diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index 7e1922260eade015d08037bffe947ab3a3fce9ba..ddccd2d9eb3552c6a1a0cdc507e69e156ce93aa6 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -67,6 +67,43 @@ describe Gitlab::GitAccess, lib: true do
 end
 end
 
+ describe '#check with single protocols allowed' do
+ def disable_protocol(protocol)
+ settings = ::ApplicationSetting.create_from_defaults
+ settings.update_attribute(:enabled_git_access_protocols, protocol)
+ end
+
+ context 'ssh disabled' do
+ before do
+ disable_protocol('ssh')
+ @acc = Gitlab::GitAccess.new(actor, project, 'ssh')
+ end
+
+ it 'blocks ssh git push' do
+ expect(@acc.check('git-receive-pack').allowed?).to be_falsey
+ end
+
+ it 'blocks ssh git pull' do
+ expect(@acc.check('git-upload-pack').allowed?).to be_falsey
+ end
+ end
+
+ context 'http disabled' do
+ before do
+ disable_protocol('http')
+ @acc = Gitlab::GitAccess.new(actor, project, 'http')
+ end
+
+ it 'blocks http push' do
+ expect(@acc.check('git-receive-pack').allowed?).to be_falsey
+ end
+
+ it 'blocks http git pull' do
+ expect(@acc.check('git-upload-pack').allowed?).to be_falsey
+ end
+ end
+ end
+
 describe 'download_access_check' do
 describe 'master permissions' do
 before { project.team << [user, :master] }
diff --git a/spec/requests/api/internal_spec.rb b/spec/requests/api/internal_spec.rb
index fcea45f19bad486070cd0f8ea58e64d5075859e4..1f49cdad044df85d9aee65bb87a13b7543b48f71 100644
--- a/spec/requests/api/internal_spec.rb
+++ b/spec/requests/api/internal_spec.rb
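Review bot: `disable_protocol` writes its argument straight into `enabled_git_access_protocols`, so `disable_protocol('ssh')` leaves SSH as the only enabled protocol, which is the opposite of what the 'ssh disabled' context needs; the internal API spec in this same commit sets the value to 'http' to disable SSH. The four examples most likely still pass because nothing visible in the hunk grants `actor` access to `project` (both are defined outside it), so `check` is refused for an unrelated reason and the protocol restriction is never exercised. Pass the protocol that remains enabled instead, e.g. rename the helper to `enable_only(protocol)` and call `enable_only('http')` in the 'ssh disabled' context. Also add `project.team << [user, :developer]` to the `before` blocks and assert the status message ('Git access over SSH is not allowed', as the API spec does) in addition to `allowed?`.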
@@ -207,26 +207,86 @@ describe API::API, api: true do
 expect(json_response["status"]).to be_falsey
 end
 end
+
+ context 'ssh access has been disabled' do
+ before do
+ settings = ::ApplicationSetting.create_from_defaults
+ settings.update_attribute(:enabled_git_access_protocols, 'http')
+ end
+
+ it 'rejects the SSH push' do
+ push(key, project)
+
+ expect(response.status).to eq(200)
+ expect(json_response['status']).to be_falsey
+ expect(json_response['message']).to eq 'Git access over SSH is not allowed'
+ end
+
+ it 'rejects the SSH pull' do
+ pull(key, project)
+
+ expect(response.status).to eq(200)
+ expect(json_response['status']).to be_falsey
+ expect(json_response['message']).to eq 'Git access over SSH is not allowed'
+ end
+ end
+
+ context 'http access has been disabled' do
+ before do
+ settings = ::ApplicationSetting.create_from_defaults
+ settings.update_attribute(:enabled_git_access_protocols, 'ssh')
+ end
+
+ it 'rejects the HTTP push' do
+ push(key, project, 'http')
+
+ expect(response.status).to eq(200)
+ expect(json_response['status']).to be_falsey
+ expect(json_response['message']).to eq 'Git access over HTTP is not allowed'
+ end
+
+ it 'rejects the HTTP pull' do
+ pull(key, project, 'http')
+
+ expect(response.status).to eq(200)
+ expect(json_response['status']).to be_falsey
+ expect(json_response['message']).to eq 'Git access over HTTP is not allowed'
+ end
+ end
+
+ context 'web actions are always allowed' do
+ it 'allows WEB push' do
+ settings = ::ApplicationSetting.create_from_defaults
+ settings.update_attribute(:enabled_git_access_protocols, 'ssh')
+ project.team << [user, :developer]
+ push(key, project, 'web')
+
+ expect(response.status).to eq(200)
+ expect(json_response['status']).to be_truthy
+ end
+ end
 end
 
- def pull(key, project)
+ def pull(key, project, protocol = 'ssh')
 post(
 api("/internal/allowed"),
 key_id: key.id,
 project: project.path_with_namespace,
 action: 'git-upload-pack',
- secret_token: secret_token
+ secret_token: secret_token,
+ protocol: protocol
 )
 end
 
- def push(key, project)
+ def push(key, project, protocol = 'ssh')
 post(
 api("/internal/allowed"),
 changes: 'd14d6c0abdd253381df51a723d58691b2ee1ab08 570e7b2abdd848b95f2f578043fc23bd6f6fd24d refs/heads/master',
 key_id: key.id,
 project: project.path_with_namespace,
 action: 'git-receive-pack',
- secret_token: secret_token
+ secret_token: secret_token,
+ protocol: protocol
 )
 end
 
@@ -237,7 +297,8 @@ describe API::API, api: true do
 key_id: key.id,
 project: project.path_with_namespace,
 action: 'git-upload-archive',
- secret_token: secret_token
+ secret_token: secret_token,
+ protocol: 'ssh'
 )
 end
 end
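Review bot: The new contexts exercise only the three expected `protocol` values, so nothing pins what `/internal/allowed` does when the parameter is absent or is a string other than 'ssh', 'http' or 'web'. Because 'web' is exempt from the restriction and the value is supplied by the caller, that case should be shown to fail closed. For example, add an example that sets `enabled_git_access_protocols` to 'http', calls `push(key, project, 'bogus')` (a constructed value) and expects `json_response['status']` to be falsey. The 'web' context also checks push only, and `git-upload-archive` has no example with SSH disabled; its helper in the last hunk is hard-coded to `protocol: 'ssh'` and begins outside that hunk.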