1.7.6 changelog (#6596)

Signed-off-by: jolheiser <john.olheiser@gmail.com>

.drone.yml

@@ -82,7 +82,7 @@ pipeline:
     when:
       event: [ push, tag, pull_request ]
 
-  test:
+  unit-test:
     image: golang:1.11
     pull: true
     group: test
@@ -94,7 +94,7 @@ pipeline:
       event: [ push, pull_request ]
       branch: [ master ]
 
-  test:
+  release-test:
     image: golang:1.11
     pull: true
     group: test
@@ -106,7 +106,7 @@ pipeline:
       event: [ push, pull_request ]
       branch: [ release/* ]
 
-  test:
+  tag-test:
     image: golang:1.11
     pull: true
     group: test
@@ -146,7 +146,7 @@ pipeline:
       event: [ push, pull_request ]
       branch: [ master ]
 
-  test-mysql:
+  tag-test-mysql:
     image: golang:1.11
     pull: true
     group: test
@@ -211,7 +211,7 @@ pipeline:
       branch: [ master ]
 
   static:
-    image: karalabe/xgo-latest:latest
+    image: techknowlogick/xgo:latest
     pull: true
     environment:
       TAGS: bindata sqlite sqlite_unlock_notify
@@ -240,12 +240,13 @@ pipeline:
       event: [ push ]
       branch: [ master ]
 
-  docker:
+  release-docker:
     image: plugins/docker:17.12
     pull: true
     secrets: [ docker_username, docker_password ]
     repo: gitea/gitea
     tags: [ '${DRONE_BRANCH##release/v}' ]
+    cache_from: gitea/gitea
     when:
       event: [ push ]
       branch: [ release/* ]
@@ -255,6 +256,7 @@ pipeline:
     secrets: [ docker_username, docker_password ]
     pull: true
     repo: gitea/gitea
+    cache_from: gitea/gitea
     default_tags: true
     when:
       event: [ push, tag ]
@@ -271,7 +273,7 @@ pipeline:
     when:
       event: [ push, tag ]
 
-  release:
+  tag-release:
     image: plugins/s3:1
     pull: true
     secrets: [ aws_access_key_id, aws_secret_access_key ]
@@ -285,7 +287,7 @@ pipeline:
     when:
       event: [ tag ]
 
-  release:
+  release-branch-release:
     image: plugins/s3:1
     pull: true
     secrets: [ aws_access_key_id, aws_secret_access_key ]

CHANGELOG.md

@@ -4,7 +4,83 @@ This changelog goes through all the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.io).
 
-## [1.7.0-rc1](https://github.com/go-gitea/gitea/releases/tag/v1.7.0) - 2019-01-02
+## [1.7.6](https://github.com/go-gitea/gitea/releases/tag/v1.7.6) - 2019-04-12
+* SECURITY
+  * Prevent remote code execution vulnerability with mirror repo URL settings (#6593) (#6595)
+* BUGFIXES
+  * Allow resend of confirmation email when logged in (#6482) (#6487)
+
+## [1.7.5](https://github.com/go-gitea/gitea/releases/tag/v1.7.5) - 2019-03-27
+* BUGFIXES
+  * Fix unitTypeCode not being used in accessLevelUnit (#6419) (#6423)
+  * Fix bug where manifest.json was being requested without cookies and continuously creating new sessions (#6372) (#6383) 
+  * Fix ParsePatch function to work with quoted diff --git strings (#6323) (#6332)
+
+## [1.7.4](https://github.com/go-gitea/gitea/releases/tag/v1.7.4) - 2019-03-12
+* SECURITY
+  * Fix potential XSS vulnerability in repository description. (#6306) (#6308)
+* BUGFIXES
+  * Fix wrong release commit id (#6224) (#6300)
+  * Fix panic on empty signed commits (#6292) (#6300)
+  * Fix organization dropdown not being scrollable when using mouse wheel (#5988) (#6246)
+  * Fix displaying dashboard even if required to change password (#6214) (#6215)
+
+## [1.7.3](https://github.com/go-gitea/gitea/releases/tag/v1.7.3) - 2019-02-27
+* BUGFIXES
+  * Fix server 500 when trying to migrate to an already existing repository (#6188) (#6197)
+  * Load Issue attributes for API /repos/{owner}/{repo}/issues/{index} (#6122) (#6185)
+  * Fix bug whereby user could change private repository to public when force private enabled. (#6156) (#6165)
+  * Fix bug when update owner team then visit team's repo return 404 (#6119) (#6166)
+  * Fix heatmap and repository menu display in Internet Explorer 9+ (#6117) (#6137)
+  * Fix prohibit login check on authorization (#6106) (#6115)
+  * Fix LDAP protocol error regression by moving to ldap.v3 (#6105) (#6107)
+  * Fix deadlock in webhook PullRequest (#6102) (#6104)
+  * Fix redirect loop when password change is required and Gitea is installed as a suburl (#5965) (#6101)
+  * Fix compare button regression (#5929) (#6098)
+  * Recover panic in orgmode.Render if bad orgfile (#4982) (#5903) (#6097)
+
+## [1.7.2](https://github.com/go-gitea/gitea/releases/tag/v1.7.2) - 2019-02-14
+* BUGFIXES
+  * Remove all CommitStatus when a repo is deleted (#5940) (#5941)
+  * Fix notifications on pushing with deploy keys by setting hook environment variables (#5935) (#5944)
+  * Silence console logger in gitea serv (#5887) (#5943)
+  * Handle milestone webhook events for issues and PR (#5947) (#5955)
+  * Show user who created the repository instead of the organization in action feed (#5948) (#5956)
+  * Fix ssh deploy and user key constraints (#1357) (#5939) (#5966)
+  * Fix bug when deleting a linked account will removed all (#5989) (#5990)
+  * Fix empty ssh key importing in ldap (#5984) (#6009)
+  * Fix metrics auth token detection (#6006) (#6017)
+  * Create repository on organisation by default on its dashboard (#6026) (#6048)
+  * Make sure labels are actually returned in API (#6053) (#6059)
+  * Switch to more recent build of xgo (#6070) (#6072)
+  * In basic auth check for tokens before call UserSignIn (#5725) (#6083)
+
+## [1.7.1](https://github.com/go-gitea/gitea/releases/tag/v1.7.1) - 2019-01-31
+* SECURITY
+  * Disable redirect for i18n (#5910) (#5916)
+  * Only allow local login if password is non-empty (#5906) (#5908)
+  * Fix go-get URL generation (#5905) (#5907)
+* BUGFIXES
+  * Fix TLS errors when using acme/autocert for local connections (#5820) (#5826)
+  * Request for public keys only if LDAP attribute is set (#5816) (#5819)
+  * Fix delete correct temp directory (#5840) (#5839)
+  * Fix an error while adding a dependency via UI (#5862) (#5876)
+  * Fix null pointer in attempt to Sudo if not logged in (#5872) (#5884)
+  * When creating new repository fsck option should be enabled (#5817) (#5885)
+  * Prevent nil dereference in mailIssueCommentToParticipants (#5891) (#5895) (#5894)
+  * Fix bug when read public repo lfs file (#5913) (#5912)
+  * Respect value of REQUIRE_SIGNIN_VIEW (#5901) (#5915)
+  * Fix compare button on upstream repo leading to 404 (#5877) (#5914)
+* DOCS
+  * Added docs for the tree api (#5835)
+* MISC
+  * Include Go toolchain to --version (#5832) (#5830)
+
+## [1.7.0](https://github.com/go-gitea/gitea/releases/tag/v1.7.0) - 2019-01-22
+* SECURITY
+  * Do not display the raw OpenID error in the UI (#5705) (#5712)
+  * When redirecting clean the path to avoid redirecting to external site (#5669) (#5679)
+  * Prevent DeleteFilePost doing arbitrary deletion (#5631)
 * BREAKING
   * Restrict permission check on repositories and fix some problems (#5314)
   * Show only opened milestones on issues page milestone filter (#5051)
@@ -23,6 +99,13 @@ been added to each release, please refer to the [blog](https://blog.gitea.io).
   * Give user a link to create PR after push (#4716)
   * Add rebase with merge commit merge style (#3844) (#4052)
 * BUGFIXES
+  * Disallow empty titles (#5785) (#5794)
+  * Fix sqlite deadlock when assigning to a PR (#5640) (#5642)
+  * Don't close issues via commits on non-default branch. (#5622) (#5643)
+  * Fix commit page showing status for current default branch (#5650) (#5653)
+  * Only count users own actions for heatmap contributions (#5647) (#5655)
+  * Update xorm to fix issue postgresql dumping issues (#5680) (#5692)
+  * Use correct value for "MSpan Structures Obtained" (#5706) (#5716)
   * Fix bug on modifying sshd username (#5624)
   * Delete tags in mirror which are removed for original repo. (#5609)
   * Fix wrong text getting saved on editing second comment on an issue. (#5608)
@@ -149,6 +232,18 @@ been added to each release, please refer to the [blog](https://blog.gitea.io).
   * Git-Trees API (#5403)
   * Only chown directories during docker setup if necessary. Fix #4425 (#5064)
 
+## [1.6.4](https://github.com/go-gitea/gitea/releases/tag/v1.6.4) - 2019-01-15
+* BUGFIX
+  * Fix SSH key now can be reused as public key after deleting as deploy key (#5671) (#5685)
+  * When redirecting clean the path to avoid redirecting to external site (#5669) (#5703)
+  * Fix to use correct value for "MSpan Structures Obtained" (#5706) (#5715)
+
+## [1.6.3](https://github.com/go-gitea/gitea/releases/tag/v1.6.3) - 2019-01-04
+* SECURITY
+  * Prevent DeleteFilePost doing arbitrary deletion (#5631)
+* BUGFIX
+  * Fix wrong text getting saved on editing second comment on an issue (#5608)
+
 ## [1.6.2](https://github.com/go-gitea/gitea/releases/tag/v1.6.2) - 2018-12-21
 * SECURITY
   * Sanitize uploaded file names (#5571) (#5573)

Gopkg.lock

@@ -3,11 +3,11 @@
 
 [[projects]]
   branch = "master"
-  digest = "1:ab875622908a804a327a95a1701002b150806a3c5406df51ec231eac16d3a1ca"
+  digest = "1:e1fa64238b0a2dbf1edf98c4af8d1b8cb65179e286d7f28006b50fa9f508ee9d"
   name = "code.gitea.io/git"
   packages = ["."]
   pruneopts = "NUT"
-  revision = "389d3c803e12a30dffcbb54a15c2242521bc4333"
+  revision = "74d7c14dd4a3ed9c5def0dc3c1aeede399ddc5c5"
 
 [[projects]]
   branch = "master"
@@ -406,11 +406,11 @@
   version = "v0.6.0"
 
 [[projects]]
-  digest = "1:931a62a1aacc37a5e4c309a111642ec4da47b4dc453cd4ba5481b12eedb04a5d"
+  digest = "1:d366480c27ab51b3f7e995f25503063e7a6ebc7feb269df2499c33471f35cd62"
   name = "github.com/go-xorm/xorm"
   packages = ["."]
   pruneopts = "NUT"
-  revision = "401f4ee8ff8cbc40a4754cb12192fbe4f02f3979"
+  revision = "1cd2662be938bfee0e34af92fe448513e0560fb1"
 
 [[projects]]
   branch = "master"
@@ -666,6 +666,14 @@
   pruneopts = "NUT"
   revision = "02ccfbfaf0cc627aa3aec8ef7ed5cfeec5b43f63"
 
+[[projects]]
+  digest = "1:63953ffb90bbc880c612d576fcfd973a5904277d25ec9e2d8d5719bf67969662"
+  name = "github.com/mvdan/xurls"
+  packages = ["."]
+  pruneopts = "NUT"
+  revision = "e52e821cbfe8fe163ff6f8628ab5869b11fc05af"
+  version = "v2.0.0"
+
 [[projects]]
   digest = "1:2be1d891535ce3d6d2a3db9087f07415e909744e9eff1a30f8f0b2519df60ae6"
   name = "github.com/nfnt/resize"
@@ -1005,12 +1013,12 @@
   version = "v1.31.1"
 
 [[projects]]
-  digest = "1:01f4ac37c52bda6f7e1bd73680a99f88733c0408aaa159ecb1ba53a1ade9423c"
-  name = "gopkg.in/ldap.v2"
+  digest = "1:8a502dedecf5b6d56e36f0d0e6196392baf616634af2c23108b6e8bb89ec57fc"
+  name = "gopkg.in/ldap.v3"
   packages = ["."]
   pruneopts = "NUT"
-  revision = "d0a5ced67b4dc310b9158d63a2c6f9c5ec13f105"
-  version = "v2.4.1"
+  revision = "214f299a0ecb2a6c6f6d2b0f13977032b207dc58"
+  version = "v3.0.1"
 
 [[projects]]
   digest = "1:cfe1730a152ff033ad7d9c115d22e36b19eec6d5928c06146b9119be45d39dc0"
@@ -1190,6 +1198,7 @@
     "github.com/mcuadros/go-version",
     "github.com/microcosm-cc/bluemonday",
     "github.com/msteinert/pam",
+    "github.com/mvdan/xurls",
     "github.com/nfnt/resize",
     "github.com/pquerna/otp",
     "github.com/pquerna/otp/totp",
@@ -1214,7 +1223,7 @@
     "gopkg.in/editorconfig/editorconfig-core-go.v1",
     "gopkg.in/gomail.v2",
     "gopkg.in/ini.v1",
-    "gopkg.in/ldap.v2",
+    "gopkg.in/ldap.v3",
     "gopkg.in/macaron.v1",
     "gopkg.in/testfixtures.v2",
     "strk.kbt.io/projects/go/libravatar",

Gopkg.toml

@@ -38,7 +38,7 @@ ignored = ["google.golang.org/appengine*"]
 
 [[override]]
   name = "github.com/go-xorm/xorm"
-  revision = "401f4ee8ff8cbc40a4754cb12192fbe4f02f3979"
+  revision = "1cd2662be938bfee0e34af92fe448513e0560fb1"
 
 [[override]]
   name = "github.com/go-xorm/builder"
@@ -97,8 +97,8 @@ ignored = ["google.golang.org/appengine*"]
   version = "1.31.1"
 
 [[constraint]]
-  name = "gopkg.in/ldap.v2"
-  version = "2.4.1"
+  name = "gopkg.in/ldap.v3"
+  version = "3.0.1"
 
 [[constraint]]
   name = "gopkg.in/macaron.v1"

cmd/cmd.go

@@ -9,10 +9,11 @@ package cmd
 import (
 	"errors"
 	"fmt"
-	"strings"
 
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
+
 	"github.com/urfave/cli"
 )
 
@@ -24,7 +25,7 @@ func argsSet(c *cli.Context, args ...string) error {
 			return errors.New(a + " is not set")
 		}
 
-		if len(strings.TrimSpace(c.String(a))) == 0 {
+		if util.IsEmptyString(a) {
 			return errors.New(a + " is required")
 		}
 	}

cmd/serv.go

@@ -70,6 +70,7 @@ func checkLFSVersion() {
 }
 
 func setup(logPath string) {
+	log.DelLogger("console")
 	setting.NewContext()
 	checkLFSVersion()
 	log.NewGitLogger(filepath.Join(setting.LogRootPath, logPath))
@@ -233,23 +234,30 @@ func runServ(c *cli.Context) error {
 
 		// Check deploy key or user key.
 		if key.Type == models.KeyTypeDeploy {
-			if key.Mode < requestedMode {
-				fail("Key permission denied", "Cannot push with deployment key: %d", key.ID)
-			}
-
-			// Check if this deploy key belongs to current repository.
-			has, err := private.HasDeployKey(key.ID, repo.ID)
+			// Now we have to get the deploy key for this repo
+			deployKey, err := private.GetDeployKey(key.ID, repo.ID)
 			if err != nil {
 				fail("Key access denied", "Failed to access internal api: [key_id: %d, repo_id: %d]", key.ID, repo.ID)
 			}
-			if !has {
+
+			if deployKey == nil {
 				fail("Key access denied", "Deploy key access denied: [key_id: %d, repo_id: %d]", key.ID, repo.ID)
 			}
 
+			if deployKey.Mode < requestedMode {
+				fail("Key permission denied", "Cannot push with read-only deployment key: %d to repo_id: %d", key.ID, repo.ID)
+			}
+
 			// Update deploy key activity.
 			if err = private.UpdateDeployKeyUpdated(key.ID, repo.ID); err != nil {
 				fail("Internal error", "UpdateDeployKey: %v", err)
 			}
+
+			// FIXME: Deploy keys aren't really the owner of the repo pushing changes
+			// however we don't have good way of representing deploy keys in hook.go
+			// so for now use the owner
+			os.Setenv(models.EnvPusherName, username)
+			os.Setenv(models.EnvPusherID, fmt.Sprintf("%d", repo.OwnerID))
 		} else {
 			user, err = private.GetUserByKeyID(key.ID)
 			if err != nil {

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -122,9 +122,8 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `LFS_CONTENT_PATH`: **./data/lfs**: Where to store LFS files.
 - `LFS_JWT_SECRET`: **\<empty\>**: LFS authentication secret, change this a unique string.
 - `LFS_HTTP_AUTH_EXPIRY`: **20m**: LFS authentication validity period in time.Duration, pushes taking longer than this may fail.
-- `REDIRECT_OTHER_PORT`: **false**: If true and `PROTOCOL` is https, redirects http requests
-   on another (https) port.
-- `PORT_TO_REDIRECT`: **80**: Port used when `REDIRECT_OTHER_PORT` is true.
+- `REDIRECT_OTHER_PORT`: **false**: If true and `PROTOCOL` is https, allows redirecting http requests on `PORT_TO_REDIRECT` to the https port Gitea listens on.
+- `PORT_TO_REDIRECT`: **80**: Port for the http redirection service to listen on. Used when `REDIRECT_OTHER_PORT` is true.
 - `ENABLE_LETSENCRYPT`: **false**: If enabled you must set `DOMAIN` to valid internet facing domain (ensure DNS is set and port 80 is accessible by letsencrypt validation server).
    By using Lets Encrypt **you must consent** to their [terms of service](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf).
 - `LETSENCRYPT_ACCEPTTOS`: **false**: This is an explicit check that you accept the terms of service for Let's Encrypt.

docs/content/doc/usage/https-support.md

@@ -30,8 +30,22 @@ HTTP_PORT = 3000
 CERT_FILE = cert.pem
 KEY_FILE = key.pem
 ```
+
 To learn more about the config values, please checkout the [Config Cheat Sheet](../config-cheat-sheet#server).
 
+### Setting-up HTTP redirection
+
+The Gitea server is only able to listen to one port; to redirect HTTP requests to the HTTPS port, you will need to enable the HTTP redirection service:
+
+```ini
+[server]
+REDIRECT_OTHER_PORT = true
+; Port the redirection service should listen on
+PORT_TO_REDIRECT = 3080
+```
+
+If you are using Docker, make sure that this port is configured in your `docker-compose.yml` file.
+
 ## Using Let's Encrypt
 
 [Let's Encrypt](https://letsencrypt.org/) is a Certificate Authority that allows you to automatically request and renew SSL/TLS certificates. In addition to starting Gitea on your configured port, to request HTTPS certificates Gitea will also need to listed on port 80, and will set up an autoredirect to HTTPS for you. Let's Encrypt will need to be able to access Gitea via the Internet to verify your ownership of the domain.

integrations/api_helper_for_declarative_test.go

@@ -0,0 +1,152 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"testing"
+
+	api "code.gitea.io/sdk/gitea"
+	"github.com/stretchr/testify/assert"
+)
+
+type APITestContext struct {
+	Reponame     string
+	Session      *TestSession
+	Token        string
+	Username     string
+	ExpectedCode int
+}
+
+func NewAPITestContext(t *testing.T, username, reponame string) APITestContext {
+	session := loginUser(t, username)
+	token := getTokenForLoggedInUser(t, session)
+	return APITestContext{
+		Session:  session,
+		Token:    token,
+		Username: username,
+		Reponame: reponame,
+	}
+}
+
+func (ctx APITestContext) GitPath() string {
+	return fmt.Sprintf("%s/%s.git", ctx.Username, ctx.Reponame)
+}
+
+func doAPICreateRepository(ctx APITestContext, empty bool, callback ...func(*testing.T, api.Repository)) func(*testing.T) {
+	return func(t *testing.T) {
+		createRepoOption := &api.CreateRepoOption{
+			AutoInit:    !empty,
+			Description: "Temporary repo",
+			Name:        ctx.Reponame,
+			Private:     true,
+			Gitignores:  "",
+			License:     "WTFPL",
+			Readme:      "Default",
+		}
+		req := NewRequestWithJSON(t, "POST", "/api/v1/user/repos?token="+ctx.Token, createRepoOption)
+		if ctx.ExpectedCode != 0 {
+			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			return
+		}
+		resp := ctx.Session.MakeRequest(t, req, http.StatusCreated)
+
+		var repository api.Repository
+		DecodeJSON(t, resp, &repository)
+		if len(callback) > 0 {
+			callback[0](t, repository)
+		}
+	}
+}
+
+func doAPIGetRepository(ctx APITestContext, callback ...func(*testing.T, api.Repository)) func(*testing.T) {
+	return func(t *testing.T) {
+		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", ctx.Username, ctx.Reponame, ctx.Token)
+
+		req := NewRequest(t, "GET", urlStr)
+		if ctx.ExpectedCode != 0 {
+			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			return
+		}
+		resp := ctx.Session.MakeRequest(t, req, http.StatusOK)
+
+		var repository api.Repository
+		DecodeJSON(t, resp, &repository)
+		if len(callback) > 0 {
+			callback[0](t, repository)
+		}
+	}
+}
+
+func doAPIDeleteRepository(ctx APITestContext) func(*testing.T) {
+	return func(t *testing.T) {
+		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", ctx.Username, ctx.Reponame, ctx.Token)
+
+		req := NewRequest(t, "DELETE", urlStr)
+		if ctx.ExpectedCode != 0 {
+			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			return
+		}
+		ctx.Session.MakeRequest(t, req, http.StatusNoContent)
+	}
+}
+
+func doAPICreateUserKey(ctx APITestContext, keyname, keyFile string, callback ...func(*testing.T, api.PublicKey)) func(*testing.T) {
+	return func(t *testing.T) {
+		urlStr := fmt.Sprintf("/api/v1/user/keys?token=%s", ctx.Token)
+
+		dataPubKey, err := ioutil.ReadFile(keyFile + ".pub")
+		assert.NoError(t, err)
+		req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateKeyOption{
+			Title: keyname,
+			Key:   string(dataPubKey),
+		})
+		if ctx.ExpectedCode != 0 {
+			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			return
+		}
+		resp := ctx.Session.MakeRequest(t, req, http.StatusCreated)
+		var publicKey api.PublicKey
+		DecodeJSON(t, resp, &publicKey)
+		if len(callback) > 0 {
+			callback[0](t, publicKey)
+		}
+	}
+}
+
+func doAPIDeleteUserKey(ctx APITestContext, keyID int64) func(*testing.T) {
+	return func(t *testing.T) {
+		urlStr := fmt.Sprintf("/api/v1/user/keys/%d?token=%s", keyID, ctx.Token)
+
+		req := NewRequest(t, "DELETE", urlStr)
+		if ctx.ExpectedCode != 0 {
+			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			return
+		}
+		ctx.Session.MakeRequest(t, req, http.StatusNoContent)
+	}
+}
+
+func doAPICreateDeployKey(ctx APITestContext, keyname, keyFile string, readOnly bool) func(*testing.T) {
+	return func(t *testing.T) {
+		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/keys?token=%s", ctx.Username, ctx.Reponame, ctx.Token)
+
+		dataPubKey, err := ioutil.ReadFile(keyFile + ".pub")
+		assert.NoError(t, err)
+		req := NewRequestWithJSON(t, "POST", urlStr, api.CreateKeyOption{
+			Title:    keyname,
+			Key:      string(dataPubKey),
+			ReadOnly: readOnly,
+		})
+
+		if ctx.ExpectedCode != 0 {
+			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
+			return
+		}
+		ctx.Session.MakeRequest(t, req, http.StatusCreated)
+	}
+}

integrations/git_helper_for_declarative_test.go

@@ -0,0 +1,127 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/url"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"code.gitea.io/git"
+	"code.gitea.io/gitea/modules/setting"
+	"github.com/Unknwon/com"
+	"github.com/stretchr/testify/assert"
+)
+
+func withKeyFile(t *testing.T, keyname string, callback func(string)) {
+	keyFile := filepath.Join(setting.AppDataPath, keyname)
+	err := exec.Command("ssh-keygen", "-f", keyFile, "-t", "rsa", "-N", "").Run()
+	assert.NoError(t, err)
+
+	//Setup ssh wrapper
+	os.Setenv("GIT_SSH_COMMAND",
+		"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i "+
+			filepath.Join(setting.AppWorkPath, keyFile))
+	os.Setenv("GIT_SSH_VARIANT", "ssh")
+
+	callback(keyFile)
+
+	defer os.RemoveAll(keyFile)
+	defer os.RemoveAll(keyFile + ".pub")
+}
+
+func createSSHUrl(gitPath string, u *url.URL) *url.URL {
+	u2 := *u
+	u2.Scheme = "ssh"
+	u2.User = url.User("git")
+	u2.Host = fmt.Sprintf("%s:%d", setting.SSH.ListenHost, setting.SSH.ListenPort)
+	u2.Path = gitPath
+	return &u2
+}
+
+func onGiteaRun(t *testing.T, callback func(*testing.T, *url.URL)) {
+	prepareTestEnv(t)
+	s := http.Server{
+		Handler: mac,
+	}
+
+	u, err := url.Parse(setting.AppURL)
+	assert.NoError(t, err)
+	listener, err := net.Listen("tcp", u.Host)
+	assert.NoError(t, err)
+
+	defer func() {
+		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
+		s.Shutdown(ctx)
+		cancel()
+	}()
+
+	go s.Serve(listener)
+	//Started by config go ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers, setting.SSH.ServerKeyExchanges, setting.SSH.ServerMACs)
+
+	callback(t, u)
+}
+
+func doGitClone(dstLocalPath string, u *url.URL) func(*testing.T) {
+	return func(t *testing.T) {
+		assert.NoError(t, git.Clone(u.String(), dstLocalPath, git.CloneRepoOptions{}))
+		assert.True(t, com.IsExist(filepath.Join(dstLocalPath, "README.md")))
+	}
+}
+
+func doGitCloneFail(dstLocalPath string, u *url.URL) func(*testing.T) {
+	return func(t *testing.T) {
+		assert.Error(t, git.Clone(u.String(), dstLocalPath, git.CloneRepoOptions{}))
+		assert.False(t, com.IsExist(filepath.Join(dstLocalPath, "README.md")))
+	}
+}
+
+func doGitInitTestRepository(dstPath string) func(*testing.T) {
+	return func(t *testing.T) {
+		// Init repository in dstPath
+		assert.NoError(t, git.InitRepository(dstPath, false))
+		assert.NoError(t, ioutil.WriteFile(filepath.Join(dstPath, "README.md"), []byte(fmt.Sprintf("# Testing Repository\n\nOriginally created in: %s", dstPath)), 0644))
+		assert.NoError(t, git.AddChanges(dstPath, true))
+		signature := git.Signature{
+			Email: "test@example.com",
+			Name:  "test",
+			When:  time.Now(),
+		}
+		assert.NoError(t, git.CommitChanges(dstPath, git.CommitChangesOptions{
+			Committer: &signature,
+			Author:    &signature,
+			Message:   "Initial Commit",
+		}))
+	}
+}
+
+func doGitAddRemote(dstPath, remoteName string, u *url.URL) func(*testing.T) {
+	return func(t *testing.T) {
+		_, err := git.NewCommand("remote", "add", remoteName, u.String()).RunInDir(dstPath)
+		assert.NoError(t, err)
+	}
+}
+
+func doGitPushTestRepository(dstPath, remoteName, branch string) func(*testing.T) {
+	return func(t *testing.T) {
+		_, err := git.NewCommand("push", "-u", remoteName, branch).RunInDir(dstPath)
+		assert.NoError(t, err)
+	}
+}
+
+func doGitPushTestRepositoryFail(dstPath, remoteName, branch string) func(*testing.T) {
+	return func(t *testing.T) {
+		_, err := git.NewCommand("push", "-u", remoteName, branch).RunInDir(dstPath)
+		assert.Error(t, err)
+	}
+}

integrations/git_test.go

@@ -5,25 +5,17 @@
 package integrations
 
 import (
-	"context"
 	"crypto/rand"
 	"fmt"
 	"io/ioutil"
-	"net"
-	"net/http"
 	"net/url"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"testing"
 	"time"
 
 	"code.gitea.io/git"
-	"code.gitea.io/gitea/models"
-	"code.gitea.io/gitea/modules/setting"
-	api "code.gitea.io/sdk/gitea"
 
-	"github.com/Unknwon/com"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -32,160 +24,86 @@ const (
 	bigSize    = 128 * 1024 * 1024 //128Mo
 )
 
-func onGiteaRun(t *testing.T, callback func(*testing.T, *url.URL)) {
-	prepareTestEnv(t)
-	s := http.Server{
-		Handler: mac,
-	}
-
-	u, err := url.Parse(setting.AppURL)
-	assert.NoError(t, err)
-	listener, err := net.Listen("tcp", u.Host)
-	assert.NoError(t, err)
-
-	defer func() {
-		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
-		s.Shutdown(ctx)
-		cancel()
-	}()
-
-	go s.Serve(listener)
-	//Started by config go ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers, setting.SSH.ServerKeyExchanges, setting.SSH.ServerMACs)
-
-	callback(t, u)
+func TestGit(t *testing.T) {
+	onGiteaRun(t, testGit)
 }
 
-func TestGit(t *testing.T) {
-	onGiteaRun(t, func(t *testing.T, u *url.URL) {
-		u.Path = "user2/repo1.git"
+func testGit(t *testing.T, u *url.URL) {
+	username := "user2"
+	baseAPITestContext := NewAPITestContext(t, username, "repo1")
 
-		t.Run("HTTP", func(t *testing.T) {
-			dstPath, err := ioutil.TempDir("", "repo-tmp-17")
-			assert.NoError(t, err)
-			defer os.RemoveAll(dstPath)
-			t.Run("Standard", func(t *testing.T) {
-				t.Run("CloneNoLogin", func(t *testing.T) {
-					dstLocalPath, err := ioutil.TempDir("", "repo1")
-					assert.NoError(t, err)
-					defer os.RemoveAll(dstLocalPath)
-					err = git.Clone(u.String(), dstLocalPath, git.CloneRepoOptions{})
-					assert.NoError(t, err)
-					assert.True(t, com.IsExist(filepath.Join(dstLocalPath, "README.md")))
-				})
+	u.Path = baseAPITestContext.GitPath()
 
-				t.Run("CreateRepo", func(t *testing.T) {
-					session := loginUser(t, "user2")
-					token := getTokenForLoggedInUser(t, session)
-					req := NewRequestWithJSON(t, "POST", "/api/v1/user/repos?token="+token, &api.CreateRepoOption{
-						AutoInit:    true,
-						Description: "Temporary repo",
-						Name:        "repo-tmp-17",
-						Private:     false,
-						Gitignores:  "",
-						License:     "WTFPL",
-						Readme:      "Default",
-					})
-					session.MakeRequest(t, req, http.StatusCreated)
-				})
+	t.Run("HTTP", func(t *testing.T) {
+		httpContext := baseAPITestContext
+		httpContext.Reponame = "repo-tmp-17"
 
-				u.Path = "user2/repo-tmp-17.git"
-				u.User = url.UserPassword("user2", userPassword)
-				t.Run("Clone", func(t *testing.T) {
-					err = git.Clone(u.String(), dstPath, git.CloneRepoOptions{})
-					assert.NoError(t, err)
-					assert.True(t, com.IsExist(filepath.Join(dstPath, "README.md")))
-				})
+		dstPath, err := ioutil.TempDir("", httpContext.Reponame)
+		assert.NoError(t, err)
+		defer os.RemoveAll(dstPath)
+		t.Run("Standard", func(t *testing.T) {
+			ensureAnonymousClone(t, u)
 
-				t.Run("PushCommit", func(t *testing.T) {
-					t.Run("Little", func(t *testing.T) {
-						commitAndPush(t, littleSize, dstPath)
-					})
-					t.Run("Big", func(t *testing.T) {
-						commitAndPush(t, bigSize, dstPath)
-					})
-				})
-			})
-			t.Run("LFS", func(t *testing.T) {
-				t.Run("PushCommit", func(t *testing.T) {
-					//Setup git LFS
-					_, err = git.NewCommand("lfs").AddArguments("install").RunInDir(dstPath)
-					assert.NoError(t, err)
-					_, err = git.NewCommand("lfs").AddArguments("track", "data-file-*").RunInDir(dstPath)
-					assert.NoError(t, err)
-					err = git.AddChanges(dstPath, false, ".gitattributes")
-					assert.NoError(t, err)
+			t.Run("CreateRepo", doAPICreateRepository(httpContext, false))
 
-					t.Run("Little", func(t *testing.T) {
-						commitAndPush(t, littleSize, dstPath)
-					})
-					t.Run("Big", func(t *testing.T) {
-						commitAndPush(t, bigSize, dstPath)
-					})
+			u.Path = httpContext.GitPath()
+			u.User = url.UserPassword(username, userPassword)
+
+			t.Run("Clone", doGitClone(dstPath, u))
+
+			t.Run("PushCommit", func(t *testing.T) {
+				t.Run("Little", func(t *testing.T) {
+					commitAndPush(t, littleSize, dstPath)
 				})
-				t.Run("Locks", func(t *testing.T) {
-					lockTest(t, u.String(), dstPath)
+				t.Run("Big", func(t *testing.T) {
+					commitAndPush(t, bigSize, dstPath)
 				})
 			})
 		})
-		t.Run("SSH", func(t *testing.T) {
-			//Setup remote link
-			u.Scheme = "ssh"
-			u.User = url.User("git")
-			u.Host = fmt.Sprintf("%s:%d", setting.SSH.ListenHost, setting.SSH.ListenPort)
-			u.Path = "user2/repo-tmp-18.git"
+		t.Run("LFS", func(t *testing.T) {
+			t.Run("PushCommit", func(t *testing.T) {
+				//Setup git LFS
+				_, err = git.NewCommand("lfs").AddArguments("install").RunInDir(dstPath)
+				assert.NoError(t, err)
+				_, err = git.NewCommand("lfs").AddArguments("track", "data-file-*").RunInDir(dstPath)
+				assert.NoError(t, err)
+				err = git.AddChanges(dstPath, false, ".gitattributes")
+				assert.NoError(t, err)
 
-			//Setup key
-			keyFile := filepath.Join(setting.AppDataPath, "my-testing-key")
-			err := exec.Command("ssh-keygen", "-f", keyFile, "-t", "rsa", "-N", "").Run()
-			assert.NoError(t, err)
-			defer os.RemoveAll(keyFile)
-			defer os.RemoveAll(keyFile + ".pub")
-
-			session := loginUser(t, "user1")
-			keyOwner := models.AssertExistsAndLoadBean(t, &models.User{Name: "user2"}).(*models.User)
-			token := getTokenForLoggedInUser(t, session)
-			urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", keyOwner.Name, token)
-
-			dataPubKey, err := ioutil.ReadFile(keyFile + ".pub")
-			assert.NoError(t, err)
-			req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
-				"key":   string(dataPubKey),
-				"title": "test-key",
+				t.Run("Little", func(t *testing.T) {
+					commitAndPush(t, littleSize, dstPath)
+				})
+				t.Run("Big", func(t *testing.T) {
+					commitAndPush(t, bigSize, dstPath)
+				})
 			})
-			session.MakeRequest(t, req, http.StatusCreated)
+			t.Run("Locks", func(t *testing.T) {
+				lockTest(t, u.String(), dstPath)
+			})
+		})
+	})
+	t.Run("SSH", func(t *testing.T) {
+		sshContext := baseAPITestContext
+		sshContext.Reponame = "repo-tmp-18"
+		keyname := "my-testing-key"
+		//Setup key the user ssh key
+		withKeyFile(t, keyname, func(keyFile string) {
+			t.Run("CreateUserKey", doAPICreateUserKey(sshContext, "test-key", keyFile))
 
-			//Setup ssh wrapper
-			os.Setenv("GIT_SSH_COMMAND",
-				"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i "+
-					filepath.Join(setting.AppWorkPath, keyFile))
-			os.Setenv("GIT_SSH_VARIANT", "ssh")
+			//Setup remote link
+			sshURL := createSSHUrl(sshContext.GitPath(), u)
 
 			//Setup clone folder
-			dstPath, err := ioutil.TempDir("", "repo-tmp-18")
+			dstPath, err := ioutil.TempDir("", sshContext.Reponame)
 			assert.NoError(t, err)
 			defer os.RemoveAll(dstPath)
 
 			t.Run("Standard", func(t *testing.T) {
-				t.Run("CreateRepo", func(t *testing.T) {
-					session := loginUser(t, "user2")
-					token := getTokenForLoggedInUser(t, session)
-					req := NewRequestWithJSON(t, "POST", "/api/v1/user/repos?token="+token, &api.CreateRepoOption{
-						AutoInit:    true,
-						Description: "Temporary repo",
-						Name:        "repo-tmp-18",
-						Private:     false,
-						Gitignores:  "",
-						License:     "WTFPL",
-						Readme:      "Default",
-					})
-					session.MakeRequest(t, req, http.StatusCreated)
-				})
+				t.Run("CreateRepo", doAPICreateRepository(sshContext, false))
+
 				//TODO get url from api
-				t.Run("Clone", func(t *testing.T) {
-					_, err = git.NewCommand("clone").AddArguments(u.String(), dstPath).Run()
-					assert.NoError(t, err)
-					assert.True(t, com.IsExist(filepath.Join(dstPath, "README.md")))
-				})
+				t.Run("Clone", doGitClone(dstPath, sshURL))
+
 				//time.Sleep(5 * time.Minute)
 				t.Run("PushCommit", func(t *testing.T) {
 					t.Run("Little", func(t *testing.T) {
@@ -217,10 +135,20 @@ func TestGit(t *testing.T) {
 					lockTest(t, u.String(), dstPath)
 				})
 			})
+
 		})
+
 	})
 }
 
+func ensureAnonymousClone(t *testing.T, u *url.URL) {
+	dstLocalPath, err := ioutil.TempDir("", "repo1")
+	assert.NoError(t, err)
+	defer os.RemoveAll(dstLocalPath)
+	t.Run("CloneAnonymous", doGitClone(dstLocalPath, u))
+
+}
+
 func lockTest(t *testing.T, remote, repoPath string) {
 	_, err := git.NewCommand("remote").AddArguments("set-url", "origin", remote).RunInDir(repoPath) //TODO add test ssh git-lfs-creds
 	assert.NoError(t, err)

integrations/release_test.go

@@ -112,7 +112,7 @@ func TestCreateReleasePaging(t *testing.T) {
 
 	checkLatestReleaseAndCount(t, session, "/user2/repo1", "v0.0.12", i18n.Tr("en", "repo.release.draft"), 10)
 
-	// Check that user3 does not see draft and still see 10 latest releases
-	session2 := loginUser(t, "user3")
+	// Check that user4 does not see draft and still see 10 latest releases
+	session2 := loginUser(t, "user4")
 	checkLatestReleaseAndCount(t, session2, "/user2/repo1", "v0.0.11", i18n.Tr("en", "repo.release.stable"), 10)
 }

integrations/ssh_key_test.go

@@ -0,0 +1,217 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"code.gitea.io/git"
+	api "code.gitea.io/sdk/gitea"
+	"github.com/stretchr/testify/assert"
+)
+
+func doCheckRepositoryEmptyStatus(ctx APITestContext, isEmpty bool) func(*testing.T) {
+	return doAPIGetRepository(ctx, func(t *testing.T, repository api.Repository) {
+		assert.Equal(t, isEmpty, repository.Empty)
+	})
+}
+
+func doAddChangesToCheckout(dstPath, filename string) func(*testing.T) {
+	return func(t *testing.T) {
+		assert.NoError(t, ioutil.WriteFile(filepath.Join(dstPath, filename), []byte(fmt.Sprintf("# Testing Repository\n\nOriginally created in: %s at time: %v", dstPath, time.Now())), 0644))
+		assert.NoError(t, git.AddChanges(dstPath, true))
+		signature := git.Signature{
+			Email: "test@example.com",
+			Name:  "test",
+			When:  time.Now(),
+		}
+		assert.NoError(t, git.CommitChanges(dstPath, git.CommitChangesOptions{
+			Committer: &signature,
+			Author:    &signature,
+			Message:   "Initial Commit",
+		}))
+	}
+}
+
+func TestPushDeployKeyOnEmptyRepo(t *testing.T) {
+	onGiteaRun(t, testPushDeployKeyOnEmptyRepo)
+}
+
+func testPushDeployKeyOnEmptyRepo(t *testing.T, u *url.URL) {
+	// OK login
+	ctx := NewAPITestContext(t, "user2", "deploy-key-empty-repo-1")
+	keyname := fmt.Sprintf("%s-push", ctx.Reponame)
+	u.Path = ctx.GitPath()
+
+	t.Run("CreateEmptyRepository", doAPICreateRepository(ctx, true))
+
+	t.Run("CheckIsEmpty", doCheckRepositoryEmptyStatus(ctx, true))
+
+	withKeyFile(t, keyname, func(keyFile string) {
+		t.Run("CreatePushDeployKey", doAPICreateDeployKey(ctx, keyname, keyFile, false))
+
+		// Setup the testing repository
+		dstPath, err := ioutil.TempDir("", "repo-tmp-deploy-key-empty-repo-1")
+		assert.NoError(t, err)
+		defer os.RemoveAll(dstPath)
+
+		t.Run("InitTestRepository", doGitInitTestRepository(dstPath))
+
+		//Setup remote link
+		sshURL := createSSHUrl(ctx.GitPath(), u)
+
+		t.Run("AddRemote", doGitAddRemote(dstPath, "origin", sshURL))
+
+		t.Run("SSHPushTestRepository", doGitPushTestRepository(dstPath, "origin", "master"))
+
+		t.Run("CheckIsNotEmpty", doCheckRepositoryEmptyStatus(ctx, false))
+
+		t.Run("DeleteRepository", doAPIDeleteRepository(ctx))
+	})
+}
+
+func TestKeyOnlyOneType(t *testing.T) {
+	onGiteaRun(t, testKeyOnlyOneType)
+}
+
+func testKeyOnlyOneType(t *testing.T, u *url.URL) {
+	// Once a key is a user key we cannot use it as a deploy key
+	// If we delete it from the user we should be able to use it as a deploy key
+	reponame := "ssh-key-test-repo"
+	username := "user2"
+	u.Path = fmt.Sprintf("%s/%s.git", username, reponame)
+	keyname := fmt.Sprintf("%s-push", reponame)
+
+	// OK login
+	ctx := NewAPITestContext(t, username, reponame)
+
+	otherCtx := ctx
+	otherCtx.Reponame = "ssh-key-test-repo-2"
+
+	failCtx := ctx
+	failCtx.ExpectedCode = http.StatusUnprocessableEntity
+
+	t.Run("CreateRepository", doAPICreateRepository(ctx, false))
+	t.Run("CreateOtherRepository", doAPICreateRepository(otherCtx, false))
+
+	withKeyFile(t, keyname, func(keyFile string) {
+		var userKeyPublicKeyID int64
+		t.Run("KeyCanOnlyBeUser", func(t *testing.T) {
+			dstPath, err := ioutil.TempDir("", ctx.Reponame)
+			assert.NoError(t, err)
+			defer os.RemoveAll(dstPath)
+
+			sshURL := createSSHUrl(ctx.GitPath(), u)
+
+			t.Run("FailToClone", doGitCloneFail(dstPath, sshURL))
+
+			t.Run("CreateUserKey", doAPICreateUserKey(ctx, keyname, keyFile, func(t *testing.T, publicKey api.PublicKey) {
+				userKeyPublicKeyID = publicKey.ID
+			}))
+
+			t.Run("FailToAddReadOnlyDeployKey", doAPICreateDeployKey(failCtx, keyname, keyFile, true))
+
+			t.Run("FailToAddDeployKey", doAPICreateDeployKey(failCtx, keyname, keyFile, false))
+
+			t.Run("Clone", doGitClone(dstPath, sshURL))
+
+			t.Run("AddChanges", doAddChangesToCheckout(dstPath, "CHANGES1.md"))
+
+			t.Run("Push", doGitPushTestRepository(dstPath, "origin", "master"))
+
+			t.Run("DeleteUserKey", doAPIDeleteUserKey(ctx, userKeyPublicKeyID))
+		})
+
+		t.Run("KeyCanBeAnyDeployButNotUserAswell", func(t *testing.T) {
+			dstPath, err := ioutil.TempDir("", ctx.Reponame)
+			assert.NoError(t, err)
+			defer os.RemoveAll(dstPath)
+
+			sshURL := createSSHUrl(ctx.GitPath(), u)
+
+			t.Run("FailToClone", doGitCloneFail(dstPath, sshURL))
+
+			// Should now be able to add...
+			t.Run("AddReadOnlyDeployKey", doAPICreateDeployKey(ctx, keyname, keyFile, true))
+
+			t.Run("Clone", doGitClone(dstPath, sshURL))
+
+			t.Run("AddChanges", doAddChangesToCheckout(dstPath, "CHANGES2.md"))
+
+			t.Run("FailToPush", doGitPushTestRepositoryFail(dstPath, "origin", "master"))
+
+			otherSSHURL := createSSHUrl(otherCtx.GitPath(), u)
+			dstOtherPath, err := ioutil.TempDir("", otherCtx.Reponame)
+			assert.NoError(t, err)
+			defer os.RemoveAll(dstOtherPath)
+
+			t.Run("AddWriterDeployKeyToOther", doAPICreateDeployKey(otherCtx, keyname, keyFile, false))
+
+			t.Run("CloneOther", doGitClone(dstOtherPath, otherSSHURL))
+
+			t.Run("AddChangesToOther", doAddChangesToCheckout(dstOtherPath, "CHANGES3.md"))
+
+			t.Run("PushToOther", doGitPushTestRepository(dstOtherPath, "origin", "master"))
+
+			t.Run("FailToCreateUserKey", doAPICreateUserKey(failCtx, keyname, keyFile))
+		})
+
+		t.Run("DeleteRepositoryShouldReleaseKey", func(t *testing.T) {
+			otherSSHURL := createSSHUrl(otherCtx.GitPath(), u)
+			dstOtherPath, err := ioutil.TempDir("", otherCtx.Reponame)
+			assert.NoError(t, err)
+			defer os.RemoveAll(dstOtherPath)
+
+			t.Run("DeleteRepository", doAPIDeleteRepository(ctx))
+
+			t.Run("FailToCreateUserKeyAsStillDeploy", doAPICreateUserKey(failCtx, keyname, keyFile))
+
+			t.Run("MakeSureCloneOtherStillWorks", doGitClone(dstOtherPath, otherSSHURL))
+
+			t.Run("AddChangesToOther", doAddChangesToCheckout(dstOtherPath, "CHANGES3.md"))
+
+			t.Run("PushToOther", doGitPushTestRepository(dstOtherPath, "origin", "master"))
+
+			t.Run("DeleteOtherRepository", doAPIDeleteRepository(otherCtx))
+
+			t.Run("RecreateRepository", doAPICreateRepository(ctx, false))
+
+			t.Run("CreateUserKey", doAPICreateUserKey(ctx, keyname, keyFile, func(t *testing.T, publicKey api.PublicKey) {
+				userKeyPublicKeyID = publicKey.ID
+			}))
+
+			dstPath, err := ioutil.TempDir("", ctx.Reponame)
+			assert.NoError(t, err)
+			defer os.RemoveAll(dstPath)
+
+			sshURL := createSSHUrl(ctx.GitPath(), u)
+
+			t.Run("Clone", doGitClone(dstPath, sshURL))
+
+			t.Run("AddChanges", doAddChangesToCheckout(dstPath, "CHANGES1.md"))
+
+			t.Run("Push", doGitPushTestRepository(dstPath, "origin", "master"))
+		})
+
+		t.Run("DeleteUserKeyShouldRemoveAbilityToClone", func(t *testing.T) {
+			dstPath, err := ioutil.TempDir("", ctx.Reponame)
+			assert.NoError(t, err)
+			defer os.RemoveAll(dstPath)
+
+			sshURL := createSSHUrl(ctx.GitPath(), u)
+
+			t.Run("DeleteUserKey", doAPIDeleteUserKey(ctx, userKeyPublicKeyID))
+
+			t.Run("FailToClone", doGitCloneFail(dstPath, sshURL))
+		})
+	})
+}

main.go

@@ -8,6 +8,7 @@ package main // import "code.gitea.io/gitea"
 
 import (
 	"os"
+	"runtime"
 	"strings"
 
 	"code.gitea.io/gitea/cmd"
@@ -61,8 +62,8 @@ arguments - which can alternatively be run by running the subcommand web.`
 
 func formatBuiltWith(Tags string) string {
 	if len(Tags) == 0 {
-		return ""
+		return " built with " + runtime.Version()
 	}
 
-	return " built with: " + strings.Replace(Tags, " ", ", ", -1)
+	return " built with " + runtime.Version() + " : " + strings.Replace(Tags, " ", ", ", -1)
 }

models/action.go

@@ -476,8 +476,34 @@ func getIssueFromRef(repo *Repository, ref string) (*Issue, error) {
 	return issue, nil
 }
 
+func changeIssueStatus(repo *Repository, doer *User, ref string, refMarked map[int64]bool, status bool) error {
+	issue, err := getIssueFromRef(repo, ref)
+	if err != nil {
+		return err
+	}
+
+	if issue == nil || refMarked[issue.ID] {
+		return nil
+	}
+	refMarked[issue.ID] = true
+
+	if issue.RepoID != repo.ID || issue.IsClosed == status {
+		return nil
+	}
+
+	issue.Repo = repo
+	if err = issue.ChangeStatus(doer, status); err != nil {
+		// Don't return an error when dependencies are open as this would let the push fail
+		if IsErrDependenciesLeft(err) {
+			return nil
+		}
+		return err
+	}
+	return nil
+}
+
 // UpdateIssuesCommit checks if issues are manipulated by commit message.
-func UpdateIssuesCommit(doer *User, repo *Repository, commits []*PushCommit) error {
+func UpdateIssuesCommit(doer *User, repo *Repository, commits []*PushCommit, branchName string) error {
 	// Commits are appended in the reverse order.
 	for i := len(commits) - 1; i >= 0; i-- {
 		c := commits[i]
@@ -500,51 +526,21 @@ func UpdateIssuesCommit(doer *User, repo *Repository, commits []*PushCommit) err
 			}
 		}
 
+		// Change issue status only if the commit has been pushed to the default branch.
+		if repo.DefaultBranch != branchName {
+			continue
+		}
+
 		refMarked = make(map[int64]bool)
-		// FIXME: can merge this one and next one to a common function.
 		for _, ref := range issueCloseKeywordsPat.FindAllString(c.Message, -1) {
-			issue, err := getIssueFromRef(repo, ref)
-			if err != nil {
-				return err
-			}
-
-			if issue == nil || refMarked[issue.ID] {
-				continue
-			}
-			refMarked[issue.ID] = true
-
-			if issue.RepoID != repo.ID || issue.IsClosed {
-				continue
-			}
-
-			issue.Repo = repo
-			if err = issue.ChangeStatus(doer, true); err != nil {
-				// Don't return an error when dependencies are open as this would let the push fail
-				if IsErrDependenciesLeft(err) {
-					return nil
-				}
+			if err := changeIssueStatus(repo, doer, ref, refMarked, true); err != nil {
 				return err
 			}
 		}
 
 		// It is conflict to have close and reopen at same time, so refsMarked doesn't need to reinit here.
 		for _, ref := range issueReopenKeywordsPat.FindAllString(c.Message, -1) {
-			issue, err := getIssueFromRef(repo, ref)
-			if err != nil {
-				return err
-			}
-
-			if issue == nil || refMarked[issue.ID] {
-				continue
-			}
-			refMarked[issue.ID] = true
-
-			if issue.RepoID != repo.ID || !issue.IsClosed {
-				continue
-			}
-
-			issue.Repo = repo
-			if err = issue.ChangeStatus(doer, false); err != nil {
+			if err := changeIssueStatus(repo, doer, ref, refMarked, false); err != nil {
 				return err
 			}
 		}
@@ -609,7 +605,7 @@ func CommitRepoAction(opts CommitRepoActionOptions) error {
 			opts.Commits.CompareURL = repo.ComposeCompareURL(opts.OldCommitID, opts.NewCommitID)
 		}
 
-		if err = UpdateIssuesCommit(pusher, repo, opts.Commits.Commits); err != nil {
+		if err = UpdateIssuesCommit(pusher, repo, opts.Commits.Commits, refName); err != nil {
 			log.Error(4, "updateIssuesCommit: %v", err)
 		}
 	}

models/action_test.go

@@ -227,10 +227,37 @@ func TestUpdateIssuesCommit(t *testing.T) {
 
 	AssertNotExistsBean(t, commentBean)
 	AssertNotExistsBean(t, &Issue{RepoID: repo.ID, Index: 2}, "is_closed=1")
-	assert.NoError(t, UpdateIssuesCommit(user, repo, pushCommits))
+	assert.NoError(t, UpdateIssuesCommit(user, repo, pushCommits, repo.DefaultBranch))
 	AssertExistsAndLoadBean(t, commentBean)
 	AssertExistsAndLoadBean(t, issueBean, "is_closed=1")
 	CheckConsistencyFor(t, &Action{})
+
+	// Test that push to a non-default branch closes no issue.
+	pushCommits = []*PushCommit{
+		{
+			Sha1:           "abcdef1",
+			CommitterEmail: "user2@example.com",
+			CommitterName:  "User Two",
+			AuthorEmail:    "user4@example.com",
+			AuthorName:     "User Four",
+			Message:        "close #1",
+		},
+	}
+	repo = AssertExistsAndLoadBean(t, &Repository{ID: 3}).(*Repository)
+	commentBean = &Comment{
+		Type:      CommentTypeCommitRef,
+		CommitSHA: "abcdef1",
+		PosterID:  user.ID,
+		IssueID:   6,
+	}
+	issueBean = &Issue{RepoID: repo.ID, Index: 1}
+
+	AssertNotExistsBean(t, commentBean)
+	AssertNotExistsBean(t, &Issue{RepoID: repo.ID, Index: 1}, "is_closed=1")
+	assert.NoError(t, UpdateIssuesCommit(user, repo, pushCommits, "non-existing-branch"))
+	AssertExistsAndLoadBean(t, commentBean)
+	AssertNotExistsBean(t, issueBean, "is_closed=1")
+	CheckConsistencyFor(t, &Action{})
 }
 
 func testCorrectRepoAction(t *testing.T, opts CommitRepoActionOptions, actionBean *Action) {

models/error.go

@@ -90,6 +90,38 @@ func (err ErrUserNotExist) Error() string {
 	return fmt.Sprintf("user does not exist [uid: %d, name: %s, keyid: %d]", err.UID, err.Name, err.KeyID)
 }
 
+// ErrUserProhibitLogin represents a "ErrUserProhibitLogin" kind of error.
+type ErrUserProhibitLogin struct {
+	UID  int64
+	Name string
+}
+
+// IsErrUserProhibitLogin checks if an error is a ErrUserProhibitLogin
+func IsErrUserProhibitLogin(err error) bool {
+	_, ok := err.(ErrUserProhibitLogin)
+	return ok
+}
+
+func (err ErrUserProhibitLogin) Error() string {
+	return fmt.Sprintf("user is not allowed login [uid: %d, name: %s]", err.UID, err.Name)
+}
+
+// ErrUserInactive represents a "ErrUserInactive" kind of error.
+type ErrUserInactive struct {
+	UID  int64
+	Name string
+}
+
+// IsErrUserInactive checks if an error is a ErrUserInactive
+func IsErrUserInactive(err error) bool {
+	_, ok := err.(ErrUserInactive)
+	return ok
+}
+
+func (err ErrUserInactive) Error() string {
+	return fmt.Sprintf("user is inactive [uid: %d, name: %s]", err.UID, err.Name)
+}
+
 // ErrEmailAlreadyUsed represents a "EmailAlreadyUsed" kind of error.
 type ErrEmailAlreadyUsed struct {
 	Email string

models/git_diff.go

@@ -550,7 +550,12 @@ func ParsePatch(maxLines, maxLineCharacters, maxFiles int, reader io.Reader) (*D
 			beg := len(cmdDiffHead)
 			a := line[beg+2 : middle]
 			b := line[middle+3:]
+
 			if hasQuote {
+				// Keep the entire string in double quotes for now
+				a = line[beg:middle]
+				b = line[middle+1:]
+
 				var err error
 				a, err = strconv.Unquote(a)
 				if err != nil {
@@ -560,6 +565,10 @@ func ParsePatch(maxLines, maxLineCharacters, maxFiles int, reader io.Reader) (*D
 				if err != nil {
 					return nil, fmt.Errorf("Unquote: %v", err)
 				}
+				// Now remove the /a /b
+				a = a[2:]
+				b = b[2:]
+
 			}
 
 			curFile = &DiffFile{
@@ -637,6 +646,7 @@ func ParsePatch(maxLines, maxLineCharacters, maxFiles int, reader io.Reader) (*D
 			}
 		}
 	}
+
 	return diff, nil
 }
 

models/git_diff_test.go

@@ -5,6 +5,8 @@ import (
 	"strings"
 	"testing"
 
+	"code.gitea.io/gitea/modules/setting"
+
 	dmp "github.com/sergi/go-diff/diffmatchpatch"
 	"github.com/stretchr/testify/assert"
 )
@@ -99,6 +101,59 @@ func ExampleCutDiffAroundLine() {
 	println(result)
 }
 
+func TestParsePatch(t *testing.T) {
+	var diff = `diff --git "a/README.md" "b/README.md"
+--- a/README.md
++++ b/README.md
+@@ -1,3 +1,6 @@
+ # gitea-github-migrator
++
++ Build Status
+- Latest Release
+ Docker Pulls
++ cut off
++ cut off`
+	result, err := ParsePatch(setting.Git.MaxGitDiffLines, setting.Git.MaxGitDiffLineCharacters, setting.Git.MaxGitDiffFiles, strings.NewReader(diff))
+	if err != nil {
+		t.Errorf("ParsePatch failed: %s", err)
+	}
+	println(result)
+
+	var diff2 = `diff --git "a/A \\ B" "b/A \\ B"
+--- "a/A \\ B"
++++ "b/A \\ B"
+@@ -1,3 +1,6 @@
+ # gitea-github-migrator
++
++ Build Status
+- Latest Release
+ Docker Pulls
++ cut off
++ cut off`
+	result, err = ParsePatch(setting.Git.MaxGitDiffLines, setting.Git.MaxGitDiffLineCharacters, setting.Git.MaxGitDiffFiles, strings.NewReader(diff2))
+	if err != nil {
+		t.Errorf("ParsePatch failed: %s", err)
+	}
+	println(result)
+
+	var diff3 = `diff --git a/README.md b/README.md
+--- a/README.md
++++ b/README.md
+@@ -1,3 +1,6 @@
+ # gitea-github-migrator
++
++ Build Status
+- Latest Release
+ Docker Pulls
++ cut off
++ cut off`
+	result, err = ParsePatch(setting.Git.MaxGitDiffLines, setting.Git.MaxGitDiffLineCharacters, setting.Git.MaxGitDiffFiles, strings.NewReader(diff3))
+	if err != nil {
+		t.Errorf("ParsePatch failed: %s", err)
+	}
+	println(result)
+}
+
 func setupDefaultDiff() *Diff {
 	return &Diff{
 		Files: []*DiffFile{

models/issue.go

@@ -1402,7 +1402,7 @@ func UpdateIssueMentions(e Engine, issueID int64, mentions []string) error {
 		}
 
 		memberIDs := make([]int64, 0, user.NumMembers)
-		orgUsers, err := GetOrgUsersByOrgID(user.ID)
+		orgUsers, err := getOrgUsersByOrgID(e, user.ID)
 		if err != nil {
 			return fmt.Errorf("GetOrgUsersByOrgID [%d]: %v", user.ID, err)
 		}

models/issue_assignees.go

@@ -44,7 +44,11 @@ func (issue *Issue) loadAssignees(e Engine) (err error) {
 
 // GetAssigneesByIssue returns everyone assigned to that issue
 func GetAssigneesByIssue(issue *Issue) (assignees []*User, err error) {
-	err = issue.loadAssignees(x)
+	return getAssigneesByIssue(x, issue)
+}
+
+func getAssigneesByIssue(e Engine, issue *Issue) (assignees []*User, err error) {
+	err = issue.loadAssignees(e)
 	if err != nil {
 		return assignees, err
 	}
@@ -173,7 +177,7 @@ func (issue *Issue) changeAssignee(sess *xorm.Session, doer *User, assigneeID in
 		issue.PullRequest.Issue = issue
 		apiPullRequest := &api.PullRequestPayload{
 			Index:       issue.Index,
-			PullRequest: issue.PullRequest.APIFormat(),
+			PullRequest: issue.PullRequest.apiFormat(sess),
 			Repository:  issue.Repo.innerAPIFormat(sess, mode, false),
 			Sender:      doer.APIFormat(),
 		}

models/issue_comment.go

@@ -748,6 +748,9 @@ func createIssueDependencyComment(e *xorm.Session, doer *User, issue *Issue, dep
 	if !add {
 		cType = CommentTypeRemoveDependency
 	}
+	if err = issue.loadRepo(e); err != nil {
+		return
+	}
 
 	// Make two comments, one in each issue
 	_, err = createComment(e, &CreateCommentOptions{

models/issue_dependency_test.go

@@ -19,11 +19,9 @@ func TestCreateIssueDependency(t *testing.T) {
 
 	issue1, err := GetIssueByID(1)
 	assert.NoError(t, err)
-	issue1.LoadAttributes()
 
 	issue2, err := GetIssueByID(2)
 	assert.NoError(t, err)
-	issue2.LoadAttributes()
 
 	// Create a dependency and check if it was successful
 	err = CreateIssueDependency(user1, issue1, issue2)

models/issue_mail.go

@@ -39,16 +39,16 @@ func mailIssueCommentToParticipants(e Engine, issue *Issue, doer *User, content
 
 	// In case the issue poster is not watching the repository and is active,
 	// even if we have duplicated in watchers, can be safely filtered out.
-	poster, err := getUserByID(e, issue.PosterID)
+	err = issue.loadPoster(e)
 	if err != nil {
 		return fmt.Errorf("GetUserByID [%d]: %v", issue.PosterID, err)
 	}
-	if issue.PosterID != doer.ID && poster.IsActive && !poster.ProhibitLogin {
+	if issue.PosterID != doer.ID && issue.Poster.IsActive && !issue.Poster.ProhibitLogin {
 		participants = append(participants, issue.Poster)
 	}
 
 	// Assignees must receive any communications
-	assignees, err := GetAssigneesByIssue(issue)
+	assignees, err := getAssigneesByIssue(e, issue)
 	if err != nil {
 		return err
 	}
@@ -88,6 +88,10 @@ func mailIssueCommentToParticipants(e Engine, issue *Issue, doer *User, content
 		names = append(names, participants[i].Name)
 	}
 
+	if err := issue.loadRepo(e); err != nil {
+		return err
+	}
+
 	for _, to := range tos {
 		SendIssueCommentMail(issue, doer, content, comment, []string{to})
 	}

models/issue_user.go

@@ -54,7 +54,7 @@ func newIssueUsers(e Engine, repo *Repository, issue *Issue) error {
 func updateIssueAssignee(e *xorm.Session, issue *Issue, assigneeID int64) (removed bool, err error) {
 
 	// Check if the user exists
-	assignee, err := GetUserByID(assigneeID)
+	assignee, err := getUserByID(e, assigneeID)
 	if err != nil {
 		return false, err
 	}

models/login_source.go

@@ -600,16 +600,29 @@ func ExternalUserLogin(user *User, login, password string, source *LoginSource,
 		return nil, ErrLoginSourceNotActived
 	}
 
+	var err error
 	switch source.Type {
 	case LoginLDAP, LoginDLDAP:
-		return LoginViaLDAP(user, login, password, source, autoRegister)
+		user, err = LoginViaLDAP(user, login, password, source, autoRegister)
 	case LoginSMTP:
-		return LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*SMTPConfig), autoRegister)
+		user, err = LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*SMTPConfig), autoRegister)
 	case LoginPAM:
-		return LoginViaPAM(user, login, password, source.ID, source.Cfg.(*PAMConfig), autoRegister)
+		user, err = LoginViaPAM(user, login, password, source.ID, source.Cfg.(*PAMConfig), autoRegister)
+	default:
+		return nil, ErrUnsupportedLoginType
 	}
 
-	return nil, ErrUnsupportedLoginType
+	if err != nil {
+		return nil, err
+	}
+
+	// WARN: DON'T check user.IsActive, that will be checked on reqSign so that
+	// user could be hint to resend confirm email.
+	if user.ProhibitLogin {
+		return nil, ErrUserProhibitLogin{user.ID, user.Name}
+	}
+
+	return user, nil
 }
 
 // UserSignIn validates user name and password.
@@ -644,7 +657,13 @@ func UserSignIn(username, password string) (*User, error) {
 	if hasUser {
 		switch user.LoginType {
 		case LoginNoType, LoginPlain, LoginOAuth2:
-			if user.ValidatePassword(password) {
+			if user.IsPasswordSet() && user.ValidatePassword(password) {
+				// WARN: DON'T check user.IsActive, that will be checked on reqSign so that
+				// user could be hint to resend confirm email.
+				if user.ProhibitLogin {
+					return nil, ErrUserProhibitLogin{user.ID, user.Name}
+				}
+
 				return user, nil
 			}
 

models/org.go

@@ -393,8 +393,12 @@ func GetOrgUsersByUserID(uid int64, all bool) ([]*OrgUser, error) {
 
 // GetOrgUsersByOrgID returns all organization-user relations by organization ID.
 func GetOrgUsersByOrgID(orgID int64) ([]*OrgUser, error) {
+	return getOrgUsersByOrgID(x, orgID)
+}
+
+func getOrgUsersByOrgID(e Engine, orgID int64) ([]*OrgUser, error) {
 	ous := make([]*OrgUser, 0, 10)
-	err := x.
+	err := e.
 		Where("org_id=?", orgID).
 		Find(&ous)
 	return ous, err

models/pull.go

@@ -366,7 +366,7 @@ func (pr *PullRequest) Merge(doer *User, baseGitRepo *git.Repository, mergeStyle
 		return fmt.Errorf("Failed to create dir %s: %v", tmpBasePath, err)
 	}
 
-	defer os.RemoveAll(path.Dir(tmpBasePath))
+	defer os.RemoveAll(tmpBasePath)
 
 	var stderr string
 	if _, stderr, err = process.GetManager().ExecTimeout(5*time.Minute,

models/repo.go

@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"html/template"
 	"io/ioutil"
+	"net/url"
 	"os"
 	"os/exec"
 	"path"
@@ -34,8 +35,8 @@ import (
 	"github.com/Unknwon/com"
 	"github.com/go-xorm/builder"
 	"github.com/go-xorm/xorm"
-	"github.com/mcuadros/go-version"
-	"gopkg.in/ini.v1"
+	version "github.com/mcuadros/go-version"
+	ini "gopkg.in/ini.v1"
 )
 
 var repoWorkingPool = sync.NewExclusivePool()
@@ -718,10 +719,12 @@ var (
 
 // DescriptionHTML does special handles to description and return HTML string.
 func (repo *Repository) DescriptionHTML() template.HTML {
-	sanitize := func(s string) string {
-		return fmt.Sprintf(`<a href="%[1]s" target="_blank" rel="noopener noreferrer">%[1]s</a>`, s)
+	desc, err := markup.RenderDescriptionHTML([]byte(repo.Description), repo.HTMLURL(), repo.ComposeMetas())
+	if err != nil {
+		log.Error(4, "Failed to render description for %s (ID: %d): %v", repo.Name, repo.ID, err)
+		return template.HTML(markup.Sanitize(repo.Description))
 	}
-	return template.HTML(descPattern.ReplaceAllStringFunc(markup.Sanitize(repo.Description), sanitize))
+	return template.HTML(markup.Sanitize(string(desc)))
 }
 
 // LocalCopyPath returns the local repository copy path.
@@ -824,7 +827,7 @@ type CloneLink struct {
 
 // ComposeHTTPSCloneURL returns HTTPS clone URL based on given owner and repository name.
 func ComposeHTTPSCloneURL(owner, repo string) string {
-	return fmt.Sprintf("%s%s/%s.git", setting.AppURL, owner, repo)
+	return fmt.Sprintf("%s%s/%s.git", setting.AppURL, url.QueryEscape(owner), url.QueryEscape(repo))
 }
 
 func (repo *Repository) cloneLink(e Engine, isWiki bool) *CloneLink {
@@ -1063,9 +1066,11 @@ func CleanUpMigrateInfo(repo *Repository) (*Repository, error) {
 		}
 	}
 
-	if err := cleanUpMigrateGitConfig(repo.GitConfigPath()); err != nil {
-		return repo, fmt.Errorf("cleanUpMigrateGitConfig: %v", err)
+	_, err := git.NewCommand("remote", "remove", "origin").RunInDir(repoPath)
+	if err != nil && !strings.HasPrefix(err.Error(), "exit status 128 - fatal: No such remote ") {
+		return repo, fmt.Errorf("CleanUpMigrateInfo: %v", err)
 	}
+
 	if repo.HasWiki() {
 		if err := cleanUpMigrateGitConfig(path.Join(repo.WikiPath(), "config")); err != nil {
 			return repo, fmt.Errorf("cleanUpMigrateGitConfig (wiki): %v", err)
@@ -1345,26 +1350,27 @@ func createRepository(e *xorm.Session, doer, u *User, repo *Repository) (err err
 
 	if err = watchRepo(e, doer.ID, repo.ID, true); err != nil {
 		return fmt.Errorf("watchRepo: %v", err)
-	} else if err = newRepoAction(e, u, repo); err != nil {
+	} else if err = newRepoAction(e, doer, repo); err != nil {
 		return fmt.Errorf("newRepoAction: %v", err)
 	}
 
 	return nil
 }
 
-// CreateRepository creates a repository for the user/organization u.
+// CreateRepository creates a repository for the user/organization.
 func CreateRepository(doer, u *User, opts CreateRepoOptions) (_ *Repository, err error) {
 	if !doer.IsAdmin && !u.CanCreateRepo() {
 		return nil, ErrReachLimitOfRepo{u.MaxRepoCreation}
 	}
 
 	repo := &Repository{
-		OwnerID:     u.ID,
-		Owner:       u,
-		Name:        opts.Name,
-		LowerName:   strings.ToLower(opts.Name),
-		Description: opts.Description,
-		IsPrivate:   opts.IsPrivate,
+		OwnerID:       u.ID,
+		Owner:         u,
+		Name:          opts.Name,
+		LowerName:     strings.ToLower(opts.Name),
+		Description:   opts.Description,
+		IsPrivate:     opts.IsPrivate,
+		IsFsckEnabled: true,
 	}
 
 	sess := x.NewSession()
@@ -1741,6 +1747,17 @@ func DeleteRepository(doer *User, uid, repoID int64) error {
 		return ErrRepoNotExist{repoID, uid, "", ""}
 	}
 
+	// Delete Deploy Keys
+	deployKeys, err := listDeployKeys(sess, repo.ID)
+	if err != nil {
+		return fmt.Errorf("listDeployKeys: %v", err)
+	}
+	for _, dKey := range deployKeys {
+		if err := deleteDeployKey(sess, doer, dKey.ID); err != nil {
+			return fmt.Errorf("deleteDeployKeys: %v", err)
+		}
+	}
+
 	if cnt, err := sess.ID(repoID).Delete(&Repository{}); err != nil {
 		return err
 	} else if cnt != 1 {
@@ -1772,6 +1789,7 @@ func DeleteRepository(doer *User, uid, repoID int64) error {
 		&Webhook{RepoID: repoID},
 		&HookTask{RepoID: repoID},
 		&Notification{RepoID: repoID},
+		&CommitStatus{RepoID: repoID},
 	); err != nil {
 		return fmt.Errorf("deleteBeans: %v", err)
 	}
@@ -1882,6 +1900,12 @@ func DeleteRepository(doer *User, uid, repoID int64) error {
 	}
 
 	if err = sess.Commit(); err != nil {
+		if len(deployKeys) > 0 {
+			// We need to rewrite the public keys because the commit failed
+			if err2 := RewriteAllPublicKeys(); err2 != nil {
+				return fmt.Errorf("Commit: %v SSH Keys: %v", err, err2)
+			}
+		}
 		return fmt.Errorf("Commit: %v", err)
 	}
 

models/repo_branch.go

@@ -70,10 +70,6 @@ func (repo *Repository) CheckBranchName(name string) error {
 		return err
 	}
 
-	if _, err := gitRepo.GetTag(name); err == nil {
-		return ErrTagAlreadyExists{name}
-	}
-
 	branches, err := repo.GetBranches()
 	if err != nil {
 		return err
@@ -87,6 +83,11 @@ func (repo *Repository) CheckBranchName(name string) error {
 			return ErrBranchNameConflict{branch.Name}
 		}
 	}
+
+	if _, err := gitRepo.GetTag(name); err == nil {
+		return ErrTagAlreadyExists{name}
+	}
+
 	return nil
 }
 

models/repo_mirror.go

@@ -20,7 +20,6 @@ import (
 
 	"github.com/Unknwon/com"
 	"github.com/go-xorm/xorm"
-	"gopkg.in/ini.v1"
 )
 
 // MirrorQueue holds an UniqueQueue object of the mirror
@@ -71,11 +70,18 @@ func (m *Mirror) ScheduleNextUpdate() {
 }
 
 func remoteAddress(repoPath string) (string, error) {
-	cfg, err := ini.Load(GitConfigPath(repoPath))
+	cmd := git.NewCommand("remote", "get-url", "origin")
+	result, err := cmd.RunInDir(repoPath)
 	if err != nil {
+		if strings.HasPrefix(err.Error(), "exit status 128 - fatal: No such remote ") {
+			return "", nil
+		}
 		return "", err
 	}
-	return cfg.Section("remote \"origin\"").Key("url").Value(), nil
+	if len(result) > 0 {
+		return result[:len(result)-1], nil
+	}
+	return "", nil
 }
 
 func (m *Mirror) readAddress() {
@@ -115,14 +121,15 @@ func (m *Mirror) FullAddress() string {
 
 // SaveAddress writes new address to Git repository config.
 func (m *Mirror) SaveAddress(addr string) error {
-	configPath := m.Repo.GitConfigPath()
-	cfg, err := ini.Load(configPath)
-	if err != nil {
-		return fmt.Errorf("Load: %v", err)
+	repoPath := m.Repo.RepoPath()
+	// Remove old origin
+	_, err := git.NewCommand("remote", "remove", "origin").RunInDir(repoPath)
+	if err != nil && !strings.HasPrefix(err.Error(), "exit status 128 - fatal: No such remote ") {
+		return err
 	}
 
-	cfg.Section("remote \"origin\"").Key("url").SetValue(addr)
-	return cfg.SaveToIndent(configPath, "\t")
+	_, err = git.NewCommand("remote", "add", "origin", addr).RunInDir(repoPath)
+	return err
 }
 
 // gitShortEmptySha Git short empty SHA

models/repo_permission.go

@@ -151,6 +151,15 @@ func getUserRepoPermission(e Engine, repo *Repository, user *User) (perm Permiss
 		return
 	}
 
+	// if user in an owner team
+	for _, team := range teams {
+		if team.Authorize >= AccessModeOwner {
+			perm.AccessMode = AccessModeOwner
+			perm.UnitsMode = nil
+			return
+		}
+	}
+
 	for _, u := range repo.Units {
 		var found bool
 		for _, team := range teams {
@@ -229,7 +238,7 @@ func accessLevelUnit(e Engine, user *User, repo *Repository, unitType UnitType)
 	if err != nil {
 		return AccessModeNone, err
 	}
-	return perm.UnitAccessMode(UnitTypeCode), nil
+	return perm.UnitAccessMode(unitType), nil
 }
 
 func hasAccessUnit(e Engine, user *User, repo *Repository, unitType UnitType, testMode AccessMode) (bool, error) {

models/repo_permission_test.go

@@ -219,6 +219,17 @@ func TestRepoPermissionPrivateOrgRepo(t *testing.T) {
 		assert.True(t, perm.CanWrite(unit.Type))
 	}
 
+	// update team information and then check permission
+	team := AssertExistsAndLoadBean(t, &Team{ID: 5}).(*Team)
+	err = UpdateTeamUnits(team, nil)
+	assert.NoError(t, err)
+	perm, err = GetUserRepoPermission(repo, owner)
+	assert.NoError(t, err)
+	for _, unit := range repo.Units {
+		assert.True(t, perm.CanRead(unit.Type))
+		assert.True(t, perm.CanWrite(unit.Type))
+	}
+
 	// org member team tester
 	tester := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)
 	perm, err = GetUserRepoPermission(repo, tester)

models/repo_watch.go

@@ -113,15 +113,15 @@ func notifyWatchers(e Engine, act *Action) error {
 
 		switch act.OpType {
 		case ActionCommitRepo, ActionPushTag, ActionDeleteTag, ActionDeleteBranch:
-			if !act.Repo.CheckUnitUser(act.UserID, false, UnitTypeCode) {
+			if !act.Repo.checkUnitUser(e, act.UserID, false, UnitTypeCode) {
 				continue
 			}
 		case ActionCreateIssue, ActionCommentIssue, ActionCloseIssue, ActionReopenIssue:
-			if !act.Repo.CheckUnitUser(act.UserID, false, UnitTypeIssues) {
+			if !act.Repo.checkUnitUser(e, act.UserID, false, UnitTypeIssues) {
 				continue
 			}
 		case ActionCreatePullRequest, ActionMergePullRequest, ActionClosePullRequest, ActionReopenPullRequest:
-			if !act.Repo.CheckUnitUser(act.UserID, false, UnitTypePullRequests) {
+			if !act.Repo.checkUnitUser(e, act.UserID, false, UnitTypePullRequests) {
 				continue
 			}
 		}

models/ssh_key.go

@@ -51,7 +51,7 @@ type PublicKey struct {
 	ID            int64      `xorm:"pk autoincr"`
 	OwnerID       int64      `xorm:"INDEX NOT NULL"`
 	Name          string     `xorm:"NOT NULL"`
-	Fingerprint   string     `xorm:"NOT NULL"`
+	Fingerprint   string     `xorm:"INDEX NOT NULL"`
 	Content       string     `xorm:"TEXT NOT NULL"`
 	Mode          AccessMode `xorm:"NOT NULL DEFAULT 2"`
 	Type          KeyType    `xorm:"NOT NULL DEFAULT 1"`
@@ -350,7 +350,6 @@ func appendAuthorizedKeysToFile(keys ...*PublicKey) error {
 func checkKeyFingerprint(e Engine, fingerprint string) error {
 	has, err := e.Get(&PublicKey{
 		Fingerprint: fingerprint,
-		Type:        KeyTypeUser,
 	})
 	if err != nil {
 		return err
@@ -401,12 +400,18 @@ func AddPublicKey(ownerID int64, name, content string, LoginSourceID int64) (*Pu
 		return nil, err
 	}
 
-	if err := checkKeyFingerprint(x, fingerprint); err != nil {
+	sess := x.NewSession()
+	defer sess.Close()
+	if err = sess.Begin(); err != nil {
+		return nil, err
+	}
+
+	if err := checkKeyFingerprint(sess, fingerprint); err != nil {
 		return nil, err
 	}
 
 	// Key name of same user cannot be duplicated.
-	has, err := x.
+	has, err := sess.
 		Where("owner_id = ? AND name = ?", ownerID, name).
 		Get(new(PublicKey))
 	if err != nil {
@@ -415,12 +420,6 @@ func AddPublicKey(ownerID int64, name, content string, LoginSourceID int64) (*Pu
 		return nil, ErrKeyNameAlreadyUsed{ownerID, name}
 	}
 
-	sess := x.NewSession()
-	defer sess.Close()
-	if err = sess.Begin(); err != nil {
-		return nil, err
-	}
-
 	key := &PublicKey{
 		OwnerID:       ownerID,
 		Name:          name,
@@ -519,7 +518,7 @@ func UpdatePublicKeyUpdated(id int64) error {
 }
 
 // deletePublicKeys does the actual key deletion but does not update authorized_keys file.
-func deletePublicKeys(e *xorm.Session, keyIDs ...int64) error {
+func deletePublicKeys(e Engine, keyIDs ...int64) error {
 	if len(keyIDs) == 0 {
 		return nil
 	}
@@ -728,24 +727,28 @@ func AddDeployKey(repoID int64, name, content string, readOnly bool) (*DeployKey
 		accessMode = AccessModeWrite
 	}
 
-	pkey := &PublicKey{
-		Fingerprint: fingerprint,
-		Mode:        accessMode,
-		Type:        KeyTypeDeploy,
-	}
-	has, err := x.Get(pkey)
-	if err != nil {
-		return nil, err
-	}
-
 	sess := x.NewSession()
 	defer sess.Close()
 	if err = sess.Begin(); err != nil {
 		return nil, err
 	}
 
-	// First time use this deploy key.
-	if !has {
+	pkey := &PublicKey{
+		Fingerprint: fingerprint,
+	}
+	has, err := sess.Get(pkey)
+	if err != nil {
+		return nil, err
+	}
+
+	if has {
+		if pkey.Type != KeyTypeDeploy {
+			return nil, ErrKeyAlreadyExist{0, fingerprint, ""}
+		}
+	} else {
+		// First time use this deploy key.
+		pkey.Mode = accessMode
+		pkey.Type = KeyTypeDeploy
 		pkey.Content = content
 		pkey.Name = name
 		if err = addKey(sess, pkey); err != nil {
@@ -763,8 +766,12 @@ func AddDeployKey(repoID int64, name, content string, readOnly bool) (*DeployKey
 
 // GetDeployKeyByID returns deploy key by given ID.
 func GetDeployKeyByID(id int64) (*DeployKey, error) {
+	return getDeployKeyByID(x, id)
+}
+
+func getDeployKeyByID(e Engine, id int64) (*DeployKey, error) {
 	key := new(DeployKey)
-	has, err := x.ID(id).Get(key)
+	has, err := e.ID(id).Get(key)
 	if err != nil {
 		return nil, err
 	} else if !has {
@@ -775,11 +782,15 @@ func GetDeployKeyByID(id int64) (*DeployKey, error) {
 
 // GetDeployKeyByRepo returns deploy key by given public key ID and repository ID.
 func GetDeployKeyByRepo(keyID, repoID int64) (*DeployKey, error) {
+	return getDeployKeyByRepo(x, keyID, repoID)
+}
+
+func getDeployKeyByRepo(e Engine, keyID, repoID int64) (*DeployKey, error) {
 	key := &DeployKey{
 		KeyID:  keyID,
 		RepoID: repoID,
 	}
-	has, err := x.Get(key)
+	has, err := e.Get(key)
 	if err != nil {
 		return nil, err
 	} else if !has {
@@ -802,7 +813,19 @@ func UpdateDeployKey(key *DeployKey) error {
 
 // DeleteDeployKey deletes deploy key from its repository authorized_keys file if needed.
 func DeleteDeployKey(doer *User, id int64) error {
-	key, err := GetDeployKeyByID(id)
+	sess := x.NewSession()
+	defer sess.Close()
+	if err := sess.Begin(); err != nil {
+		return err
+	}
+	if err := deleteDeployKey(sess, doer, id); err != nil {
+		return err
+	}
+	return sess.Commit()
+}
+
+func deleteDeployKey(sess Engine, doer *User, id int64) error {
+	key, err := getDeployKeyByID(sess, id)
 	if err != nil {
 		if IsErrDeployKeyNotExist(err) {
 			return nil
@@ -812,11 +835,11 @@ func DeleteDeployKey(doer *User, id int64) error {
 
 	// Check if user has access to delete this key.
 	if !doer.IsAdmin {
-		repo, err := GetRepositoryByID(key.RepoID)
+		repo, err := getRepositoryByID(sess, key.RepoID)
 		if err != nil {
 			return fmt.Errorf("GetRepositoryByID: %v", err)
 		}
-		has, err := IsUserRepoAdmin(repo, doer)
+		has, err := isUserRepoAdmin(sess, repo, doer)
 		if err != nil {
 			return fmt.Errorf("GetUserRepoPermission: %v", err)
 		} else if !has {
@@ -824,12 +847,6 @@ func DeleteDeployKey(doer *User, id int64) error {
 		}
 	}
 
-	sess := x.NewSession()
-	defer sess.Close()
-	if err = sess.Begin(); err != nil {
-		return err
-	}
-
 	if _, err = sess.ID(key.ID).Delete(new(DeployKey)); err != nil {
 		return fmt.Errorf("delete deploy key [%d]: %v", key.ID, err)
 	}
@@ -844,15 +861,24 @@ func DeleteDeployKey(doer *User, id int64) error {
 		if err = deletePublicKeys(sess, key.KeyID); err != nil {
 			return err
 		}
+
+		// after deleted the public keys, should rewrite the public keys file
+		if err = rewriteAllPublicKeys(sess); err != nil {
+			return err
+		}
 	}
 
-	return sess.Commit()
+	return nil
 }
 
 // ListDeployKeys returns all deploy keys by given repository ID.
 func ListDeployKeys(repoID int64) ([]*DeployKey, error) {
+	return listDeployKeys(x, repoID)
+}
+
+func listDeployKeys(e Engine, repoID int64) ([]*DeployKey, error) {
 	keys := make([]*DeployKey, 0, 5)
-	return keys, x.
+	return keys, e.
 		Where("repo_id = ?", repoID).
 		Find(&keys)
 }

models/user.go

@@ -1461,9 +1461,12 @@ func synchronizeLdapSSHPublicKeys(usr *User, s *LoginSource, SSHPublicKeys []str
 	// Get Public Keys from LDAP and skip duplicate keys
 	var ldapKeys []string
 	for _, v := range SSHPublicKeys {
-		ldapKey := strings.Join(strings.Split(v, " ")[:2], " ")
-		if !util.ExistsInSlice(ldapKey, ldapKeys) {
-			ldapKeys = append(ldapKeys, ldapKey)
+		sshKeySplit := strings.Split(v, " ")
+		if len(sshKeySplit) > 1 {
+			ldapKey := strings.Join(sshKeySplit[:2], " ")
+			if !util.ExistsInSlice(ldapKey, ldapKeys) {
+				ldapKeys = append(ldapKeys, ldapKey)
+			}
 		}
 	}
 

models/user_heatmap.go

@@ -32,12 +32,22 @@ func GetUserHeatmapDataByUser(user *User) ([]*UserHeatmapData, error) {
 		groupByName = groupBy
 	}
 
-	err := x.Select(groupBy+" AS timestamp, count(user_id) as contributions").
+	sess := x.Select(groupBy+" AS timestamp, count(user_id) as contributions").
 		Table("action").
 		Where("user_id = ?", user.ID).
-		And("created_unix > ?", (util.TimeStampNow() - 31536000)).
-		GroupBy(groupByName).
+		And("created_unix > ?", (util.TimeStampNow() - 31536000))
+
+	// * Heatmaps for individual users only include actions that the user themself
+	//   did.
+	// * For organizations actions by all users that were made in owned
+	//   repositories are counted.
+	if user.Type == UserTypeIndividual {
+		sess = sess.And("act_user_id = ?", user.ID)
+	}
+
+	err := sess.GroupBy(groupByName).
 		OrderBy("timestamp").
 		Find(&hdata)
+
 	return hdata, err
 }

models/webhook_dingtalk.go

@@ -230,12 +230,13 @@ func getDingtalkPullRequestPayload(p *api.PullRequestPayload) (*DingtalkPayload,
 		title = fmt.Sprintf("[%s] Pull request edited: #%d %s", p.Repository.FullName, p.Index, p.PullRequest.Title)
 		text = p.PullRequest.Body
 	case api.HookIssueAssigned:
-		list, err := MakeAssigneeList(&Issue{ID: p.PullRequest.ID})
-		if err != nil {
-			return &DingtalkPayload{}, err
+		list := make([]string, len(p.PullRequest.Assignees))
+		for i, user := range p.PullRequest.Assignees {
+			list[i] = user.UserName
 		}
 		title = fmt.Sprintf("[%s] Pull request assigned to %s: #%d %s", p.Repository.FullName,
-			list, p.Index, p.PullRequest.Title)
+			strings.Join(list, ", "),
+			p.Index, p.PullRequest.Title)
 		text = p.PullRequest.Body
 	case api.HookIssueUnassigned:
 		title = fmt.Sprintf("[%s] Pull request unassigned: #%d %s", p.Repository.FullName, p.Index, p.PullRequest.Title)

models/webhook_discord.go

@@ -347,12 +347,13 @@ func getDiscordPullRequestPayload(p *api.PullRequestPayload, meta *DiscordMeta)
 		text = p.PullRequest.Body
 		color = warnColor
 	case api.HookIssueAssigned:
-		list, err := MakeAssigneeList(&Issue{ID: p.PullRequest.ID})
-		if err != nil {
-			return &DiscordPayload{}, err
+		list := make([]string, len(p.PullRequest.Assignees))
+		for i, user := range p.PullRequest.Assignees {
+			list[i] = user.UserName
 		}
-		title = fmt.Sprintf("[%s] Pull request assigned to %s: #%d %s", p.Repository.FullName,
-			list, p.Index, p.PullRequest.Title)
+		title = fmt.Sprintf("[%s] Pull request assigned to %s: #%d by %s", p.Repository.FullName,
+			strings.Join(list, ", "),
+			p.Index, p.PullRequest.Title)
 		text = p.PullRequest.Body
 		color = successColor
 	case api.HookIssueUnassigned:

models/webhook_slack.go

@@ -160,6 +160,10 @@ func getSlackIssuesPayload(p *api.IssuePayload, slack *SlackMeta) (*SlackPayload
 		text = fmt.Sprintf("[%s] Issue labels cleared: %s by %s", p.Repository.FullName, titleLink, senderLink)
 	case api.HookIssueSynchronized:
 		text = fmt.Sprintf("[%s] Issue synchronized: %s by %s", p.Repository.FullName, titleLink, senderLink)
+	case api.HookIssueMilestoned:
+		text = fmt.Sprintf("[%s] Issue milestoned: #%s %s", p.Repository.FullName, titleLink, senderLink)
+	case api.HookIssueDemilestoned:
+		text = fmt.Sprintf("[%s] Issue milestone cleared: #%s %s", p.Repository.FullName, titleLink, senderLink)
 	}
 
 	return &SlackPayload{
@@ -297,12 +301,12 @@ func getSlackPullRequestPayload(p *api.PullRequestPayload, slack *SlackMeta) (*S
 		text = fmt.Sprintf("[%s] Pull request edited: %s by %s", p.Repository.FullName, titleLink, senderLink)
 		attachmentText = SlackTextFormatter(p.PullRequest.Body)
 	case api.HookIssueAssigned:
-		list, err := MakeAssigneeList(&Issue{ID: p.PullRequest.ID})
-		if err != nil {
-			return &SlackPayload{}, err
+		list := make([]string, len(p.PullRequest.Assignees))
+		for i, user := range p.PullRequest.Assignees {
+			list[i] = SlackLinkFormatter(setting.AppURL+user.UserName, user.UserName)
 		}
 		text = fmt.Sprintf("[%s] Pull request assigned to %s: %s by %s", p.Repository.FullName,
-			SlackLinkFormatter(setting.AppURL+list, list),
+			strings.Join(list, ", "),
 			titleLink, senderLink)
 	case api.HookIssueUnassigned:
 		text = fmt.Sprintf("[%s] Pull request unassigned: %s by %s", p.Repository.FullName, titleLink, senderLink)
@@ -312,6 +316,10 @@ func getSlackPullRequestPayload(p *api.PullRequestPayload, slack *SlackMeta) (*S
 		text = fmt.Sprintf("[%s] Pull request labels cleared: %s by %s", p.Repository.FullName, titleLink, senderLink)
 	case api.HookIssueSynchronized:
 		text = fmt.Sprintf("[%s] Pull request synchronized: %s by %s", p.Repository.FullName, titleLink, senderLink)
+	case api.HookIssueMilestoned:
+		text = fmt.Sprintf("[%s] Pull request milestoned: #%s %s", p.Repository.FullName, titleLink, senderLink)
+	case api.HookIssueDemilestoned:
+		text = fmt.Sprintf("[%s] Pull request milestone cleared: #%s %s", p.Repository.FullName, titleLink, senderLink)
 	}
 
 	return &SlackPayload{

modules/auth/auth.go

@@ -135,15 +135,56 @@ func SignedInUser(ctx *macaron.Context, sess session.Store) (*models.User, bool)
 	if len(baHead) > 0 {
 		auths := strings.Fields(baHead)
 		if len(auths) == 2 && auths[0] == "Basic" {
+			var u *models.User
+
 			uname, passwd, _ := base.BasicAuthDecode(auths[1])
 
-			u, err := models.UserSignIn(uname, passwd)
-			if err != nil {
-				if !models.IsErrUserNotExist(err) {
-					log.Error(4, "UserSignIn: %v", err)
-				}
-				return nil, false
+			// Check if username or password is a token
+			isUsernameToken := len(passwd) == 0 || passwd == "x-oauth-basic"
+			// Assume username is token
+			authToken := uname
+			if !isUsernameToken {
+				// Assume password is token
+				authToken = passwd
 			}
+			token, err := models.GetAccessTokenBySHA(authToken)
+			if err == nil {
+				if isUsernameToken {
+					u, err = models.GetUserByID(token.UID)
+					if err != nil {
+						log.Error(4, "GetUserByID:  %v", err)
+						return nil, false
+					}
+				} else {
+					u, err = models.GetUserByName(uname)
+					if err != nil {
+						log.Error(4, "GetUserByID:  %v", err)
+						return nil, false
+					}
+					if u.ID != token.UID {
+						return nil, false
+					}
+				}
+				token.UpdatedUnix = util.TimeStampNow()
+				if err = models.UpdateAccessToken(token); err != nil {
+					log.Error(4, "UpdateAccessToken:  %v", err)
+				}
+			} else {
+				if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {
+					log.Error(4, "GetAccessTokenBySha: %v", err)
+				}
+			}
+
+			if u == nil {
+				u, err = models.UserSignIn(uname, passwd)
+				if err != nil {
+					if !models.IsErrUserNotExist(err) {
+						log.Error(4, "UserSignIn: %v", err)
+					}
+					return nil, false
+				}
+			}
+
 			ctx.Data["IsApiToken"] = true
 			return u, true
 		}

modules/auth/ldap/ldap.go

@@ -11,9 +11,9 @@ import (
 	"fmt"
 	"strings"
 
-	"gopkg.in/ldap.v2"
-
 	"code.gitea.io/gitea/modules/log"
+
+	ldap "gopkg.in/ldap.v3"
 )
 
 // SecurityProtocol protocol type
@@ -247,11 +247,17 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
 		return nil
 	}
 
+	var isAttributeSSHPublicKeySet = len(strings.TrimSpace(ls.AttributeSSHPublicKey)) > 0
+
+	attribs := []string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail}
+	if isAttributeSSHPublicKeySet {
+		attribs = append(attribs, ls.AttributeSSHPublicKey)
+	}
+
 	log.Trace("Fetching attributes '%v', '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, ls.AttributeSSHPublicKey, userFilter, userDN)
 	search := ldap.NewSearchRequest(
 		userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,
-		[]string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, ls.AttributeSSHPublicKey},
-		nil)
+		attribs, nil)
 
 	sr, err := l.Search(search)
 	if err != nil {
@@ -267,11 +273,15 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
 		return nil
 	}
 
+	var sshPublicKey []string
+
 	username := sr.Entries[0].GetAttributeValue(ls.AttributeUsername)
 	firstname := sr.Entries[0].GetAttributeValue(ls.AttributeName)
 	surname := sr.Entries[0].GetAttributeValue(ls.AttributeSurname)
 	mail := sr.Entries[0].GetAttributeValue(ls.AttributeMail)
-	sshPublicKey := sr.Entries[0].GetAttributeValues(ls.AttributeSSHPublicKey)
+	if isAttributeSSHPublicKeySet {
+		sshPublicKey = sr.Entries[0].GetAttributeValues(ls.AttributeSSHPublicKey)
+	}
 	isAdmin := checkAdmin(l, ls, userDN)
 
 	if !directBind && ls.AttributesInBind {
@@ -320,11 +330,17 @@ func (ls *Source) SearchEntries() []*SearchResult {
 
 	userFilter := fmt.Sprintf(ls.Filter, "*")
 
+	var isAttributeSSHPublicKeySet = len(strings.TrimSpace(ls.AttributeSSHPublicKey)) > 0
+
+	attribs := []string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail}
+	if isAttributeSSHPublicKeySet {
+		attribs = append(attribs, ls.AttributeSSHPublicKey)
+	}
+
 	log.Trace("Fetching attributes '%v', '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, ls.AttributeSSHPublicKey, userFilter, ls.UserBase)
 	search := ldap.NewSearchRequest(
 		ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,
-		[]string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, ls.AttributeSSHPublicKey},
-		nil)
+		attribs, nil)
 
 	var sr *ldap.SearchResult
 	if ls.UsePagedSearch() {
@@ -341,12 +357,14 @@ func (ls *Source) SearchEntries() []*SearchResult {
 
 	for i, v := range sr.Entries {
 		result[i] = &SearchResult{
-			Username:     v.GetAttributeValue(ls.AttributeUsername),
-			Name:         v.GetAttributeValue(ls.AttributeName),
-			Surname:      v.GetAttributeValue(ls.AttributeSurname),
-			Mail:         v.GetAttributeValue(ls.AttributeMail),
-			SSHPublicKey: v.GetAttributeValues(ls.AttributeSSHPublicKey),
-			IsAdmin:      checkAdmin(l, ls, v.DN),
+			Username: v.GetAttributeValue(ls.AttributeUsername),
+			Name:     v.GetAttributeValue(ls.AttributeName),
+			Surname:  v.GetAttributeValue(ls.AttributeSurname),
+			Mail:     v.GetAttributeValue(ls.AttributeMail),
+			IsAdmin:  checkAdmin(l, ls, v.DN),
+		}
+		if isAttributeSSHPublicKeySet {
+			result[i].SSHPublicKey = v.GetAttributeValues(ls.AttributeSSHPublicKey)
 		}
 	}
 

modules/context/auth.go

@@ -8,6 +8,7 @@ import (
 	"net/url"
 
 	"code.gitea.io/gitea/modules/auth"
+	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"github.com/go-macaron/csrf"
 	macaron "gopkg.in/macaron.v1"
@@ -32,28 +33,28 @@ func Toggle(options *ToggleOptions) macaron.Handler {
 
 		// Check prohibit login users.
 		if ctx.IsSigned {
-
-			if ctx.User.ProhibitLogin {
+			if !ctx.User.IsActive && setting.Service.RegisterEmailConfirm {
+				ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
+				ctx.HTML(200, "user/auth/activate")
+				return
+			} else if !ctx.User.IsActive || ctx.User.ProhibitLogin {
+				log.Info("Failed authentication attempt for %s from %s", ctx.User.Name, ctx.RemoteAddr())
 				ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
 				ctx.HTML(200, "user/auth/prohibit_login")
 				return
 			}
 
-			// prevent infinite redirection
-			// also make sure that the form cannot be accessed by
-			// users who don't need this
-			if ctx.Req.URL.Path == setting.AppSubURL+"/user/settings/change_password" {
-				if !ctx.User.MustChangePassword {
-					ctx.Redirect(setting.AppSubURL + "/")
-				}
-				return
-			}
-
 			if ctx.User.MustChangePassword {
-				ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
-				ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
-				ctx.SetCookie("redirect_to", url.QueryEscape(setting.AppSubURL+ctx.Req.RequestURI), 0, setting.AppSubURL)
-				ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
+				if ctx.Req.URL.Path != "/user/settings/change_password" {
+					ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
+					ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
+					ctx.SetCookie("redirect_to", url.QueryEscape(setting.AppSubURL+ctx.Req.RequestURI), 0, setting.AppSubURL)
+					ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
+					return
+				}
+			} else if ctx.Req.URL.Path == "/user/settings/change_password" {
+				// make sure that the form cannot be accessed by users who don't need this
+				ctx.Redirect(setting.AppSubURL + "/")
 				return
 			}
 		}

modules/context/context.go

@@ -209,7 +209,7 @@ func Contexter() macaron.Handler {
 			if err == nil && len(repo.DefaultBranch) > 0 {
 				branchName = repo.DefaultBranch
 			}
-			prefix := setting.AppURL + path.Join(ownerName, repoName, "src", "branch", branchName)
+			prefix := setting.AppURL + path.Join(url.QueryEscape(ownerName), url.QueryEscape(repoName), "src", "branch", branchName)
 			c.Header().Set("Content-Type", "text/html")
 			c.WriteHeader(http.StatusOK)
 			c.Write([]byte(com.Expand(`<!doctype html>

modules/context/repo.go

@@ -8,6 +8,7 @@ package context
 import (
 	"fmt"
 	"io/ioutil"
+	"net/url"
 	"path"
 	"strings"
 
@@ -162,7 +163,7 @@ func RetrieveBaseRepo(ctx *Context, repo *models.Repository) {
 
 // ComposeGoGetImport returns go-get-import meta content.
 func ComposeGoGetImport(owner, repo string) string {
-	return path.Join(setting.Domain, setting.AppSubURL, owner, repo)
+	return path.Join(setting.Domain, setting.AppSubURL, url.QueryEscape(owner), url.QueryEscape(repo))
 }
 
 // EarlyResponseForGoGetMeta responses appropriate go-get meta with status 200

modules/lfs/server.go

@@ -497,12 +497,15 @@ func authenticate(ctx *context.Context, repository *models.Repository, authoriza
 		accessMode = models.AccessModeWrite
 	}
 
+	// ctx.IsSigned is unnecessary here, this will be checked in perm.CanAccess
 	perm, err := models.GetUserRepoPermission(repository, ctx.User)
 	if err != nil {
 		return false
 	}
-	if ctx.IsSigned {
-		return perm.CanAccess(accessMode, models.UnitTypeCode)
+
+	canRead := perm.CanAccess(accessMode, models.UnitTypeCode)
+	if canRead {
+		return true
 	}
 
 	user, repo, opStr, err := parseToken(authorization)
@@ -582,7 +585,7 @@ func parseToken(authorization string) (*models.User, *models.Repository, string,
 		if err != nil {
 			return nil, nil, "basic", err
 		}
-		if !u.ValidatePassword(password) {
+		if !u.IsPasswordSet() || !u.ValidatePassword(password) {
 			return nil, nil, "basic", fmt.Errorf("Basic auth failed")
 		}
 		return u, nil, "basic", nil

modules/markup/html.go

@@ -234,6 +234,23 @@ func RenderCommitMessage(
 	return ctx.postProcess(rawHTML)
 }
 
+// RenderDescriptionHTML will use similar logic as PostProcess, but will
+// use a single special linkProcessor.
+func RenderDescriptionHTML(
+	rawHTML []byte,
+	urlPrefix string,
+	metas map[string]string,
+) ([]byte, error) {
+	ctx := &postProcessCtx{
+		metas:     metas,
+		urlPrefix: urlPrefix,
+		procs: []processor{
+			descriptionLinkProcessor,
+		},
+	}
+	return ctx.postProcess(rawHTML)
+}
+
 var byteBodyTag = []byte("<body>")
 var byteBodyTagClosing = []byte("</body>")
 
@@ -668,3 +685,34 @@ func genDefaultLinkProcessor(defaultLink string) processor {
 		node.FirstChild, node.LastChild = ch, ch
 	}
 }
+
+// descriptionLinkProcessor creates links for DescriptionHTML
+func descriptionLinkProcessor(ctx *postProcessCtx, node *html.Node) {
+	m := linkRegex.FindStringIndex(node.Data)
+	if m == nil {
+		return
+	}
+	uri := node.Data[m[0]:m[1]]
+	replaceContent(node, m[0], m[1], createDescriptionLink(uri, uri))
+}
+
+func createDescriptionLink(href, content string) *html.Node {
+	textNode := &html.Node{
+		Type: html.TextNode,
+		Data: content,
+	}
+	linkNode := &html.Node{
+		FirstChild: textNode,
+		LastChild:  textNode,
+		Type:       html.ElementNode,
+		Data:       "a",
+		DataAtom:   atom.A,
+		Attr: []html.Attribute{
+			{Key: "href", Val: href},
+			{Key: "target", Val: "_blank"},
+			{Key: "rel", Val: "noopener noreferrer"},
+		},
+	}
+	textNode.Parent = linkNode
+	return linkNode
+}

modules/markup/orgmode/orgmode.go

@@ -5,6 +5,7 @@
 package markup
 
 import (
+	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/markup"
 	"code.gitea.io/gitea/modules/markup/markdown"
 
@@ -31,7 +32,13 @@ func (Parser) Extensions() []string {
 }
 
 // Render renders orgmode rawbytes to HTML
-func Render(rawBytes []byte, urlPrefix string, metas map[string]string, isWiki bool) []byte {
+func Render(rawBytes []byte, urlPrefix string, metas map[string]string, isWiki bool) (result []byte) {
+	defer func() {
+		if err := recover(); err != nil {
+			log.Error(4, "Panic in orgmode.Render: %v Just returning the rawBytes", err)
+			result = rawBytes
+		}
+	}()
 	htmlFlags := blackfriday.HTML_USE_XHTML
 	htmlFlags |= blackfriday.HTML_SKIP_STYLE
 	htmlFlags |= blackfriday.HTML_OMIT_CONTENTS
@@ -40,9 +47,8 @@ func Render(rawBytes []byte, urlPrefix string, metas map[string]string, isWiki b
 		URLPrefix: urlPrefix,
 		IsWiki:    isWiki,
 	}
-
-	result := goorgeous.Org(rawBytes, renderer)
-	return result
+	result = goorgeous.Org(rawBytes, renderer)
+	return
 }
 
 // RenderString reners orgmode string to HTML string

modules/private/internal.go

@@ -39,6 +39,7 @@ func decodeJSONError(resp *http.Response) *Response {
 func newInternalRequest(url, method string) *httplib.Request {
 	req := newRequest(url, method).SetTLSClientConfig(&tls.Config{
 		InsecureSkipVerify: true,
+		ServerName:         setting.Domain,
 	})
 	if setting.Protocol == setting.UnixSocket {
 		req.SetTransport(&http.Transport{

modules/private/key.go

@@ -32,6 +32,31 @@ func UpdateDeployKeyUpdated(keyID int64, repoID int64) error {
 	return nil
 }
 
+// GetDeployKey check if repo has deploy key
+func GetDeployKey(keyID, repoID int64) (*models.DeployKey, error) {
+	reqURL := setting.LocalURL + fmt.Sprintf("api/internal/repositories/%d/keys/%d", repoID, keyID)
+	log.GitLogger.Trace("GetDeployKey: %s", reqURL)
+
+	resp, err := newInternalRequest(reqURL, "GET").Response()
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	switch resp.StatusCode {
+	case 404:
+		return nil, nil
+	case 200:
+		var dKey models.DeployKey
+		if err := json.NewDecoder(resp.Body).Decode(&dKey); err != nil {
+			return nil, err
+		}
+		return &dKey, nil
+	default:
+		return nil, fmt.Errorf("Failed to get deploy key: %s", decodeJSONError(resp).Err)
+	}
+}
+
 // HasDeployKey check if repo has deploy key
 func HasDeployKey(keyID, repoID int64) (bool, error) {
 	reqURL := setting.LocalURL + fmt.Sprintf("api/internal/repositories/%d/has-keys/%d", repoID, keyID)

modules/public/public.go

@@ -117,7 +117,7 @@ func (opts *Options) handle(ctx *macaron.Context, log *log.Logger, opt *Options)
 	if fi.IsDir() {
 		// Redirect if missing trailing slash.
 		if !strings.HasSuffix(ctx.Req.URL.Path, "/") {
-			http.Redirect(ctx.Resp, ctx.Req.Request, ctx.Req.URL.Path+"/", http.StatusFound)
+			http.Redirect(ctx.Resp, ctx.Req.Request, path.Clean(ctx.Req.URL.Path+"/"), http.StatusFound)
 			return true
 		}
 

modules/util/util.go

@@ -98,3 +98,8 @@ func Min(a, b int) int {
 	}
 	return a
 }
+
+// IsEmptyString checks if the provided string is empty
+func IsEmptyString(s string) bool {
+	return len(strings.TrimSpace(s)) == 0
+}

modules/util/util_test.go

@@ -77,3 +77,20 @@ func TestIsExternalURL(t *testing.T) {
 		assert.Equal(t, test.Expected, IsExternalURL(test.RawURL))
 	}
 }
+
+func TestIsEmptyString(t *testing.T) {
+
+	cases := []struct {
+		s        string
+		expected bool
+	}{
+		{"", true},
+		{" ", true},
+		{"   ", true},
+		{"  a", false},
+	}
+
+	for _, v := range cases {
+		assert.Equal(t, v.expected, IsEmptyString(v.s))
+	}
+}

options/locale/locale_en-US.ini

@@ -413,7 +413,7 @@ ssh_helper = <strong>Need help?</strong> Have a look at GitHub's guide to <a hre
 gpg_helper = <strong>Need help?</strong> Have a look at GitHub's guide <a href="%s">about GPG</a>.
 add_new_key = Add SSH Key
 add_new_gpg_key = Add GPG Key
-ssh_key_been_used = This SSH key is already added to your account.
+ssh_key_been_used = This SSH key has already been added to the server.
 ssh_key_name_used = An SSH key with same name is already added to your account.
 gpg_key_id_used = A public GPG key with same ID already exists.
 gpg_no_key_email_found = This GPG key is not usable with any email address associated with your account.
@@ -528,7 +528,9 @@ mirror_prune_desc = Remove obsolete remote-tracking references
 mirror_interval = Mirror Interval (valid time units are 'h', 'm', 's'). 0 to disable automatic sync.
 mirror_interval_invalid = The mirror interval is not valid.
 mirror_address = Clone From URL
-mirror_address_desc = Include any required authorization credentials in the URL.
+mirror_address_desc = Include any required authorization credentials in the URL. These must be url escaped as appropriate
+mirror_address_url_invalid = The provided url is invalid. You must escape all components of the url correctly.
+mirror_address_protocol_invalid = The provided url is invalid. Only http(s):// or git:// locations can be mirrored from.
 mirror_last_synced = Last Synchronized
 watchers = Watchers
 stargazers = Stargazers
@@ -655,6 +657,7 @@ ext_issues.desc = Link to an external issue tracker.
 
 issues.desc = Organize bug reports, tasks and milestones.
 issues.new = New Issue
+issues.new.title_empty = Title cannot be empty
 issues.new.labels = Labels
 issues.new.no_label = No Label
 issues.new.clear_labels = Clear labels

options/locale/locale_lv-LV.ini

@@ -859,6 +859,7 @@ pulls.title_wip_desc=`<a href="#">Sāciet virsrakstu ar <strong>%s</strong></a>,
 pulls.cannot_merge_work_in_progress=Šis izmaiņu pieprasījums ir atzīmēts, ka pie tā vēl notiek izstrāde. Noņemiet <strong>%s</strong> no virsraksta sākuma, kad tas ir pabeigts.
 pulls.data_broken=Izmaiņu pieprasījums ir bojāts, jo dzēsta informācija no atdalītā repozitorija.
 pulls.is_checking=Notiek konfliktu pārbaude, mirkli uzgaidiet un atjaunojiet lapu.
+pulls.blocked_by_approvals=Šim izmaiņu pieprasījumam nav nepieciešamais apstiprinājumu daudzums. %d no %d apstiprinājumi piešķirti.
 pulls.can_auto_merge_desc=Šo izmaiņu pieprasījumu var automātiski sapludināt.
 pulls.cannot_auto_merge_desc=Šis izmaiņu pieprasījums nevar tikt automātiski sapludināts konfliktu dēļ.
 pulls.cannot_auto_merge_helper=Sapludiniet manuāli, lai atrisinātu konfliktus.
@@ -867,6 +868,7 @@ pulls.no_merge_helper=Lai sapludinātu šo izmaiņu pieprasījumu, iespējojiet
 pulls.no_merge_wip=Šo izmaiņu pieprasījumu nav iespējams sapludināt, jo tas ir atzīmēts, ka darbs pie tā vēl nav pabeigts.
 pulls.merge_pull_request=Izmaiņu pieprasījuma sapludināšana
 pulls.rebase_merge_pull_request=Pārbāzēt un sapludināt
+pulls.rebase_merge_commit_pull_request=Pārbāzēt un sapludināt (--no-ff)
 pulls.squash_merge_pull_request=Saspiest un sapludināt
 pulls.invalid_merge_option=Nav iespējams izmantot šādu sapludināšanas veidu šim izmaiņu pieprasījumam.
 pulls.open_unmerged_pull_exists=`Jūs nevarat veikt atkārtotas atvēršanas darbību, jo jau eksistē izmaiņu pieprasījums (#%d) ar šādu sapludināšanas informāciju.`
@@ -1012,6 +1014,7 @@ settings.pulls_desc=Iespējot repozitorija izmaiņu pieprasījumus
 settings.pulls.ignore_whitespace=Pārbaudot konfliktus, ignorēt izmaiņas atstarpēs
 settings.pulls.allow_merge_commits=Iespējot revīziju sapludināšanu
 settings.pulls.allow_rebase_merge=Iespējot pārbāzēšanu sapludinot revīzijas
+settings.pulls.allow_rebase_merge_commit=Iespējot pārbāzēšanu sapludinot revīzijas (--no-ff)
 settings.pulls.allow_squash_commits=Iespējot saspiešanu sapludinot revīzijas
 settings.admin_settings=Administratora iestatījumi
 settings.admin_enable_health_check=Iespējot veselības pārbaudi (git fsck) šim repozitorijam
@@ -1098,6 +1101,7 @@ settings.event_issue_comment_desc=Problēmas komentārs pievienots, labots vai d
 settings.event_release=Laidiens
 settings.event_release_desc=Publicēts, atjaunots vai dzēsts laidiens repozitorijā.
 settings.event_pull_request=Izmaiņu pieprasījums
+settings.event_pull_request_desc=Izmaiņu pieprasījums izveidots, slēgts, atkārtoti atvērts, labots, apstiprināts, noraidīts, recenzēts, piešķirts, pievienots vai noņemts atbildīgais, pievienota etiķete, noņemta etiķete, pievienots vai noņemts atskaites punkts.
 settings.event_push=Izmaiņu nosūtīšana
 settings.event_push_desc=Git izmaiņu nosūtīšana uz repozitoriju.
 settings.event_repository=Repozitorijs
@@ -1148,6 +1152,10 @@ settings.protect_merge_whitelist_committers=Iespējot sapludināšanas ierobežo
 settings.protect_merge_whitelist_committers_desc=Atļaut tikai noteiktiem lietotājiem vai komandām sapludināt izmaiņu pieprasījumus šajā atzarā.
 settings.protect_merge_whitelist_users=Lietotāji, kas var veikt izmaiņu sapludināšanu:
 settings.protect_merge_whitelist_teams=Komandas, kas var veikt izmaiņu sapludināšanu:
+settings.protect_required_approvals=Vajadzīgi apstiprinājumi:
+settings.protect_required_approvals_desc=Atļaut tikai noteiktiem lietotājiem vai komandām sapludināt izmaiņu pieprasījumu, kam veikts noteikts daudzums pozitīvu recenziju.
+settings.protect_approvals_whitelist_users=Lietotāji, kas var veikt recenzijas:
+settings.protect_approvals_whitelist_teams=Komandas, kas var veikt recenzijas:
 settings.add_protected_branch=Iespējot aizsargāšanu
 settings.delete_protected_branch=Atspējot aizsargāšanu
 settings.update_protect_branch_success=Atzara aizsardzība atzaram '%s' tika saglabāta.
@@ -1158,6 +1166,7 @@ settings.default_branch_desc=Norādiet noklusēto repozitorija atzaru izmaiņu p
 settings.choose_branch=Izvēlieties atzaru…
 settings.no_protected_branch=Nav neviena aizsargātā atzara.
 settings.edit_protected_branch=Labot
+settings.protected_branch_required_approvals_min=Pieprasīto recenziju skaits nevar būt negatīvs.
 
 diff.browse_source=Pārlūkot izejas kodu
 diff.parent=vecāks

public/js/index.js

@@ -7,6 +7,115 @@ function htmlEncode(text) {
 var csrf;
 var suburl;
 
+// Polyfill for IE9+ support (https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/from)
+if (!Array.from) {
+    Array.from = (function () {
+        var toStr = Object.prototype.toString;
+        var isCallable = function (fn) {
+            return typeof fn === 'function' || toStr.call(fn) === '[object Function]';
+        };
+        var toInteger = function (value) {
+            var number = Number(value);
+            if (isNaN(number)) { return 0; }
+            if (number === 0 || !isFinite(number)) { return number; }
+            return (number > 0 ? 1 : -1) * Math.floor(Math.abs(number));
+        };
+        var maxSafeInteger = Math.pow(2, 53) - 1;
+        var toLength = function (value) {
+            var len = toInteger(value);
+            return Math.min(Math.max(len, 0), maxSafeInteger);
+        };
+
+        // The length property of the from method is 1.
+        return function from(arrayLike/*, mapFn, thisArg */) {
+            // 1. Let C be the this value.
+            var C = this;
+
+            // 2. Let items be ToObject(arrayLike).
+            var items = Object(arrayLike);
+
+            // 3. ReturnIfAbrupt(items).
+            if (arrayLike == null) {
+                throw new TypeError("Array.from requires an array-like object - not null or undefined");
+            }
+
+            // 4. If mapfn is undefined, then let mapping be false.
+            var mapFn = arguments.length > 1 ? arguments[1] : void undefined;
+            var T;
+            if (typeof mapFn !== 'undefined') {
+                // 5. else
+                // 5. a If IsCallable(mapfn) is false, throw a TypeError exception.
+                if (!isCallable(mapFn)) {
+                    throw new TypeError('Array.from: when provided, the second argument must be a function');
+                }
+
+                // 5. b. If thisArg was supplied, let T be thisArg; else let T be undefined.
+                if (arguments.length > 2) {
+                    T = arguments[2];
+                }
+            }
+
+            // 10. Let lenValue be Get(items, "length").
+            // 11. Let len be ToLength(lenValue).
+            var len = toLength(items.length);
+
+            // 13. If IsConstructor(C) is true, then
+            // 13. a. Let A be the result of calling the [[Construct]] internal method of C with an argument list containing the single item len.
+            // 14. a. Else, Let A be ArrayCreate(len).
+            var A = isCallable(C) ? Object(new C(len)) : new Array(len);
+
+            // 16. Let k be 0.
+            var k = 0;
+            // 17. Repeat, while k < len… (also steps a - h)
+            var kValue;
+            while (k < len) {
+                kValue = items[k];
+                if (mapFn) {
+                    A[k] = typeof T === 'undefined' ? mapFn(kValue, k) : mapFn.call(T, kValue, k);
+                } else {
+                    A[k] = kValue;
+                }
+                k += 1;
+            }
+            // 18. Let putStatus be Put(A, "length", len, true).
+            A.length = len;
+            // 20. Return A.
+            return A;
+        };
+    }());
+}
+
+// https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/assign
+if (typeof Object.assign != 'function') {
+    // Must be writable: true, enumerable: false, configurable: true
+    Object.defineProperty(Object, "assign", {
+        value: function assign(target, varArgs) { // .length of function is 2
+            'use strict';
+            if (target == null) { // TypeError if undefined or null
+                throw new TypeError('Cannot convert undefined or null to object');
+            }
+
+            var to = Object(target);
+
+            for (var index = 1; index < arguments.length; index++) {
+                var nextSource = arguments[index];
+
+                if (nextSource != null) { // Skip over if undefined or null
+                    for (var nextKey in nextSource) {
+                        // Avoid bugs when hasOwnProperty is shadowed
+                        if (Object.prototype.hasOwnProperty.call(nextSource, nextKey)) {
+                            to[nextKey] = nextSource[nextKey];
+                        }
+                    }
+                }
+            }
+            return to;
+        },
+        writable: true,
+        configurable: true
+    });
+}
+
 function initCommentPreviewTab($form) {
     var $tabMenu = $form.find('.tabular.menu');
     $tabMenu.find('.item').tab();
@@ -2348,7 +2457,6 @@ function initHeatmap(appElementId, heatmapUser, locale) {
                 this.getColor(4),
                 this.getColor(5)
             ];
-            console.log(this.colorRange);
             this.endDate = new Date();
             this.loadHeatmap(this.user);
         },

public/less/_base.less

@@ -384,33 +384,12 @@ pre, code {
 
 }
 
-.overflow.menu {
-    .items {
-        max-height: 300px;
-        overflow-y: auto;
-        .item {
-            position: relative;
-            cursor: pointer;
-            display: block;
-            border: none;
-            height: auto;
-            border-top: none;
-            line-height: 1em;
-            color: rgba(0,0,0,.8);
-            padding: .71428571em 1.14285714em !important;
-            font-size: 1rem;
-            text-transform: none;
-            font-weight: 400;
-            box-shadow: none;
-            -webkit-touch-callout: none;
-            &.active {
-                font-weight: 700;
-            }
-            &:hover {
-                background: rgba(0,0,0,.05);
-                color: rgba(0,0,0,.8);
-                z-index: 13;
-            }
+.ui.floating.dropdown {
+    .overflow.menu {
+        .scrolling.menu.items {
+            border-radius: 0px !important;
+            box-shadow: none !important;
+            border-bottom: 1px solid rgba(34, 36, 38, 0.15);
         }
     }
 }

public/vendor/librejs.html

@@ -48,7 +48,7 @@
         <tr>
           <td><a href="./plugins/vue/vue.min.js">vue.min.js</a></td>
           <td><a href="https://github.com/vuejs/vue/blob/dev/LICENSE">Expat</a></td>
-          <td><a href="https://github.com/vuejs/vue/archive/v2.1.10.tar.gz">vue.js-v2.1.10.tar.gz</a></td>
+          <td><a href="https://github.com/vuejs/vue/archive/v2.6.6.tar.gz">vue.js-v2.6.6.tar.gz</a></td>
         </tr>
         <tr>
           <td><a href="./plugins/emojify/emojify.min.js">emojify.min.js</a></td>
@@ -136,7 +136,7 @@
           <td><a href="https://github.com/swagger-api/swagger-ui/archive/v3.0.4.tar.gz">swagger-ui-v3.0.4.tar.gz</a></td>
         </tr>
         <tr>
-          <td><a href="./plugins/vue-calendar-heatmap">vue-calendar-heatmap</a></td>
+          <td><a href="./plugins/vue-calendar-heatmap/">vue-calendar-heatmap</a></td>
           <td><a href="https://github.com/WildCodeSchool/vue-calendar-heatmap/blob/master/README.md">MIT</a></td>
           <td><a href="https://github.com/WildCodeSchool/vue-calendar-heatmap/archive/master.zip">7f48b20.zip</a></td>
         </tr>
@@ -145,6 +145,11 @@
           <td><a href="https://github.com/moment/moment/blob/develop/LICENSE">MIT</a></td>
           <td><a href="https://github.com/moment/moment/archive/2.22.2.tar.gz">0.4.1.tar.gz</a></td>
         </tr>
+        <tr>
+          <td><a href="./plugins/es6-promise/">es6-promise</a></td>
+          <td><a href="https://github.com/stefanpenner/es6-promise/blob/master/LICENSE">MIT</a></td>
+          <td><a href="https://github.com/stefanpenner/es6-promise/archive/v4.2.6.tar.gz">4.2.6.tar.gz</a></td>
+        </tr>
       </tbody>
     </table>
   </body>

routers/api/v1/api.go

@@ -85,7 +85,7 @@ func sudo() macaron.Handler {
 		}
 
 		if len(sudo) > 0 {
-			if ctx.User.IsAdmin {
+			if ctx.IsSigned && ctx.User.IsAdmin {
 				user, err := models.GetUserByName(sudo)
 				if err != nil {
 					if models.IsErrUserNotExist(err) {

routers/api/v1/repo/issue.go

@@ -129,7 +129,7 @@ func GetIssue(ctx *context.APIContext) {
 	// responses:
 	//   "200":
 	//     "$ref": "#/responses/Issue"
-	issue, err := models.GetIssueByIndex(ctx.Repo.Repository.ID, ctx.ParamsInt64(":index"))
+	issue, err := models.GetIssueWithAttrsByIndex(ctx.Repo.Repository.ID, ctx.ParamsInt64(":index"))
 	if err != nil {
 		if models.IsErrIssueNotExist(err) {
 			ctx.Status(404)

routers/api/v1/repo/issue_label.go

@@ -51,6 +51,11 @@ func ListIssueLabels(ctx *context.APIContext) {
 		return
 	}
 
+	if err := issue.LoadAttributes(); err != nil {
+		ctx.Error(500, "LoadAttributes", err)
+		return
+	}
+
 	apiLabels := make([]*api.Label, len(issue.Labels))
 	for i := range issue.Labels {
 		apiLabels[i] = issue.Labels[i].APIFormat()

routers/api/v1/repo/key.go

@@ -159,6 +159,8 @@ func HandleCheckKeyStringError(ctx *context.APIContext, err error) {
 // HandleAddKeyError handle add key error
 func HandleAddKeyError(ctx *context.APIContext, err error) {
 	switch {
+	case models.IsErrDeployKeyAlreadyExist(err):
+		ctx.Error(422, "", "This key has already been added to this repository")
 	case models.IsErrKeyAlreadyExist(err):
 		ctx.Error(422, "", "Key content has been used as non-deploy key")
 	case models.IsErrKeyNameAlreadyUsed(err):

routers/api/v1/repo/pull.go

@@ -668,8 +668,8 @@ func parseCompareInfo(ctx *context.APIContext, form api.CreatePullRequestOption)
 		ctx.ServerError("GetUserRepoPermission", err)
 		return nil, nil, nil, nil, "", ""
 	}
-	if !perm.CanWrite(models.UnitTypeCode) {
-		log.Trace("ParseCompareInfo[%d]: does not have write access or site admin", baseRepo.ID)
+	if !perm.CanReadIssuesOrPulls(true) {
+		log.Trace("ParseCompareInfo[%d]: cannot create/read pull requests", baseRepo.ID)
 		ctx.Status(404)
 		return nil, nil, nil, nil, "", ""
 	}

routers/api/v1/repo/repo.go

@@ -400,6 +400,11 @@ func Migrate(ctx *context.APIContext, form auth.MigrateRepoForm) {
 		RemoteAddr:  remoteAddr,
 	})
 	if err != nil {
+		if models.IsErrRepoAlreadyExist(err) {
+			ctx.Error(409, "", "The repository with the same name already exists.")
+			return
+		}
+
 		err = util.URLSanitizedError(err, remoteAddr)
 		if repo != nil {
 			if errDelete := models.DeleteRepository(ctx.User, ctxUser.ID, repo.ID); errDelete != nil {

routers/api/v1/repo/tree.go

@@ -16,6 +16,30 @@ import (
 
 // GetTree get the tree of a repository.
 func GetTree(ctx *context.APIContext) {
+	// swagger:operation GET /repos/{owner}/{repo}/git/trees/{sha} repository GetTree
+	// ---
+	// summary: Gets the tree of a repository.
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: owner
+	//   in: path
+	//   description: owner of the repo
+	//   type: string
+	//   required: true
+	// - name: repo
+	//   in: path
+	//   description: name of the repo
+	//   type: string
+	//   required: true
+	// - name: sha
+	//   in: path
+	//   description: sha of the commit
+	//   type: string
+	//   required: true
+	// responses:
+	//   "200":
+	//     "$ref": "#/responses/GitTreeResponse"
 	sha := ctx.Params("sha")
 	if len(sha) == 0 {
 		ctx.Error(400, "sha not provided", nil)

routers/api/v1/swagger/repo.go

@@ -133,3 +133,10 @@ type swaggerResponseAttachment struct {
 	//in: body
 	Body api.Attachment `json:"body"`
 }
+
+// GitTreeResponse
+// swagger:response GitTreeResponse
+type swaggerGitTreeResponse struct {
+	//in: body
+	Body api.GitTreeResponse `json:"body"`
+}

routers/home.go

@@ -6,11 +6,13 @@ package routers
 
 import (
 	"bytes"
+	"net/url"
 	"strings"
 
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
+	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/search"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
@@ -38,6 +40,15 @@ func Home(ctx *context.Context) {
 		if !ctx.User.IsActive && setting.Service.RegisterEmailConfirm {
 			ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
 			ctx.HTML(200, user.TplActivate)
+		} else if !ctx.User.IsActive || ctx.User.ProhibitLogin {
+			log.Info("Failed authentication attempt for %s from %s", ctx.User.Name, ctx.RemoteAddr())
+			ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
+			ctx.HTML(200, "user/auth/prohibit_login")
+		} else if ctx.User.MustChangePassword {
+			ctx.Data["Title"] = ctx.Tr("auth.must_change_password")
+			ctx.Data["ChangePasscodeLink"] = setting.AppSubURL + "/user/change_password"
+			ctx.SetCookie("redirect_to", url.QueryEscape(setting.AppSubURL+ctx.Req.RequestURI), 0, setting.AppSubURL)
+			ctx.Redirect(setting.AppSubURL + "/user/settings/change_password")
 		} else {
 			user.Dashboard(ctx)
 		}

routers/metrics.go

@@ -17,7 +17,7 @@ func Metrics(ctx *context.Context) {
 		promhttp.Handler().ServeHTTP(ctx.Resp, ctx.Req.Request)
 		return
 	}
-	header := ctx.Header().Get("Authorization")
+	header := ctx.Req.Header.Get("Authorization")
 	if header == "" {
 		ctx.Error(401)
 		return

routers/org/teams.go

@@ -288,8 +288,6 @@ func EditTeamPost(ctx *context.Context, form auth.CreateTeamForm) {
 			})
 		}
 		models.UpdateTeamUnits(t, units)
-	} else {
-		models.UpdateTeamUnits(t, nil)
 	}
 
 	if ctx.HasError() {

routers/private/internal.go

@@ -82,6 +82,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 		m.Post("/repositories/:repoid/keys/:keyid/update", UpdateDeployKey)
 		m.Get("/repositories/:repoid/user/:userid/checkunituser", CheckUnitUser)
 		m.Get("/repositories/:repoid/has-keys/:keyid", HasDeployKey)
+		m.Get("/repositories/:repoid/keys/:keyid", GetDeployKey)
 		m.Get("/repositories/:repoid/wiki/init", InitWiki)
 		m.Post("/push/update", PushUpdate)
 		m.Get("/protectedbranch/:pbid/:userid", CanUserPush)

routers/private/key.go

@@ -72,6 +72,24 @@ func GetUserByKeyID(ctx *macaron.Context) {
 	ctx.JSON(200, user)
 }
 
+//GetDeployKey chainload to models.GetDeployKey
+func GetDeployKey(ctx *macaron.Context) {
+	repoID := ctx.ParamsInt64(":repoid")
+	keyID := ctx.ParamsInt64(":keyid")
+	dKey, err := models.GetDeployKeyByRepo(keyID, repoID)
+	if err != nil {
+		if models.IsErrDeployKeyNotExist(err) {
+			ctx.JSON(404, []byte("not found"))
+			return
+		}
+		ctx.JSON(500, map[string]interface{}{
+			"err": err.Error(),
+		})
+		return
+	}
+	ctx.JSON(200, dKey)
+}
+
 //HasDeployKey chainload to models.HasDeployKey
 func HasDeployKey(ctx *macaron.Context) {
 	repoID := ctx.ParamsInt64(":repoid")

routers/repo/commit.go

@@ -201,7 +201,7 @@ func Diff(ctx *context.Context) {
 		commitID = commit.ID.String()
 	}
 
-	statuses, err := models.GetLatestCommitStatus(ctx.Repo.Repository, ctx.Repo.Commit.ID.String(), 0)
+	statuses, err := models.GetLatestCommitStatus(ctx.Repo.Repository, commitID, 0)
 	if err != nil {
 		log.Error(3, "GetLatestCommitStatus: %v", err)
 	}

routers/repo/editor.go

@@ -163,7 +163,11 @@ func editFilePost(ctx *context.Context, form auth.EditRepoFileForm, isNewFile bo
 		branchName = form.NewBranchName
 	}
 
-	form.TreePath = strings.Trim(path.Clean("/"+form.TreePath), " /")
+	form.TreePath = cleanUploadFileName(form.TreePath)
+	if len(form.TreePath) == 0 {
+		ctx.Error(500, "Upload file name is invalid")
+		return
+	}
 	treeNames, treePaths := getParentTreeFields(form.TreePath)
 
 	ctx.Data["TreePath"] = form.TreePath
@@ -373,6 +377,13 @@ func DeleteFile(ctx *context.Context) {
 func DeleteFilePost(ctx *context.Context, form auth.DeleteRepoFileForm) {
 	ctx.Data["PageIsDelete"] = true
 	ctx.Data["BranchLink"] = ctx.Repo.RepoLink + "/src/" + ctx.Repo.BranchNameSubURL()
+
+	ctx.Repo.TreePath = cleanUploadFileName(ctx.Repo.TreePath)
+	if len(ctx.Repo.TreePath) == 0 {
+		ctx.Error(500, "Delete file name is invalid")
+		return
+	}
+
 	ctx.Data["TreePath"] = ctx.Repo.TreePath
 	canCommit := renderCommitRights(ctx)
 
@@ -477,7 +488,12 @@ func UploadFilePost(ctx *context.Context, form auth.UploadRepoFileForm) {
 		branchName = form.NewBranchName
 	}
 
-	form.TreePath = strings.Trim(path.Clean("/"+form.TreePath), " /")
+	form.TreePath = cleanUploadFileName(form.TreePath)
+	if len(form.TreePath) == 0 {
+		ctx.Error(500, "Upload file name is invalid")
+		return
+	}
+
 	treeNames, treePaths := getParentTreeFields(form.TreePath)
 	if len(treeNames) == 0 {
 		// We must at least have one element for user to input.

routers/repo/http.go

@@ -113,24 +113,24 @@ func HTTP(ctx *context.Context) {
 				return
 			}
 
-			authUser, err = models.UserSignIn(authUsername, authPasswd)
-			if err != nil {
-				if !models.IsErrUserNotExist(err) {
-					ctx.ServerError("UserSignIn error: %v", err)
-					return
-				}
+			// Check if username or password is a token
+			isUsernameToken := len(authPasswd) == 0 || authPasswd == "x-oauth-basic"
+			// Assume username is token
+			authToken := authUsername
+			if !isUsernameToken {
+				// Assume password is token
+				authToken = authPasswd
 			}
-
-			if authUser == nil {
-				isUsernameToken := len(authPasswd) == 0 || authPasswd == "x-oauth-basic"
-
-				// Assume username is token
-				authToken := authUsername
-
-				if !isUsernameToken {
-					// Assume password is token
-					authToken = authPasswd
-
+			// Assume password is a token.
+			token, err := models.GetAccessTokenBySHA(authToken)
+			if err == nil {
+				if isUsernameToken {
+					authUser, err = models.GetUserByID(token.UID)
+					if err != nil {
+						ctx.ServerError("GetUserByID", err)
+						return
+					}
+				} else {
 					authUser, err = models.GetUserByName(authUsername)
 					if err != nil {
 						if models.IsErrUserNotExist(err) {
@@ -140,37 +140,37 @@ func HTTP(ctx *context.Context) {
 						}
 						return
 					}
-				}
-
-				// Assume password is a token.
-				token, err := models.GetAccessTokenBySHA(authToken)
-				if err != nil {
-					if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) {
+					if authUser.ID != token.UID {
 						ctx.HandleText(http.StatusUnauthorized, "invalid credentials")
-					} else {
-						ctx.ServerError("GetAccessTokenBySha", err)
-					}
-					return
-				}
-
-				if isUsernameToken {
-					authUser, err = models.GetUserByID(token.UID)
-					if err != nil {
-						ctx.ServerError("GetUserByID", err)
 						return
 					}
-				} else if authUser.ID != token.UID {
-					ctx.HandleText(http.StatusUnauthorized, "invalid credentials")
-					return
 				}
-
 				token.UpdatedUnix = util.TimeStampNow()
 				if err = models.UpdateAccessToken(token); err != nil {
 					ctx.ServerError("UpdateAccessToken", err)
 				}
 			} else {
-				_, err = models.GetTwoFactorByUID(authUser.ID)
+				if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {
+					log.Error(4, "GetAccessTokenBySha: %v", err)
+				}
+			}
 
+			if authUser == nil {
+				// Check username and password
+				authUser, err = models.UserSignIn(authUsername, authPasswd)
+				if err != nil {
+					if !models.IsErrUserNotExist(err) {
+						ctx.ServerError("UserSignIn error: %v", err)
+						return
+					}
+				}
+
+				if authUser == nil {
+					ctx.HandleText(http.StatusUnauthorized, "invalid credentials")
+					return
+				}
+
+				_, err = models.GetTwoFactorByUID(authUser.ID)
 				if err == nil {
 					// TODO: This response should be changed to "invalid credentials" for security reasons once the expectation behind it (creating an app token to authenticate) is properly documented
 					ctx.HandleText(http.StatusUnauthorized, "Users with two-factor authentication enabled cannot perform HTTP/HTTPS operations via plain username and password. Please create and use a personal access token on the user settings page")

routers/repo/issue.go

@@ -355,7 +355,7 @@ func setTemplateIfExists(ctx *context.Context, ctxDataKey string, possibleFiles
 	}
 }
 
-// NewIssue render createing issue page
+// NewIssue render creating issue page
 func NewIssue(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("repo.issues.new")
 	ctx.Data["PageIsIssueList"] = true
@@ -494,6 +494,11 @@ func NewIssuePost(ctx *context.Context, form auth.CreateIssueForm) {
 		return
 	}
 
+	if util.IsEmptyString(form.Title) {
+		ctx.RenderWithErr(ctx.Tr("repo.issues.new.title_empty"), tplIssueNew, form)
+		return
+	}
+
 	issue := &models.Issue{
 		RepoID:      repo.ID,
 		Title:       form.Title,

routers/repo/pull.go

@@ -22,6 +22,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/notification"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
 
 	"github.com/Unknwon/com"
 )
@@ -683,8 +684,8 @@ func ParseCompareInfo(ctx *context.Context) (*models.User, *models.Repository, *
 		ctx.ServerError("GetUserRepoPermission", err)
 		return nil, nil, nil, nil, "", ""
 	}
-	if !perm.CanWrite(models.UnitTypeCode) {
-		log.Trace("ParseCompareInfo[%d]: does not have write access or site admin", baseRepo.ID)
+	if !perm.CanReadIssuesOrPulls(true) {
+		log.Trace("ParseCompareInfo[%d]: cannot create/read pull requests", baseRepo.ID)
 		ctx.NotFound("ParseCompareInfo", nil)
 		return nil, nil, nil, nil, "", ""
 	}
@@ -860,6 +861,16 @@ func CompareAndPullRequestPost(ctx *context.Context, form auth.CreateIssueForm)
 		return
 	}
 
+	if util.IsEmptyString(form.Title) {
+		PrepareCompareDiff(ctx, headUser, headRepo, headGitRepo, prInfo, baseBranch, headBranch)
+		if ctx.Written() {
+			return
+		}
+
+		ctx.RenderWithErr(ctx.Tr("repo.issues.new.title_empty"), tplComparePull, form)
+		return
+	}
+
 	patch, err := headGitRepo.GetPatch(prInfo.MergeBase, headBranch)
 	if err != nil {
 		ctx.ServerError("GetPatch", err)

routers/repo/repo.go

@@ -256,6 +256,11 @@ func MigratePost(ctx *context.Context, form auth.MigrateRepoForm) {
 		return
 	}
 
+	if models.IsErrRepoAlreadyExist(err) {
+		ctx.RenderWithErr(ctx.Tr("form.repo_name_been_taken"), tplMigrate, &form)
+		return
+	}
+
 	// remoteAddr may contain credentials, so we sanitize it
 	err = util.URLSanitizedError(err, remoteAddr)
 

routers/repo/setting.go

@@ -6,6 +6,9 @@
 package repo
 
 import (
+	"errors"
+	"net/url"
+	"regexp"
 	"strings"
 	"time"
 
@@ -20,6 +23,8 @@ import (
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/validation"
 	"code.gitea.io/gitea/routers/utils"
+
+	"github.com/mvdan/xurls"
 )
 
 const (
@@ -32,10 +37,13 @@ const (
 	tplProtectedBranch base.TplName = "repo/settings/protected_branch"
 )
 
+var validFormAddress *regexp.Regexp
+
 // Settings show a repository's settings page
 func Settings(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("repo.settings")
 	ctx.Data["PageIsSettingsOptions"] = true
+	ctx.Data["ForcePrivate"] = setting.Repository.ForcePrivate
 	ctx.HTML(200, tplSettingsOptions)
 }
 
@@ -94,6 +102,12 @@ func SettingsPost(ctx *context.Context, form auth.RepoSettingForm) {
 		}
 
 		visibilityChanged := repo.IsPrivate != form.Private
+		// when ForcePrivate enabled, you could change public repo to private, but could not change private to public
+		if visibilityChanged && setting.Repository.ForcePrivate && !form.Private {
+			ctx.ServerError("Force Private enabled", errors.New("cannot change private repository to public"))
+			return
+		}
+
 		repo.IsPrivate = form.Private
 		if err := models.UpdateRepository(repo, visibilityChanged); err != nil {
 			ctx.ServerError("UpdateRepository", err)
@@ -132,7 +146,38 @@ func SettingsPost(ctx *context.Context, form auth.RepoSettingForm) {
 				return
 			}
 		}
-		if err := ctx.Repo.Mirror.SaveAddress(form.MirrorAddress); err != nil {
+
+		// Validate the form.MirrorAddress
+		u, err := url.Parse(form.MirrorAddress)
+		if err != nil {
+			ctx.Data["Err_MirrorAddress"] = true
+			ctx.RenderWithErr(ctx.Tr("repo.mirror_address_url_invalid"), tplSettingsOptions, &form)
+			return
+		}
+
+		if u.Opaque != "" || !(u.Scheme == "http" || u.Scheme == "https" || u.Scheme == "git") {
+			ctx.Data["Err_MirrorAddress"] = true
+			ctx.RenderWithErr(ctx.Tr("repo.mirror_address_protocol_invalid"), tplSettingsOptions, &form)
+			return
+		}
+
+		// Now use xurls
+		address := validFormAddress.FindString(form.MirrorAddress)
+		if address != form.MirrorAddress && form.MirrorAddress != "" {
+			ctx.Data["Err_MirrorAddress"] = true
+			ctx.RenderWithErr(ctx.Tr("repo.mirror_address_url_invalid"), tplSettingsOptions, &form)
+			return
+		}
+
+		if u.EscapedPath() == "" || u.Host == "" || !u.IsAbs() {
+			ctx.Data["Err_MirrorAddress"] = true
+			ctx.RenderWithErr(ctx.Tr("repo.mirror_address_url_invalid"), tplSettingsOptions, &form)
+			return
+		}
+
+		address = u.String()
+
+		if err := ctx.Repo.Mirror.SaveAddress(address); err != nil {
 			ctx.ServerError("SaveAddress", err)
 			return
 		}
@@ -581,6 +626,9 @@ func DeployKeysPost(ctx *context.Context, form auth.AddKeyForm) {
 		case models.IsErrDeployKeyAlreadyExist(err):
 			ctx.Data["Err_Content"] = true
 			ctx.RenderWithErr(ctx.Tr("repo.settings.key_been_used"), tplDeployKeys, &form)
+		case models.IsErrKeyAlreadyExist(err):
+			ctx.Data["Err_Content"] = true
+			ctx.RenderWithErr(ctx.Tr("settings.ssh_key_been_used"), tplDeployKeys, &form)
 		case models.IsErrKeyNameAlreadyUsed(err):
 			ctx.Data["Err_Title"] = true
 			ctx.RenderWithErr(ctx.Tr("repo.settings.key_name_used"), tplDeployKeys, &form)
@@ -607,3 +655,11 @@ func DeleteDeployKey(ctx *context.Context) {
 		"redirect": ctx.Repo.RepoLink + "/settings/keys",
 	})
 }
+
+func init() {
+	var err error
+	validFormAddress, err = xurls.StrictMatchingScheme(`(https?)|(git)://`)
+	if err != nil {
+		panic(err)
+	}
+}

routers/repo/view.go

@@ -50,7 +50,7 @@ func renderDirectory(ctx *context.Context, treeLink string) {
 	}
 	entries.CustomSort(base.NaturalSortLess)
 
-	ctx.Data["Files"], err = entries.GetCommitsInfo(ctx.Repo.Commit, ctx.Repo.TreePath)
+	ctx.Data["Files"], err = entries.GetCommitsInfo(ctx.Repo.Commit, ctx.Repo.TreePath, nil)
 	if err != nil {
 		ctx.ServerError("GetCommitsInfo", err)
 		return

routers/repo/wiki.go

@@ -341,6 +341,11 @@ func NewWikiPost(ctx *context.Context, form auth.NewWikiForm) {
 		return
 	}
 
+	if util.IsEmptyString(form.Title) {
+		ctx.RenderWithErr(ctx.Tr("repo.issues.new.title_empty"), tplWikiNew, form)
+		return
+	}
+
 	wikiName := models.NormalizeWikiName(form.Title)
 	if err := ctx.Repo.Repository.AddWikiPage(ctx.User, wikiName, form.Content, form.Message); err != nil {
 		if models.IsErrWikiReservedName(err) {

routers/routes/routes.go

@@ -106,7 +106,7 @@ func NewMacaron() *macaron.Macaron {
 		Langs:       setting.Langs,
 		Names:       setting.Names,
 		DefaultLang: "en-US",
-		Redirect:    true,
+		Redirect:    false,
 	}))
 	m.Use(cache.Cacher(cache.Options{
 		Adapter:       setting.CacheService.Adapter,
@@ -296,7 +296,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 
 	m.Group("/user", func() {
 		// r.Get("/feeds", binding.Bind(auth.FeedsForm{}), user.Feeds)
-		m.Any("/activate", user.Activate)
+		m.Any("/activate", user.Activate, reqSignIn)
 		m.Any("/activate_email", user.ActivateEmail)
 		m.Get("/email2user", user.Email2User)
 		m.Get("/forgot_password", user.ForgotPasswd)
@@ -643,7 +643,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 			}
 			ctx.Data["CommitsCount"] = ctx.Repo.CommitsCount
 		})
-	}, context.RepoAssignment(), context.UnitTypes(), reqRepoReleaseReader)
+	}, ignSignIn, context.RepoAssignment(), context.UnitTypes(), reqRepoReleaseReader)
 
 	m.Group("/:username/:reponame", func() {
 		m.Post("/topics", repo.TopicsPost)

routers/user/auth.go

@@ -161,6 +161,19 @@ func SignInPost(ctx *context.Context, form auth.SignInForm) {
 		} else if models.IsErrEmailAlreadyUsed(err) {
 			ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplSignIn, &form)
 			log.Info("Failed authentication attempt for %s from %s", form.UserName, ctx.RemoteAddr())
+		} else if models.IsErrUserProhibitLogin(err) {
+			log.Info("Failed authentication attempt for %s from %s", form.UserName, ctx.RemoteAddr())
+			ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
+			ctx.HTML(200, "user/auth/prohibit_login")
+		} else if models.IsErrUserInactive(err) {
+			if setting.Service.RegisterEmailConfirm {
+				ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
+				ctx.HTML(200, TplActivate)
+			} else {
+				log.Info("Failed authentication attempt for %s from %s", form.UserName, ctx.RemoteAddr())
+				ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
+				ctx.HTML(200, "user/auth/prohibit_login")
+			}
 		} else {
 			ctx.ServerError("UserSignIn", err)
 		}

routers/user/auth_openid.go

@@ -115,7 +115,8 @@ func SignInOpenIDPost(ctx *context.Context, form auth.SignInOpenIDForm) {
 	redirectTo := setting.AppURL + "user/login/openid"
 	url, err := openid.RedirectURL(id, redirectTo, setting.AppURL)
 	if err != nil {
-		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &form)
+		log.Error(1, "Error in OpenID redirect URL: %s, %v", redirectTo, err.Error())
+		ctx.RenderWithErr(fmt.Sprintf("Unable to find OpenID provider in %s", redirectTo), tplSignInOpenID, &form)
 		return
 	}
 

routers/user/setting/security.go

@@ -34,10 +34,15 @@ func Security(ctx *context.Context) {
 
 // DeleteAccountLink delete a single account link
 func DeleteAccountLink(ctx *context.Context) {
-	if _, err := models.RemoveAccountLink(ctx.User, ctx.QueryInt64("loginSourceID")); err != nil {
-		ctx.Flash.Error("RemoveAccountLink: " + err.Error())
+	id := ctx.QueryInt64("id")
+	if id <= 0 {
+		ctx.Flash.Error("Account link id is not given")
 	} else {
-		ctx.Flash.Success(ctx.Tr("settings.remove_account_link_success"))
+		if _, err := models.RemoveAccountLink(ctx.User, id); err != nil {
+			ctx.Flash.Error("RemoveAccountLink: " + err.Error())
+		} else {
+			ctx.Flash.Success(ctx.Tr("settings.remove_account_link_success"))
+		}
 	}
 
 	ctx.JSON(200, map[string]interface{}{

templates/admin/dashboard.tmpl

@@ -100,7 +100,7 @@
 				<dt>{{.i18n.Tr "admin.dashboard.mspan_structures_usage"}}</dt>
 				<dd>{{.SysStatus.MSpanInuse}}</dd>
 				<dt>{{.i18n.Tr "admin.dashboard.mspan_structures_obtained"}}</dt>
-				<dd>{{.SysStatus.HeapSys}}</dd>
+				<dd>{{.SysStatus.MSpanSys}}</dd>
 				<dt>{{.i18n.Tr "admin.dashboard.mcache_structures_usage"}}</dt>
 				<dd>{{.SysStatus.MCacheInuse}}</dd>
 				<dt>{{.i18n.Tr "admin.dashboard.mcache_structures_obtained"}}</dt>

templates/base/footer.tmpl

@@ -112,6 +112,7 @@
 	<script src="{{AppSubUrl}}/vendor/plugins/semantic/semantic.min.js"></script>
 	<script src="{{AppSubUrl}}/js/index.js?v={{MD5 AppVer}}"></script>
 {{if .EnableHeatmap}}
+	<script src="{{AppSubUrl}}/vendor/plugins/es6-promise/es6-promise.auto.min.js" charset="utf-8"></script>
 	<script src="{{AppSubUrl}}/vendor/plugins/moment/moment.min.js" charset="utf-8"></script>
 	<script src="{{AppSubUrl}}/vendor/plugins/vue-calendar-heatmap/vue-calendar-heatmap.browser.js" charset="utf-8"></script>
 	<script type="text/javascript">

templates/base/head.tmpl

@@ -5,7 +5,7 @@
 	<meta name="viewport" content="width=device-width, initial-scale=1">
 	<meta http-equiv="x-ua-compatible" content="ie=edge">
 	<title>{{if .Title}}{{.Title}} - {{end}}{{AppName}}</title>
-	<link rel="manifest" href="{{AppSubUrl}}/manifest.json">
+	<link rel="manifest" href="{{AppSubUrl}}/manifest.json" crossorigin="use-credentials">
 	
 	<script>
 		if ('serviceWorker' in navigator) {

templates/repo/home.tmpl

@@ -54,8 +54,8 @@
 		<div class="ui stackable secondary menu mobile--margin-between-items mobile--no-negative-margins">
 			{{if and .PullRequestCtx.Allowed .IsViewBranch}}
 				<div class="fitted item">
-					<a href="{{.BaseRepo.Link}}/compare/{{.BaseRepo.DefaultBranch | EscapePound}}...{{.Repository.Owner.Name}}:{{.BranchName | EscapePound}}">
-						<button class="ui green tiny compact button"><i class="octicon octicon-git-compare"></i></button>
+					<a href="{{.BaseRepo.Link}}/compare/{{.BaseRepo.DefaultBranch | EscapePound}}...{{if ne .Repository.Owner.Name .BaseRepo.Owner.Name}}{{.Repository.Owner.Name}}:{{end}}{{.BranchName | EscapePound}}">
+					<button class="ui green tiny compact button"><i class="octicon octicon-git-compare"></i></button>
 					</a>
 				</div>
 			{{end}}

templates/repo/settings/options.tmpl

@@ -19,7 +19,7 @@
 					<div class="inline field">
 						<label>{{.i18n.Tr "repo.visibility"}}</label>
 						<div class="ui checkbox">
-							<input name="private" type="checkbox" {{if .Repository.IsPrivate}}checked{{end}}>
+							<input name="private" type="checkbox" {{if .Repository.IsPrivate}}checked{{end}}{{if and $.ForcePrivate .Repository.IsPrivate}} readonly{{end}}>
 							<label>{{.i18n.Tr "repo.visibility_helper" | Safe}} {{if .Repository.NumForks}}<span class="text red">{{.i18n.Tr "repo.visibility_fork_helper"}}</span>{{end}}</label>
 						</div>
 					</div>
@@ -58,7 +58,7 @@
 						<label for="interval">{{.i18n.Tr "repo.mirror_interval"}}</label>
 						<input id="interval" name="interval" value="{{.MirrorInterval}}">
 					</div>
-					<div class="field">
+					<div class="field {{if .Err_MirrorAddress}}error{{end}}">
 						<label for="mirror_address">{{.i18n.Tr "repo.mirror_address"}}</label>
 						<input id="mirror_address" name="mirror_address" value="{{.Mirror.FullAddress}}" required>
 						<p class="help">{{.i18n.Tr "repo.mirror_address_desc"}}</p>

templates/swagger/v1_json.tmpl

@@ -1663,6 +1663,46 @@
         }
       }
     },
+    "/repos/{owner}/{repo}/git/trees/{sha}": {
+      "get": {
+        "produces": [
+          "application/json"
+        ],
+        "tags": [
+          "repository"
+        ],
+        "summary": "Gets the tree of a repository.",
+        "operationId": "GetTree",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "owner of the repo",
+            "name": "owner",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "description": "name of the repo",
+            "name": "repo",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "description": "sha of the commit",
+            "name": "sha",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "200": {
+            "$ref": "#/responses/GitTreeResponse"
+          }
+        }
+      }
+    },
     "/repos/{owner}/{repo}/hooks": {
       "get": {
         "produces": [
@@ -7040,6 +7080,38 @@
       },
       "x-go-package": "code.gitea.io/gitea/vendor/code.gitea.io/sdk/gitea"
     },
+    "GitEntry": {
+      "description": "GitEntry represents a git tree",
+      "type": "object",
+      "properties": {
+        "mode": {
+          "type": "string",
+          "x-go-name": "Mode"
+        },
+        "path": {
+          "type": "string",
+          "x-go-name": "Path"
+        },
+        "sha": {
+          "type": "string",
+          "x-go-name": "SHA"
+        },
+        "size": {
+          "type": "integer",
+          "format": "int64",
+          "x-go-name": "Size"
+        },
+        "type": {
+          "type": "string",
+          "x-go-name": "Type"
+        },
+        "url": {
+          "type": "string",
+          "x-go-name": "URL"
+        }
+      },
+      "x-go-package": "code.gitea.io/gitea/vendor/code.gitea.io/sdk/gitea"
+    },
     "GitObject": {
       "type": "object",
       "title": "GitObject represents a Git object.",
@@ -7059,6 +7131,32 @@
       },
       "x-go-package": "code.gitea.io/gitea/vendor/code.gitea.io/sdk/gitea"
     },
+    "GitTreeResponse": {
+      "description": "GitTreeResponse returns a git tree",
+      "type": "object",
+      "properties": {
+        "sha": {
+          "type": "string",
+          "x-go-name": "SHA"
+        },
+        "tree": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/GitEntry"
+          },
+          "x-go-name": "Entries"
+        },
+        "truncated": {
+          "type": "boolean",
+          "x-go-name": "Truncated"
+        },
+        "url": {
+          "type": "string",
+          "x-go-name": "URL"
+        }
+      },
+      "x-go-package": "code.gitea.io/gitea/vendor/code.gitea.io/sdk/gitea"
+    },
     "Issue": {
       "description": "Issue represents an issue in a repository",
       "type": "object",
@@ -8200,6 +8298,12 @@
         }
       }
     },
+    "GitTreeResponse": {
+      "description": "GitTreeResponse",
+      "schema": {
+        "$ref": "#/definitions/GitTreeResponse"
+      }
+    },
     "Hook": {
       "description": "Hook",
       "schema": {

templates/user/dashboard/dashboard.tmpl

@@ -44,12 +44,14 @@
 						<div v-show="tab === 'repos'" class="ui tab active list dashboard-repos">
 							<h4 class="ui top attached header">
 								{{.i18n.Tr "home.my_repos"}} <span class="ui grey label">${reposTotalCount}</span>
+								{{if or (not .ContextUser.IsOrganization) .IsOrganizationOwner}}
 								<div class="ui right">
-									<a class="poping up" :href="suburl + '/repo/create'" data-content="{{.i18n.Tr "new_repo"}}" data-variation="tiny inverted" data-position="left center">
+									<a class="poping up" :href="suburl + '/repo/create{{if .ContextUser.IsOrganization}}?org={{.ContextUser.ID}}{{end}}'" data-content="{{.i18n.Tr "new_repo"}}" data-variation="tiny inverted" data-position="left center">
 										<i class="plus icon"></i>
 										<span class="sr-only">{{.i18n.Tr "new_repo"}}</span>
 									</a>
 								</div>
+								{{end}}
 							</h4>
 							<div class="ui attached secondary segment repos-search">
 								<div class="ui fluid icon input" :class="{loading: isLoading}">

templates/user/dashboard/navbar.tmpl

@@ -11,7 +11,7 @@
 					<div class="ui header">
 						{{.i18n.Tr "home.switch_dashboard_context"}}
 					</div>
-					<div class="items">
+					<div class="scrolling menu items">
 						<a class="{{if eq .ContextUser.ID .SignedUser.ID}}active selected{{end}} item" href="{{AppSubUrl}}/{{if .PageIsIssues}}issues{{else if .PageIsPulls}}pulls{{end}}">
 							<img class="ui avatar image" src="{{.SignedUser.RelAvatarLink}}">
 							{{.SignedUser.Name}}

vendor/code.gitea.io/git/cache.go

@@ -0,0 +1,11 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package git
+
+// LastCommitCache cache
+type LastCommitCache interface {
+	Get(repoPath, ref, entryPath string) (*Commit, error)
+	Put(repoPath, ref, entryPath string, commit *Commit) error
+}

vendor/code.gitea.io/git/commit.go

@@ -1,4 +1,5 @@
 // Copyright 2015 The Gogs Authors. All rights reserved.
+// Copyright 2018 The Gitea Authors. All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 
@@ -9,6 +10,7 @@ import (
 	"bytes"
 	"container/list"
 	"fmt"
+	"io"
 	"net/http"
 	"strconv"
 	"strings"
@@ -16,6 +18,7 @@ import (
 
 // Commit represents a git commit.
 type Commit struct {
+	Branch string // Branch this commit belongs to
 	Tree
 	ID            SHA1 // The ID of this commit object
 	Author        *Signature
@@ -279,6 +282,56 @@ func (c *Commit) GetSubModule(entryname string) (*SubModule, error) {
 	return nil, nil
 }
 
+// CommitFileStatus represents status of files in a commit.
+type CommitFileStatus struct {
+	Added    []string
+	Removed  []string
+	Modified []string
+}
+
+// NewCommitFileStatus creates a CommitFileStatus
+func NewCommitFileStatus() *CommitFileStatus {
+	return &CommitFileStatus{
+		[]string{}, []string{}, []string{},
+	}
+}
+
+// GetCommitFileStatus returns file status of commit in given repository.
+func GetCommitFileStatus(repoPath, commitID string) (*CommitFileStatus, error) {
+	stdout, w := io.Pipe()
+	done := make(chan struct{})
+	fileStatus := NewCommitFileStatus()
+	go func() {
+		scanner := bufio.NewScanner(stdout)
+		for scanner.Scan() {
+			fields := strings.Fields(scanner.Text())
+			if len(fields) < 2 {
+				continue
+			}
+
+			switch fields[0][0] {
+			case 'A':
+				fileStatus.Added = append(fileStatus.Added, fields[1])
+			case 'D':
+				fileStatus.Removed = append(fileStatus.Removed, fields[1])
+			case 'M':
+				fileStatus.Modified = append(fileStatus.Modified, fields[1])
+			}
+		}
+		done <- struct{}{}
+	}()
+
+	stderr := new(bytes.Buffer)
+	err := NewCommand("show", "--name-status", "--pretty=format:''", commitID).RunInDirPipeline(repoPath, w, stderr)
+	w.Close() // Close writer to exit parsing goroutine
+	if err != nil {
+		return nil, concatenateError(err, stderr.String())
+	}
+
+	<-done
+	return fileStatus, nil
+}
+
 // GetFullCommitID returns full length (40) of commit ID by given short SHA in a repository.
 func GetFullCommitID(repoPath, shortID string) (string, error) {
 	if len(shortID) >= 40 {

vendor/code.gitea.io/git/commit_info.go

@@ -72,13 +72,20 @@ func (state *getCommitsInfoState) getTargetedEntryPath() string {
 }
 
 // repeatedly perform targeted searches for unpopulated entries
-func targetedSearch(state *getCommitsInfoState, done chan error) {
+func targetedSearch(state *getCommitsInfoState, done chan error, cache LastCommitCache) {
 	for {
 		entryPath := state.getTargetedEntryPath()
 		if len(entryPath) == 0 {
 			done <- nil
 			return
 		}
+		if cache != nil {
+			commit, err := cache.Get(state.headCommit.repo.Path, state.headCommit.ID.String(), entryPath)
+			if err == nil && commit != nil {
+				state.update(entryPath, commit)
+				continue
+			}
+		}
 		command := NewCommand("rev-list", "-1", state.headCommit.ID.String(), "--", entryPath)
 		output, err := command.RunInDir(state.headCommit.repo.Path)
 		if err != nil {
@@ -96,6 +103,9 @@ func targetedSearch(state *getCommitsInfoState, done chan error) {
 			return
 		}
 		state.update(entryPath, commit)
+		if cache != nil {
+			cache.Put(state.headCommit.repo.Path, state.headCommit.ID.String(), entryPath, commit)
+		}
 	}
 }
 
@@ -118,9 +128,9 @@ func initGetCommitInfoState(entries Entries, headCommit *Commit, treePath string
 }
 
 // GetCommitsInfo gets information of all commits that are corresponding to these entries
-func (tes Entries) GetCommitsInfo(commit *Commit, treePath string) ([][]interface{}, error) {
+func (tes Entries) GetCommitsInfo(commit *Commit, treePath string, cache LastCommitCache) ([][]interface{}, error) {
 	state := initGetCommitInfoState(tes, commit, treePath)
-	if err := getCommitsInfo(state); err != nil {
+	if err := getCommitsInfo(state, cache); err != nil {
 		return nil, err
 	}
 	if len(state.commits) < len(state.entryPaths) {
@@ -188,7 +198,7 @@ func (state *getCommitsInfoState) update(entryPath string, commit *Commit) bool
 
 const getCommitsInfoPretty = "--pretty=format:%H %ct %s"
 
-func getCommitsInfo(state *getCommitsInfoState) error {
+func getCommitsInfo(state *getCommitsInfoState, cache LastCommitCache) error {
 	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
 	defer cancel()
 
@@ -215,7 +225,7 @@ func getCommitsInfo(state *getCommitsInfoState) error {
 	numThreads := runtime.NumCPU()
 	done := make(chan error, numThreads)
 	for i := 0; i < numThreads; i++ {
-		go targetedSearch(state, done)
+		go targetedSearch(state, done, cache)
 	}
 
 	scanner := bufio.NewScanner(readCloser)

vendor/code.gitea.io/git/repo_commit.go

@@ -10,7 +10,7 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/mcuadros/go-version"
+	version "github.com/mcuadros/go-version"
 )
 
 // GetRefCommitID returns the last commit ID string of given reference (branch or tag).
@@ -32,7 +32,14 @@ func (repo *Repository) GetBranchCommitID(name string) (string, error) {
 
 // GetTagCommitID returns last commit ID string of given tag.
 func (repo *Repository) GetTagCommitID(name string) (string, error) {
-	return repo.GetRefCommitID(TagPrefix + name)
+	stdout, err := NewCommand("rev-list", "-n", "1", name).RunInDir(repo.Path)
+	if err != nil {
+		if strings.Contains(err.Error(), "unknown revision or path") {
+			return "", ErrNotExist{name, ""}
+		}
+		return "", err
+	}
+	return strings.TrimSpace(stdout), nil
 }
 
 // parseCommitData parses commit information from the (uncompressed) raw
@@ -94,7 +101,11 @@ l:
 				sig, err := newGPGSignatureFromCommitline(data, (nextline+1)+sigindex, true)
 				if err == nil && sig != nil {
 					// remove signature from commit message
-					cm = cm[:sigindex-1]
+					if sigindex == 0 {
+						cm = ""
+					} else {
+						cm = cm[:sigindex-1]
+					}
 					commit.Signature = sig
 				}
 			}
@@ -130,6 +141,14 @@ func (repo *Repository) getCommit(id SHA1) (*Commit, error) {
 	commit.repo = repo
 	commit.ID = id
 
+	data, err = NewCommand("name-rev", id.String()).RunInDirBytes(repo.Path)
+	if err != nil {
+		return nil, err
+	}
+
+	// name-rev commitID ouput will be "COMMIT_ID master" or "COMMIT_ID master~12"
+	commit.Branch = strings.Split(strings.Split(string(data), " ")[1], "~")[0]
+
 	repo.commitCache.Set(id.String(), commit)
 	return commit, nil
 }
@@ -138,10 +157,14 @@ func (repo *Repository) getCommit(id SHA1) (*Commit, error) {
 func (repo *Repository) GetCommit(commitID string) (*Commit, error) {
 	if len(commitID) != 40 {
 		var err error
-		commitID, err = NewCommand("rev-parse", commitID).RunInDir(repo.Path)
+		actualCommitID, err := NewCommand("rev-parse", commitID).RunInDir(repo.Path)
 		if err != nil {
+			if strings.Contains(err.Error(), "unknown revision or path") {
+				return nil, ErrNotExist{commitID, ""}
+			}
 			return nil, err
 		}
+		commitID = actualCommitID
 	}
 	id, err := NewIDFromString(commitID)
 	if err != nil {

vendor/code.gitea.io/git/repo_tag.go

@@ -76,12 +76,12 @@ func (repo *Repository) getTag(id SHA1) (*Tag, error) {
 
 // GetTag returns a Git tag by given name.
 func (repo *Repository) GetTag(name string) (*Tag, error) {
-	stdout, err := NewCommand("show-ref", "--tags", name).RunInDir(repo.Path)
+	idStr, err := repo.GetTagCommitID(name)
 	if err != nil {
 		return nil, err
 	}
 
-	id, err := NewIDFromString(strings.Split(stdout, " ")[0])
+	id, err := NewIDFromString(idStr)
 	if err != nil {
 		return nil, err
 	}
@@ -103,26 +103,18 @@ func (repo *Repository) GetTagInfos() ([]*Tag, error) {
 	}
 
 	tagNames := strings.Split(stdout, "\n")
-	var tags []*Tag
+	var tags = make([]*Tag, 0, len(tagNames))
 	for _, tagName := range tagNames {
 		tagName = strings.TrimSpace(tagName)
 		if len(tagName) == 0 {
 			continue
 		}
-		commitID, err := NewCommand("rev-parse", tagName).RunInDir(repo.Path)
+
+		tag, err := repo.GetTag(tagName)
 		if err != nil {
 			return nil, err
 		}
-		commit, err := repo.GetCommit(commitID)
-		if err != nil {
-			return nil, err
-		}
-		tags = append(tags, &Tag{
-			Name:    tagName,
-			Message: commit.Message(),
-			Object:  commit.ID,
-			Tagger:  commit.Author,
-		})
+		tags = append(tags, tag)
 	}
 	sortTagsByTime(tags)
 	return tags, nil