Consolidate permission checks for Code Suggestions

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

Collaborate/take over this issue

The following discussion from !200349 (merged) should be addressed:

@mkaeppler started a discussion:
self-review: Not related to this MR, but I think this check is either not working as intended or at least duplicating access checks.

We already test user.can?(:access_code_suggestions) in a before handler, which internally performs the following checks:
```
      condition(:code_suggestions_enabled_for_user) do
        next false unless @user
        next true if @user.allowed_to_use?(:code_suggestions)

        if ::Ai::FeatureSetting.code_suggestions_self_hosted?
          next @user.allowed_to_use?(:code_suggestions, service_name: :self_hosted_models)
        end

        false
      end
```
https://gitlab.com/gitlab-org/gitlab/-/blob/7566b6ce087375894a97ad64351ec553bff55fb6/ee/app/policies/ee/global_policy.rb#L56

We should remove this here and use / amend the code in global_policy to carry out all necessary checks if it doesn't already do so.

Moreover, we repeat some of the logic in this controller in CodeSuggestionsClient.

We should ensure we have a single permission and access model in place for Code Suggestions. We should aim to keep controllers free of business and access logic.

Edited Nov 18, 2025 by 🤖 GitLab Bot 🤖