Follow-up from "Enable update_(build|pipeline) for maintainers"

The MR gitlab-ce!18735 which fixes permissions check for updating pipelines and builds for maintainers, added an additional query for each pipeline/build being checked (https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18735#note_72977529). If possible, it would be nice to refactor the check to minimize number of queries when checking permission for each pipeline.

I think that also create_pipeline/create_build permission check should not be done on project but on the specific pipeline's/build's branch (same as update checks), this will require further updates of this policy check in code.

/cc @DouweM @reprazent