Allowed to push not working correctly

Summary

The 'Allow to push' setting for a protected branch doesn't work correctly. It allow every maintainer (or maybe every one who has 'Allow to merge') to push, if the select field is set to Role: No one, and 1 User
If it is only set to 'No one' it works -> no one can push. If only to the user same behaviour, every maintainer can push.

Tested on 13.0.6-ee and 13.1.3-ee

Steps to reproduce

  1. create a protected branch
  2. set 'Allow to push' to Role 'No one' and one user
  3. push

Example Project

not possible, since I don't have a User in the 'Allow to push' select

What is the current bug behavior?

Every maintainer can push (maintainer are allowed to merge) - other user cannot.

What is the expected correct behavior?

Only the selected User can push

Results of GitLab environment info

Expand for output related to GitLab environment info 
System information
System:
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   2.6.6p146
Gem Version:    3.0.6
Bundler Version:1.17.3
Rake Version:   12.3.3
Redis Version:  5.0.8
Git Version:    2.26.2
Sidekiq Version:5.2.7
Go Version:     go1.14.2 linux/amd64

GitLab information
Version:        13.1.3-ee
Revision:       68484131370
Directory:      /srv/git/gitlab
DB Adapter:     PostgreSQL
DB Version:     12.2
URL:            https://***.de
HTTP Clone URL: https://***.de/some-group/some-project.git
SSH Clone URL:  ***.de:some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     no
Using Omniauth: yes
Omniauth Providers:

GitLab Shell
Version:        13.3.0
Repository storage paths:
- default:      /srv/git/repositories
GitLab Shell path:              /srv/git/gitlab-shell
Git:            /usr/bin/git

Results of GitLab application Check

Expand for output related to the GitLab application check 
Checking GitLab subtasks ...

Checking GitLab Shell ...


GitLab Shell: ... GitLab Shell version >= 13.3.0 ? ... OK (13.3.0)
Running /srv/git/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful


Checking GitLab Shell ... Finished


Checking Gitaly ...


Gitaly: ... default ... OK


Checking Gitaly ... Finished


Checking Sidekiq ...


Sidekiq: ... Running? ... yes
Number of Sidekiq processes ... 1


Checking Sidekiq ... Finished


Checking Incoming Email ...


Incoming Email: ... Reply by email is disabled in config/gitlab.yml


Checking Incoming Email ... Finished


Checking LDAP ...


LDAP: ... LDAP is disabled in config/gitlab.yml


Checking LDAP ... Finished


Checking GitLab App ...


Git configured correctly? ... yes
Database config exists? ... yes
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Init script exists? ... yes
Init script up-to-date? ... no
Projects have namespace: ...
20/6 ... yes
20/8 ... yes
23/9 ... yes
23/11 ... yes
20/12 ... yes
21/13 ... yes
21/14 ... yes
21/15 ... yes
21/16 ... yes
21/17 ... yes
31/18 ... yes
20/19 ... yes
8/20 ... yes
20/23 ... yes
31/24 ... yes
40/25 ... yes
20/26 ... yes
21/27 ... yes
31/28 ... yes
40/29 ... yes
6/30 ... yes
23/31 ... yes
15/32 ... yes
23/34 ... yes
44/35 ... yes
44/36 ... yes
Redis version >= 4.0.0? ... yes
Ruby version >= 2.5.3 ? ... yes (2.6.6)
Git version >= 2.22.0 ? ... yes (2.26.2)
Git user has default SSH configuration? ... no
Active users: ... 17
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 5.6 - 6.x? ... skipped (elasticsearch is disabled)


Checking GitLab App ... Finished


Checking GitLab subtasks ... Finished