prevented in the issue policy.

ee/spec/policies/project_policy_spec.rb

@@ -451,6 +451,25 @@ describe ProjectPolicy do
     end
   end
 
+  describe 'remove_project when default_project_deletion_protection is set to true' do
+    before do
+      allow(Gitlab::CurrentSettings.current_application_settings)
+          .to receive(:default_project_deletion_protection) { true }
+    end
+
+    context 'with admin' do
+      let(:current_user) { admin }
+
+      it { is_expected.to be_allowed(:remove_project) }
+    end
+
+    context 'with owner' do
+      let(:current_user) { owner }
+
+      it { is_expected.to be_disallowed(:remove_project) }
+    end
+  end
+
   describe 'read_feature_flag' do
     context 'with admin' do
       let(:current_user) { admin }