diff --git a/app/models/deploy_key.rb b/app/models/deploy_key.rb
index 2c525d4cd7a78062e759c2c36a4b2a058bd8a58d..503398f5cca7d7aa4ad6b85b4f0fcb61f04a4271 100644
--- a/app/models/deploy_key.rb
+++ b/app/models/deploy_key.rb
@@ -20,4 +20,8 @@ class DeployKey < Key
   def destroyed_when_orphaned?
     self.private?
   end
+
+  def can_push_to?(project)
+    can_push? && projects.include?(project)
+  end
 end
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 78f562821ea01fb29df484d9241c122fae768e3d..96979398c83574fd058718f91494fcdd6d2918a8 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -89,7 +89,7 @@ module Gitlab
     end
 
     def deploy_key_push_access_check(changes)
-      if deploy_key.can_push?
+      if deploy_key.can_push_to?(project)
         check_repository_existence!
         check_change_access!(changes) if user
       else
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index f1d0a190002b246a5aae7df3da0154f4bf6f4c39..ac5352a9561e67286daf097ef7698e79f65544f0 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -353,13 +353,13 @@ describe Gitlab::GitAccess, lib: true do
     end
   end
 
-  shared_examples 'can not push code' do
+  shared_examples 'pushing code' do |can|
     subject { access.check('git-receive-pack', '_any') }
 
     context 'when project is authorized' do
       before { authorize }
 
-      it { expect(subject).not_to be_allowed }
+      it { expect(subject).public_send(can, be_allowed) }
     end
 
     context 'when unauthorized' do
@@ -383,10 +383,20 @@ describe Gitlab::GitAccess, lib: true do
     end
   end
 
+  describe 'full authentication abilities' do
+    let(:authentication_abilities) { full_authentication_abilities }
+
+    it_behaves_like 'pushing code', :to do
+      def authorize
+        project.team << [user, :developer]
+      end
+    end
+  end
+
   describe 'build authentication abilities' do
     let(:authentication_abilities) { build_authentication_abilities }
 
-    it_behaves_like 'can not push code' do
+    it_behaves_like 'pushing code', :not_to do
       def authorize
         project.team << [user, :reporter]
       end
@@ -394,12 +404,26 @@ describe Gitlab::GitAccess, lib: true do
   end
 
   describe 'deploy key permissions' do
-    let(:key) { create(:deploy_key) }
+    let(:key) { create(:deploy_key, can_push: can_push) }
     let(:actor) { key }
 
-    it_behaves_like 'can not push code' do
-      def authorize
-        key.projects << project
+    context 'when deploy_key can push' do
+      let(:can_push) { true }
+
+      it_behaves_like 'pushing code', :to do
+        def authorize
+          key.projects << project
+        end
+      end
+    end
+
+    context 'when deploy_key cannot push' do
+      let(:can_push) { false }
+
+      it_behaves_like 'pushing code', :not_to do
+        def authorize
+          key.projects << project
+        end
       end
     end
   end