Changelog for release v1.4.1 (#3891)

* Changelog for release v1.4.1

* Fix typo

CHANGELOG.md

@@ -4,27 +4,32 @@ This changelog goes through all the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.io).
 
-## [1.4.0-rc2](https://github.com/go-gitea/gitea/releases/tag/v1.4.0-rc2) - 2018-03-02
+## [1.4.1](https://github.com/go-gitea/gitea/releases/tag/v1.4.1) - 2018-05-03
+* BREAKING
+  * Add "error" as reserved username (#3882) (#3886)
 * SECURITY
-  * Fix escaping changed title in comments (#3530) (#3534)
-  * Escape search query (#3486) (#3488)
+  * Do not allow inactive users to access repositories using private key (#3887) (#3889)
+  * Fix path cleanup in file editor, when initilizing new repository and LFS oids  (#3871) (#3873)
+  * Remove unnecessary allowed safe HTML (#3778) (#3779)
+  * Correctly check http git access rights for reverse proxy authorized users (#3721) (#3743)
 * BUGFIXES
-  * Fix query protected branch bug (#3563) (#3571)
-  * Fix remove team member issue (#3566) (#3570)
-  * Fix the protected branch panic issue (#3567) (#3569)
-  * If Mirrors repository no content is fetched, updated time should not be changed (#3551) (#3565)
-  * Bug fix for mirrored repository releases sorted (#3522) (#3555)
-  * Add issue closed time column to fix activity closed issues list (#3537) (#3540)
-  * Update markbates/goth library to support OAuth2 with new dropbox API (#3533) (#3539)
-  * Fixes missing avatars in offline mode (#3471) (#3477)
-  * Fix synchronization bug in repo indexer (#3455) (#3461)
-  * Fix rendering of wiki page list if wiki repo contains other files (#3454) (#3463)
+  * Fix to use only needed columns from tables to get repository git paths (#3870) (#3883)
+  * Fix GPG expire time display when time is zero (#3584) (#3884)
+  * Fix to update only issue last update time when adding a comment (#3855) (#3860)
+  * Fix repository star count after deleting user (#3781) (#3783)
+  * Use the active branch for the code tab (#3720) (#3776)
+  * Set default branch name on first push (#3715) (#3723)
+  * Show clipboard button if disable HTTP of git protocol (#3773) (#3774)
 
-## [1.4.0-rc1](https://github.com/go-gitea/gitea/releases/tag/v1.4.0-rc1) - 2018-02-01
+## [1.4.0](https://github.com/go-gitea/gitea/releases/tag/v1.4.0) - 2018-03-25
 * BREAKING
   * Drop deprecated GOGS\_WORK\_DIR use (#2946)
   * Fix API status code for hook creation (#2814)
 * SECURITY
+  * Escape branch name in dropdown menu (#3691) (#3692)
+  * Refactor and simplify to correctly validate redirect to URL (#3674) (#3676)
+  * Fix escaping changed title in comments (#3530) (#3534)
+  * Escape search query (#3486) (#3488)
   * Sanitize logs for mirror sync (#3057)
 * FEATURE
   * Serve .patch and .diff for pull requests (#3305, #3293)
@@ -40,6 +45,17 @@ been added to each release, please refer to the [blog](https://blog.gitea.io).
   * Add dingtalk webhook  (#2777)
   * Responsive view (#2750)
 * BUGFIXES
+  * Fix wiki inter-links with spaces (#3560) (#3632)
+  * Fix query protected branch bug (#3563) (#3571)
+  * Fix remove team member issue (#3566) (#3570)
+  * Fix the protected branch panic issue (#3567) (#3569)
+  * If Mirrors repository no content is fetched, updated time should not be changed (#3551) (#3565)
+  * Bug fix for mirrored repository releases sorted (#3522) (#3555)
+  * Add issue closed time column to fix activity closed issues list (#3537) (#3540)
+  * Update markbates/goth library to support OAuth2 with new dropbox API (#3533) (#3539)
+  * Fixes missing avatars in offline mode (#3471) (#3477)
+  * Fix synchronization bug in repo indexer (#3455) (#3461)
+  * Fix rendering of wiki page list if wiki repo contains other files (#3454) (#3463)
   * Fix webhook X-GitHub-* headers casing for better compatibility (#3429)
   * Add content type and doctype to requests made with go-get (#3426, #3423)
   * Fix SQL type error for webhooks (#3424)

cmd/serv.go

@@ -230,6 +230,12 @@ func runServ(c *cli.Context) error {
 				fail("internal error", "Failed to get user by key ID(%d): %v", keyID, err)
 			}
 
+			if !user.IsActive || user.ProhibitLogin {
+				fail("Your account is not active or has been disabled by Administrator",
+					"User %s is disabled and have no access to repository %s",
+					user.Name, repoPath)
+			}
+
 			mode, err := models.AccessLevel(user.ID, repo)
 			if err != nil {
 				fail("Internal error", "Failed to check access: %v", err)

docs/content/page/index.en-us.md

@@ -2,6 +2,7 @@
 date: "2016-11-08T16:00:00+02:00"
 title: "Documentation"
 slug: "documentation"
+url: "/en-us/"
 weight: 10
 toc: true
 draft: false

docs/content/page/index.fr-fr.md

@@ -2,6 +2,7 @@
 date: "2017-08-23T09:00:00+02:00"
 title: "Documentation"
 slug: "documentation"
+url: "/fr-fr/"
 weight: 10
 toc: true
 draft: false

docs/content/page/index.zh-cn.md

@@ -2,6 +2,7 @@
 date: "2016-11-08T16:00:00+02:00"
 title: "文档"
 slug: "documentation"
+url: "/zh-cn/"
 weight: 10
 toc: true
 draft: false

docs/content/page/index.zh-tw.md

@@ -2,6 +2,7 @@
 date: "2016-11-08T16:00:00+02:00"
 title: "文件"
 slug: "documentation"
+url: "/zh-tw/"
 weight: 10
 toc: true
 draft: false

docs/scripts/trans-copy

@@ -28,6 +28,8 @@ for SOURCE in $(find ${ROOT}/content -type f -iname *.en-us.md); do
     if [[ ! -f ${DEST} ]]; then
       echo "Creating fallback for ${DEST#${ROOT}/content/}"
       cp ${SOURCE} ${DEST}
+      sed -i.bak "s/en\-us/${LOCALE}/g" ${DEST}
+      rm ${DEST}.bak
     fi
   done
 done

models/action.go

@@ -523,6 +523,11 @@ func CommitRepoAction(opts CommitRepoActionOptions) error {
 		return fmt.Errorf("GetRepositoryByName [owner_id: %d, name: %s]: %v", opts.RepoOwnerID, opts.RepoName, err)
 	}
 
+	refName := git.RefEndName(opts.RefFullName)
+	if repo.IsBare && refName != repo.DefaultBranch {
+		repo.DefaultBranch = refName
+	}
+
 	// Change repository bare status and update last updated time.
 	repo.IsBare = repo.IsBare && opts.Commits.Len <= 0
 	if err = UpdateRepository(repo, false); err != nil {
@@ -563,7 +568,6 @@ func CommitRepoAction(opts CommitRepoActionOptions) error {
 		return fmt.Errorf("Marshal: %v", err)
 	}
 
-	refName := git.RefEndName(opts.RefFullName)
 	if err = NotifyWatchers(&Action{
 		ActUserID: pusher.ID,
 		ActUser:   pusher,

models/git_diff_test.go

@@ -21,16 +21,16 @@ func assertLineEqual(t *testing.T, d1 *DiffLine, d2 *DiffLine) {
 
 func TestDiffToHTML(t *testing.T) {
 	assertEqual(t, "+foo <span class=\"added-code\">bar</span> biz", diffToHTML([]dmp.Diff{
-		{dmp.DiffEqual, "foo "},
-		{dmp.DiffInsert, "bar"},
-		{dmp.DiffDelete, " baz"},
-		{dmp.DiffEqual, " biz"},
+		{Type: dmp.DiffEqual, Text: "foo "},
+		{Type: dmp.DiffInsert, Text: "bar"},
+		{Type: dmp.DiffDelete, Text: " baz"},
+		{Type: dmp.DiffEqual, Text: " biz"},
 	}, DiffLineAdd))
 
 	assertEqual(t, "-foo <span class=\"removed-code\">bar</span> biz", diffToHTML([]dmp.Diff{
-		{dmp.DiffEqual, "foo "},
-		{dmp.DiffDelete, "bar"},
-		{dmp.DiffInsert, " baz"},
-		{dmp.DiffEqual, " biz"},
+		{Type: dmp.DiffEqual, Text: "foo "},
+		{Type: dmp.DiffDelete, Text: "bar"},
+		{Type: dmp.DiffInsert, Text: " baz"},
+		{Type: dmp.DiffEqual, Text: " biz"},
 	}, DiffLineDel))
 }

models/issue_comment.go

@@ -418,7 +418,7 @@ func createComment(e *xorm.Session, opts *CreateCommentOptions) (_ *Comment, err
 	}
 
 	// update the issue's updated_unix column
-	if err = updateIssueCols(e, opts.Issue); err != nil {
+	if err = updateIssueCols(e, opts.Issue, "updated_unix"); err != nil {
 		return nil, err
 	}
 

models/migrations/migrations.go

@@ -217,6 +217,66 @@ Please try to upgrade to a lower version (>= v0.6.0) first, then upgrade to curr
 	return nil
 }
 
+func dropTableColumns(x *xorm.Engine, tableName string, columnNames ...string) (err error) {
+	if tableName == "" || len(columnNames) == 0 {
+		return nil
+	}
+
+	switch {
+	case setting.UseSQLite3:
+		log.Warn("Unable to drop columns in SQLite")
+	case setting.UseMySQL, setting.UseTiDB, setting.UsePostgreSQL:
+		cols := ""
+		for _, col := range columnNames {
+			if cols != "" {
+				cols += ", "
+			}
+			cols += "DROP COLUMN `" + col + "`"
+		}
+		if _, err := x.Exec(fmt.Sprintf("ALTER TABLE `%s` %s", tableName, cols)); err != nil {
+			return fmt.Errorf("Drop table `%s` columns %v: %v", tableName, columnNames, err)
+		}
+	case setting.UseMSSQL:
+		sess := x.NewSession()
+		defer sess.Close()
+
+		if err = sess.Begin(); err != nil {
+			return err
+		}
+
+		cols := ""
+		for _, col := range columnNames {
+			if cols != "" {
+				cols += ", "
+			}
+			cols += "`" + strings.ToLower(col) + "`"
+		}
+		sql := fmt.Sprintf("SELECT Name FROM SYS.DEFAULT_CONSTRAINTS WHERE PARENT_OBJECT_ID = OBJECT_ID('%[1]s') AND PARENT_COLUMN_ID IN (SELECT column_id FROM sys.columns WHERE lower(NAME) IN (%[2]s) AND object_id = OBJECT_ID('%[1]s'))",
+			tableName, strings.Replace(cols, "`", "'", -1))
+		constraints := make([]string, 0)
+		if err := sess.SQL(sql).Find(&constraints); err != nil {
+			sess.Rollback()
+			return fmt.Errorf("Find constraints: %v", err)
+		}
+		for _, constraint := range constraints {
+			if _, err := sess.Exec(fmt.Sprintf("ALTER TABLE `%s` DROP CONSTRAINT `%s`", tableName, constraint)); err != nil {
+				sess.Rollback()
+				return fmt.Errorf("Drop table `%s` constraint `%s`: %v", tableName, constraint, err)
+			}
+		}
+		if _, err := sess.Exec(fmt.Sprintf("ALTER TABLE `%s` DROP COLUMN %s", tableName, cols)); err != nil {
+			sess.Rollback()
+			return fmt.Errorf("Drop table `%s` columns %v: %v", tableName, columnNames, err)
+		}
+
+		return sess.Commit()
+	default:
+		log.Fatal(4, "Unrecognized DB")
+	}
+
+	return nil
+}
+
 func fixLocaleFileLoadPanic(_ *xorm.Engine) error {
 	cfg, err := ini.Load(setting.CustomConf)
 	if err != nil {

models/migrations/v56.go

@@ -5,29 +5,9 @@
 package migrations
 
 import (
-	"fmt"
-
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/setting"
-
 	"github.com/go-xorm/xorm"
 )
 
 func removeIsOwnerColumnFromOrgUser(x *xorm.Engine) (err error) {
-	switch {
-	case setting.UseSQLite3:
-		log.Warn("Unable to drop columns in SQLite")
-	case setting.UseMySQL, setting.UseTiDB, setting.UsePostgreSQL:
-		if _, err := x.Exec("ALTER TABLE org_user DROP COLUMN is_owner, DROP COLUMN num_teams"); err != nil {
-			return fmt.Errorf("DROP COLUMN org_user.is_owner, org_user.num_teams: %v", err)
-		}
-	case setting.UseMSSQL:
-		if _, err := x.Exec("ALTER TABLE org_user DROP COLUMN is_owner, num_teams"); err != nil {
-			return fmt.Errorf("DROP COLUMN org_user.is_owner, org_user.num_teams: %v", err)
-		}
-	default:
-		log.Fatal(4, "Unrecognized DB")
-	}
-
-	return nil
+	return dropTableColumns(x, "org_user", "is_owner", "num_teams")
 }

models/repo.go

@@ -163,6 +163,7 @@ func NewRepoContext() {
 type Repository struct {
 	ID            int64  `xorm:"pk autoincr"`
 	OwnerID       int64  `xorm:"UNIQUE(s)"`
+	OwnerName     string `xorm:"-"`
 	Owner         *User  `xorm:"-"`
 	LowerName     string `xorm:"UNIQUE(s) INDEX NOT NULL"`
 	Name          string `xorm:"INDEX NOT NULL"`
@@ -223,9 +224,17 @@ func (repo *Repository) MustOwner() *User {
 	return repo.mustOwner(x)
 }
 
+// MustOwnerName always returns valid owner name to avoid
+// conceptually impossible error handling.
+// It returns "error" and logs error details when error
+// occurs.
+func (repo *Repository) MustOwnerName() string {
+	return repo.mustOwnerName(x)
+}
+
 // FullName returns the repository full name
 func (repo *Repository) FullName() string {
-	return repo.MustOwner().Name + "/" + repo.Name
+	return repo.MustOwnerName() + "/" + repo.Name
 }
 
 // HTMLURL returns the repository HTML URL
@@ -477,6 +486,41 @@ func (repo *Repository) mustOwner(e Engine) *User {
 	return repo.Owner
 }
 
+func (repo *Repository) getOwnerName(e Engine) error {
+	if len(repo.OwnerName) > 0 {
+		return nil
+	}
+
+	if repo.Owner != nil {
+		repo.OwnerName = repo.Owner.Name
+		return nil
+	}
+
+	u := new(User)
+	has, err := e.ID(repo.OwnerID).Cols("name").Get(u)
+	if err != nil {
+		return err
+	} else if !has {
+		return ErrUserNotExist{repo.OwnerID, "", 0}
+	}
+	repo.OwnerName = u.Name
+	return nil
+}
+
+// GetOwnerName returns the repository owner name
+func (repo *Repository) GetOwnerName() error {
+	return repo.getOwnerName(x)
+}
+
+func (repo *Repository) mustOwnerName(e Engine) string {
+	if err := repo.getOwnerName(e); err != nil {
+		log.Error(4, "Error loading repository owner name: %v", err)
+		return "error"
+	}
+
+	return repo.OwnerName
+}
+
 // ComposeMetas composes a map of metas for rendering external issue tracker URL.
 func (repo *Repository) ComposeMetas() map[string]string {
 	unit, err := repo.GetUnit(UnitTypeExternalTracker)
@@ -588,7 +632,7 @@ func (repo *Repository) GetBaseRepo() (err error) {
 }
 
 func (repo *Repository) repoPath(e Engine) string {
-	return RepoPath(repo.mustOwner(e).Name, repo.Name)
+	return RepoPath(repo.mustOwnerName(e), repo.Name)
 }
 
 // RepoPath returns the repository path
@@ -1131,7 +1175,7 @@ type CreateRepoOptions struct {
 }
 
 func getRepoInitFile(tp, name string) ([]byte, error) {
-	cleanedName := strings.TrimLeft(name, "./")
+	cleanedName := strings.TrimLeft(path.Clean("/"+name), "/")
 	relPath := path.Join("options", tp, cleanedName)
 
 	// Use custom file when available.
@@ -2133,7 +2177,7 @@ func ReinitMissingRepositories() error {
 // SyncRepositoryHooks rewrites all repositories' pre-receive, update and post-receive hooks
 // to make sure the binary and custom conf path are up-to-date.
 func SyncRepositoryHooks() error {
-	return x.Where("id > 0").Iterate(new(Repository),
+	return x.Cols("owner_id", "name").Where("id > 0").Iterate(new(Repository),
 		func(idx int, bean interface{}) error {
 			if err := createDelegateHooks(bean.(*Repository).RepoPath()); err != nil {
 				return fmt.Errorf("SyncRepositoryHook: %v", err)

models/user.go

@@ -651,7 +651,7 @@ func NewGhostUser() *User {
 }
 
 var (
-	reservedUsernames    = []string{"assets", "css", "explore", "img", "js", "less", "plugins", "debug", "raw", "install", "api", "avatars", "user", "org", "help", "stars", "issues", "pulls", "commits", "repo", "template", "admin", "new", ".", ".."}
+	reservedUsernames    = []string{"assets", "css", "explore", "img", "js", "less", "plugins", "debug", "raw", "install", "api", "avatars", "user", "org", "help", "stars", "issues", "pulls", "commits", "repo", "template", "admin", "error", "new", ".", ".."}
 	reservedUserPatterns = []string{"*.keys"}
 )
 
@@ -934,7 +934,7 @@ func deleteUser(e *xorm.Session, u *User) error {
 	if err = e.Table("star").Cols("star.repo_id").
 		Where("star.uid = ?", u.ID).Find(&starredRepoIDs); err != nil {
 		return fmt.Errorf("get all stars: %v", err)
-	} else if _, err = e.Decr("num_watches").In("id", starredRepoIDs).Update(new(Repository)); err != nil {
+	} else if _, err = e.Decr("num_stars").In("id", starredRepoIDs).Update(new(Repository)); err != nil {
 		return fmt.Errorf("decrease repository num_stars: %v", err)
 	}
 	// ***** END: Star *****

models/wiki.go

@@ -67,7 +67,7 @@ func WikiPath(userName, repoName string) string {
 
 // WikiPath returns wiki data path for given repository.
 func (repo *Repository) WikiPath() string {
-	return WikiPath(repo.MustOwner().Name, repo.Name)
+	return WikiPath(repo.MustOwnerName(), repo.Name)
 }
 
 // HasWiki returns true if repository has wiki.

modules/context/context.go

@@ -9,6 +9,7 @@ import (
 	"html/template"
 	"io"
 	"net/http"
+	"net/url"
 	"path"
 	"strings"
 	"time"
@@ -75,6 +76,26 @@ func (ctx *Context) HasValue(name string) bool {
 	return ok
 }
 
+// RedirectToFirst redirects to first not empty URL
+func (ctx *Context) RedirectToFirst(location ...string) {
+	for _, loc := range location {
+		if len(loc) == 0 {
+			continue
+		}
+
+		u, err := url.Parse(loc)
+		if err != nil || (u.Scheme != "" && !strings.HasPrefix(strings.ToLower(loc), strings.ToLower(setting.AppURL))) {
+			continue
+		}
+
+		ctx.Redirect(loc)
+		return
+	}
+
+	ctx.Redirect(setting.AppSubURL + "/")
+	return
+}
+
 // HTML calls Context.HTML and converts template name to string.
 func (ctx *Context) HTML(status int, name base.TplName) {
 	log.Debug("Template: %s", name)

modules/lfs/server.go

@@ -83,6 +83,8 @@ type link struct {
 	ExpiresAt time.Time         `json:"expires_at,omitempty"`
 }
 
+var oidRegExp = regexp.MustCompile(`^[A-Fa-f0-9]+$`)
+
 // ObjectOidHandler is the main request routing entry point into LFS server functions
 func ObjectOidHandler(ctx *context.Context) {
 
@@ -217,6 +219,12 @@ func PostHandler(ctx *context.Context) {
 
 	if !authenticate(ctx, repository, rv.Authorization, true) {
 		requireAuth(ctx)
+		return
+	}
+
+	if !oidRegExp.MatchString(rv.Oid) {
+		writeStatus(ctx, 404)
+		return
 	}
 
 	meta, err := models.NewLFSMetaObject(&models.LFSMetaObject{Oid: rv.Oid, Size: rv.Size, RepositoryID: repository.ID})
@@ -284,10 +292,12 @@ func BatchHandler(ctx *context.Context) {
 			continue
 		}
 
-		// Object is not found
-		meta, err = models.NewLFSMetaObject(&models.LFSMetaObject{Oid: object.Oid, Size: object.Size, RepositoryID: repository.ID})
-		if err == nil {
-			responseObjects = append(responseObjects, Represent(object, meta, meta.Existing, !contentStore.Exists(meta)))
+		if oidRegExp.MatchString(object.Oid) {
+			// Object is not found
+			meta, err = models.NewLFSMetaObject(&models.LFSMetaObject{Oid: object.Oid, Size: object.Size, RepositoryID: repository.ID})
+			if err == nil {
+				responseObjects = append(responseObjects, Represent(object, meta, meta.Existing, !contentStore.Exists(meta)))
+			}
 		}
 	}
 

modules/markup/html.go

@@ -391,7 +391,11 @@ func RenderShortLinks(rawBytes []byte, urlPrefix string, noLink bool, isWikiMark
 		}
 		absoluteLink := isLink([]byte(link))
 		if !absoluteLink {
-			link = strings.Replace(link, " ", "+", -1)
+			if image {
+				link = strings.Replace(link, " ", "+", -1)
+			} else {
+				link = strings.Replace(link, " ", "-", -1)
+			}
 		}
 		if image {
 			if !absoluteLink {

modules/util/time_stamp.go

@@ -59,3 +59,8 @@ func (ts TimeStamp) FormatLong() string {
 func (ts TimeStamp) FormatShort() string {
 	return ts.Format("Jan 02, 2006")
 }
+
+// IsZero is zero time
+func (ts TimeStamp) IsZero() bool {
+	return ts.AsTime().IsZero()
+}

routers/repo/editor.go

@@ -163,7 +163,7 @@ func editFilePost(ctx *context.Context, form auth.EditRepoFileForm, isNewFile bo
 		branchName = form.NewBranchName
 	}
 
-	form.TreePath = strings.Trim(form.TreePath, " /")
+	form.TreePath = strings.Trim(path.Clean("/"+form.TreePath), " /")
 	treeNames, treePaths := getParentTreeFields(form.TreePath)
 
 	ctx.Data["TreePath"] = form.TreePath
@@ -477,7 +477,7 @@ func UploadFilePost(ctx *context.Context, form auth.UploadRepoFileForm) {
 		branchName = form.NewBranchName
 	}
 
-	form.TreePath = strings.Trim(form.TreePath, " /")
+	form.TreePath = strings.Trim(path.Clean("/"+form.TreePath), " /")
 	treeNames, treePaths := getParentTreeFields(form.TreePath)
 	if len(treeNames) == 0 {
 		// We must at least have one element for user to input.

routers/repo/http.go

@@ -184,33 +184,33 @@ func HTTP(ctx *context.Context) {
 					return
 				}
 			}
+		}
 
-			if !isPublicPull {
-				has, err := models.HasAccess(authUser.ID, repo, accessMode)
-				if err != nil {
-					ctx.ServerError("HasAccess", err)
-					return
-				} else if !has {
-					if accessMode == models.AccessModeRead {
-						has, err = models.HasAccess(authUser.ID, repo, models.AccessModeWrite)
-						if err != nil {
-							ctx.ServerError("HasAccess2", err)
-							return
-						} else if !has {
-							ctx.HandleText(http.StatusForbidden, "User permission denied")
-							return
-						}
-					} else {
+		if !isPublicPull {
+			has, err := models.HasAccess(authUser.ID, repo, accessMode)
+			if err != nil {
+				ctx.ServerError("HasAccess", err)
+				return
+			} else if !has {
+				if accessMode == models.AccessModeRead {
+					has, err = models.HasAccess(authUser.ID, repo, models.AccessModeWrite)
+					if err != nil {
+						ctx.ServerError("HasAccess2", err)
+						return
+					} else if !has {
 						ctx.HandleText(http.StatusForbidden, "User permission denied")
 						return
 					}
-				}
-
-				if !isPull && repo.IsMirror {
-					ctx.HandleText(http.StatusForbidden, "mirror repository is read-only")
+				} else {
+					ctx.HandleText(http.StatusForbidden, "User permission denied")
 					return
 				}
 			}
+
+			if !isPull && repo.IsMirror {
+				ctx.HandleText(http.StatusForbidden, "mirror repository is read-only")
+				return
+			}
 		}
 
 		if !repo.CheckUnitUser(authUser.ID, authUser.IsAdmin, unitType) {

routers/repo/issue_label_test.go

@@ -32,7 +32,7 @@ func TestInitializeLabels(t *testing.T) {
 	ctx := test.MockContext(t, "user2/repo1/labels/initialize")
 	test.LoadUser(t, ctx, 2)
 	test.LoadRepo(t, ctx, 2)
-	InitializeLabels(ctx, auth.InitializeLabelsForm{"Default"})
+	InitializeLabels(ctx, auth.InitializeLabelsForm{TemplateName: "Default"})
 	assert.EqualValues(t, http.StatusFound, ctx.Resp.Status())
 	models.AssertExistsAndLoadBean(t, &models.Label{
 		RepoID: 2,

routers/repo/repo.go

@@ -307,11 +307,7 @@ func Action(ctx *context.Context) {
 		return
 	}
 
-	redirectTo := ctx.Query("redirect_to")
-	if len(redirectTo) == 0 {
-		redirectTo = ctx.Repo.RepoLink
-	}
-	ctx.Redirect(redirectTo)
+	ctx.RedirectToFirst(ctx.Query("redirect_to"), ctx.Repo.RepoLink)
 }
 
 // Download download an archive of a repository

routers/user/auth.go

@@ -93,12 +93,8 @@ func checkAutoLogin(ctx *context.Context) bool {
 	}
 
 	if isSucceed {
-		if len(redirectTo) > 0 {
-			ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
-			ctx.Redirect(redirectTo)
-		} else {
-			ctx.Redirect(setting.AppSubURL + string(setting.LandingPageURL))
-		}
+		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
+		ctx.RedirectToFirst(redirectTo, setting.AppSubURL+string(setting.LandingPageURL))
 		return true
 	}
 
@@ -350,7 +346,7 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
 	if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 {
 		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
 		if obeyRedirect {
-			ctx.Redirect(redirectTo)
+			ctx.RedirectToFirst(redirectTo)
 		}
 		return
 	}
@@ -439,7 +435,7 @@ func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context
 
 			if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 {
 				ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
-				ctx.Redirect(redirectTo)
+				ctx.RedirectToFirst(redirectTo)
 				return
 			}
 

routers/user/auth_openid.go

@@ -49,12 +49,8 @@ func SignInOpenID(ctx *context.Context) {
 	}
 
 	if isSucceed {
-		if len(redirectTo) > 0 {
-			ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
-			ctx.Redirect(redirectTo)
-		} else {
-			ctx.Redirect(setting.AppSubURL + "/")
-		}
+		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
+		ctx.RedirectToFirst(redirectTo)
 		return
 	}
 

routers/user/profile.go

@@ -271,9 +271,5 @@ func Action(ctx *context.Context) {
 		return
 	}
 
-	redirectTo := ctx.Query("redirect_to")
-	if len(redirectTo) == 0 {
-		redirectTo = u.HomeLink()
-	}
-	ctx.Redirect(redirectTo)
+	ctx.RedirectToFirst(ctx.Query("redirect_to"), u.HomeLink())
 }

templates/repo/branch/list.tmpl

@@ -69,12 +69,12 @@
 <div class="ui small basic delete modal">
 	<div class="ui icon header">
 		<i class="trash icon"></i>
-		{{.i18n.Tr "repo.branch.delete_html"| Safe}} <span class="branch-name"></span>
+		{{.i18n.Tr "repo.branch.delete_html"}} <span class="branch-name"></span>
 	</div>
 	<div class="content">
-		<p>{{.i18n.Tr "repo.branch.delete_desc" | Safe}}</p>
+		<p>{{.i18n.Tr "repo.branch.delete_desc"}}</p>
 		{{.i18n.Tr "repo.branch.delete_notices_1" | Safe}}<br>
-		{{.i18n.Tr "repo.branch.delete_notices_html" | Safe}} <span class="branch-name"></span><br>
+		{{.i18n.Tr "repo.branch.delete_notices_html"}} <span class="branch-name"></span><br>
 	</div>
 	{{template "base/delete_modal_actions" .}}
 </div>

templates/repo/branch_dropdown.tmpl

@@ -47,9 +47,9 @@
 						</div>
 						<div class="text small">
 							{{if .IsViewBranch}}
-								{{.i18n.Tr "repo.branch.create_from" .BranchName | Safe}}
+								{{.i18n.Tr "repo.branch.create_from" .BranchName}}
 							{{else}}
-								{{.i18n.Tr "repo.branch.create_from" (ShortSha .BranchName) | Safe}}
+								{{.i18n.Tr "repo.branch.create_from" (ShortSha .BranchName)}}
 							{{end}}
 						</div>
 					</a>

templates/repo/create.tmpl

@@ -36,7 +36,7 @@
 					<div class="inline required field {{if .Err_RepoName}}error{{end}}">
 						<label for="repo_name">{{.i18n.Tr "repo.repo_name"}}</label>
 						<input id="repo_name" name="repo_name" value="{{.repo_name}}" autofocus required>
-						<span class="help">{{.i18n.Tr "repo.repo_name_helper" | Safe}}</span>
+						<span class="help">{{.i18n.Tr "repo.repo_name_helper"}}</span>
 					</div>
 					<div class="inline field">
 						<label>{{.i18n.Tr "repo.visibility"}}</label>

templates/repo/editor/commit_form.tmpl

@@ -14,8 +14,7 @@
 					<input type="radio" class="js-quick-pull-choice-option" name="commit_choice" value="direct" {{if eq .commit_choice "direct"}}checked{{end}}>
 					<label>
 						<i class="octicon octicon-git-commit" height="16" width="14"></i>
-						{{$branchName := .BranchName | Str2html}}
-						{{.i18n.Tr "repo.editor.commit_directly_to_this_branch" $branchName | Safe}}
+						{{.i18n.Tr "repo.editor.commit_directly_to_this_branch" (.BranchName|Escape) | Safe}}
 					</label>
 				</div>
 			</div>

templates/repo/header.tmpl

@@ -48,7 +48,7 @@
 	<div class="ui tabs container">
 		<div class="ui tabular stackable menu navbar">
 			{{if .Repository.UnitEnabled $.UnitTypeCode}}
-			<a class="{{if .PageIsViewCode}}active{{end}} item" href="{{.RepoLink}}">
+			<a class="{{if .PageIsViewCode}}active{{end}} item" href="{{.RepoLink}}{{if (ne .BranchName .Repository.DefaultBranch)}}/src/branch/{{.BranchName}}{{end}}">
 				<i class="octicon octicon-code"></i> {{.i18n.Tr "repo.code"}}
 			</a>
 			{{end}}

templates/repo/home.tmpl

@@ -73,7 +73,7 @@
 						{{else if and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)}}
 							<input id="repo-clone-url" value="{{$.CloneLink.SSH}}" readonly>
 						{{end}}
-						{{if or ((not $.DisableHTTP) (and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)))}}
+						{{if or (not $.DisableHTTP) (and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH))}}
 							<button class="ui basic icon button poping up clipboard" id="clipboard-btn" data-original="{{.i18n.Tr "repo.copy_link"}}" data-success="{{.i18n.Tr "repo.copy_link_success"}}" data-error="{{.i18n.Tr "repo.copy_link_error"}}" data-content="{{.i18n.Tr "repo.copy_link"}}" data-variation="inverted tiny" data-clipboard-target="#repo-clone-url">
 								<i class="octicon octicon-clippy"></i>
 							</button>

templates/repo/issue/view_content.tmpl

@@ -134,12 +134,12 @@
 <div class="ui small basic delete modal">
 	<div class="ui icon header">
 		<i class="trash icon"></i>
-		{{.i18n.Tr "repo.branch.delete" .HeadTarget | Safe}}
+		{{.i18n.Tr "repo.branch.delete" .HeadTarget }}
 	</div>
 	<div class="content">
-		<p>{{.i18n.Tr "repo.branch.delete_desc" | Safe}}</p>
+		<p>{{.i18n.Tr "repo.branch.delete_desc"}}</p>
 		{{.i18n.Tr "repo.branch.delete_notices_1" | Safe}}<br>
-		{{.i18n.Tr "repo.branch.delete_notices_2" .HeadTarget | Safe}}<br>
+		{{.i18n.Tr "repo.branch.delete_notices_2" .HeadTarget}}<br>
 	</div>
 	{{template "base/delete_modal_actions" .}}
 </div>

templates/repo/issue/view_content/comments.tmpl

@@ -145,7 +145,7 @@
 				<img src="{{.Poster.RelAvatarLink}}">
 			</a>
 			<span class="text grey"><a href="{{.Poster.HomeLink}}">{{.Poster.Name}}</a>
-			{{$.i18n.Tr "repo.issues.delete_branch_at" .CommitSHA $createdStr | Safe}}
+			{{$.i18n.Tr "repo.issues.delete_branch_at" (.CommitSHA|Escape) $createdStr | Safe}}
 			</span>
 		</div>
     {{else if eq .Type 12}}

templates/repo/settings/options.tmpl

@@ -302,7 +302,7 @@
 		</div>
 		<div class="content">
 			<div class="ui warning message text left">
-				{{.i18n.Tr "repo.settings.convert_notices_1" | Safe}}
+				{{.i18n.Tr "repo.settings.convert_notices_1"}}
 			</div>
 			<form class="ui form" action="{{.Link}}" method="post">
 				{{.CsrfTokenHtml}}
@@ -333,8 +333,8 @@
 		</div>
 		<div class="content">
 			<div class="ui warning message text left">
-				{{.i18n.Tr "repo.settings.transfer_notices_1" | Safe}} <br>
-				{{.i18n.Tr "repo.settings.transfer_notices_2" | Safe}}
+				{{.i18n.Tr "repo.settings.transfer_notices_1"}} <br>
+				{{.i18n.Tr "repo.settings.transfer_notices_2"}}
 			</div>
 			<form class="ui form" action="{{.Link}}" method="post">
 				{{.CsrfTokenHtml}}
@@ -371,7 +371,7 @@
 				{{.i18n.Tr "repo.settings.delete_notices_1" | Safe}}<br>
 				{{.i18n.Tr "repo.settings.delete_notices_2" .Repository.FullName | Safe}}
 				{{if .Repository.NumForks}}<br>
-				{{.i18n.Tr "repo.settings.delete_notices_fork_1" | Safe}}
+				{{.i18n.Tr "repo.settings.delete_notices_fork_1"}}
 				{{end}}
 			</div>
 			<form class="ui form" action="{{.Link}}" method="post">

templates/user/settings/keys_gpg.tmpl

@@ -26,7 +26,7 @@
 					<div class="activity meta">
 						<i>{{$.i18n.Tr "settings.add_on"}} <span>{{.AddedUnix.FormatShort}}</span></i>
 						-
-						<i>{{if .ExpiredUnix}}{{$.i18n.Tr "settings.valid_until"}} <span>{{.ExpiredUnix.FormatShort}}</span>{{else}}{{$.i18n.Tr "settings.valid_forever"}}{{end}}</i>
+						<i>{{if not .ExpiredUnix.IsZero}}{{$.i18n.Tr "settings.valid_until"}} <span>{{.ExpiredUnix.FormatShort}}</span>{{else}}{{$.i18n.Tr "settings.valid_forever"}}{{end}}</i>
 					</div>
 				</div>
 			</div>

vendor/github.com/markbates/goth/gothic/gothic.go

@@ -132,7 +132,7 @@ func GetAuthURL(res http.ResponseWriter, req *http.Request) (string, error) {
 		return "", err
 	}
 
-	err = storeInSession(providerName, sess.Marshal(), req, res)
+	err = StoreInSession(providerName, sess.Marshal(), req, res)
 
 	if err != nil {
 		return "", err
@@ -166,7 +166,7 @@ var CompleteUserAuth = func(res http.ResponseWriter, req *http.Request) (goth.Us
 		return goth.User{}, err
 	}
 
-	value, err := getFromSession(providerName, req)
+	value, err := GetFromSession(providerName, req)
 	if err != nil {
 		return goth.User{}, err
 	}
@@ -193,7 +193,7 @@ var CompleteUserAuth = func(res http.ResponseWriter, req *http.Request) (goth.Us
 		return goth.User{}, err
 	}
 
-	err = storeInSession(providerName, sess.Marshal(), req, res)
+	err = StoreInSession(providerName, sess.Marshal(), req, res)
 
 	if err != nil {
 		return goth.User{}, err
@@ -284,8 +284,9 @@ func getProviderName(req *http.Request) (string, error) {
 	return "", errors.New("you must select a provider")
 }
 
-func storeInSession(key string, value string, req *http.Request, res http.ResponseWriter) error {
-	session, _ := Store.Get(req, SessionName)
+// StoreInSession stores a specified key/value pair in the session.
+func StoreInSession(key string, value string, req *http.Request, res http.ResponseWriter) error {
+	session, _ := Store.New(req, SessionName)
 
 	if err := updateSessionValue(session, key, value); err != nil {
 		return err
@@ -294,7 +295,9 @@ func storeInSession(key string, value string, req *http.Request, res http.Respon
 	return session.Save(req, res)
 }
 
-func getFromSession(key string, req *http.Request) (string, error) {
+// GetFromSession retrieves a previously-stored value from the session.
+// If no value has previously been stored at the specified key, it will return an error.
+func GetFromSession(key string, req *http.Request) (string, error) {
 	session, _ := Store.Get(req, SessionName)
 	value, err := getSessionValue(session, key)
 	if err != nil {

vendor/github.com/markbates/goth/providers/dropbox/dropbox.go

@@ -2,9 +2,11 @@
 package dropbox
 
 import (
+	"bytes"
 	"encoding/json"
 	"errors"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"strings"
 
@@ -25,6 +27,7 @@ type Provider struct {
 	ClientKey    string
 	Secret       string
 	CallbackURL  string
+	AccountURL   string
 	HTTPClient   *http.Client
 	config       *oauth2.Config
 	providerName string
@@ -44,6 +47,7 @@ func New(clientKey, secret, callbackURL string, scopes ...string) *Provider {
 		ClientKey:    clientKey,
 		Secret:       secret,
 		CallbackURL:  callbackURL,
+		AccountURL:   accountURL,
 		providerName: "dropbox",
 	}
 	p.config = newConfig(p, scopes)
@@ -87,7 +91,7 @@ func (p *Provider) FetchUser(session goth.Session) (goth.User, error) {
 		return user, fmt.Errorf("%s cannot get user information without accessToken", p.providerName)
 	}
 
-	req, err := http.NewRequest("POST", accountURL, nil)
+	req, err := http.NewRequest("POST", p.AccountURL, nil)
 	if err != nil {
 		return user, err
 	}
@@ -102,7 +106,17 @@ func (p *Provider) FetchUser(session goth.Session) (goth.User, error) {
 		return user, fmt.Errorf("%s responded with a %d trying to fetch user information", p.providerName, resp.StatusCode)
 	}
 
-	err = userFromReader(resp.Body, &user)
+	bits, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return user, err
+	}
+
+	err = json.NewDecoder(bytes.NewReader(bits)).Decode(&user.RawData)
+	if err != nil {
+		return user, err
+	}
+
+	err = userFromReader(bytes.NewReader(bits), &user)
 	return user, err
 }
 
@@ -162,22 +176,29 @@ func newConfig(p *Provider, scopes []string) *oauth2.Config {
 
 func userFromReader(r io.Reader, user *goth.User) error {
 	u := struct {
-		Name        string `json:"display_name"`
-		NameDetails struct {
-			NickName string `json:"familiar_name"`
-		} `json:"name_details"`
-		Location string `json:"country"`
-		Email    string `json:"email"`
+		AccountID string `json:"account_id"`
+		Name      struct {
+			GivenName   string `json:"given_name"`
+			Surname     string `json:"surname"`
+			DisplayName string `json:"display_name"`
+		} `json:"name"`
+		Country         string `json:"country"`
+		Email           string `json:"email"`
+		ProfilePhotoURL string `json:"profile_photo_url"`
 	}{}
 	err := json.NewDecoder(r).Decode(&u)
 	if err != nil {
 		return err
 	}
+	user.UserID = u.AccountID // The user's unique Dropbox ID.
+	user.FirstName = u.Name.GivenName
+	user.LastName = u.Name.Surname
+	user.Name = strings.TrimSpace(fmt.Sprintf("%s %s", u.Name.GivenName, u.Name.Surname))
+	user.Description = u.Name.DisplayName // Full name plus parenthetical team naem
 	user.Email = u.Email
-	user.Name = u.Name
-	user.NickName = u.NameDetails.NickName
-	user.UserID = u.Email // Dropbox doesn't provide a separate user ID
-	user.Location = u.Location
+	user.NickName = u.Email // Email is the dropbox username
+	user.Location = u.Country
+	user.AvatarURL = u.ProfilePhotoURL // May be blank
 	return nil
 }
 

vendor/vendor.json

@@ -655,63 +655,73 @@
 		},
 		{
 			"checksumSHA1": "q9MD1ienC+kmKq5i51oAktQEV1E=",
+			"origin": "github.com/go-gitea/goth",
 			"path": "github.com/markbates/goth",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
-			"checksumSHA1": "+nosptSgGb2qCAR6CSHV2avwmNg=",
+			"checksumSHA1": "FISfgOkoMtn98wglLUvfBTZ6baE=",
+			"origin": "github.com/go-gitea/goth/gothic",
 			"path": "github.com/markbates/goth/gothic",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
 			"checksumSHA1": "pJ+Cws/TU22K6tZ/ALFOvvH1K5U=",
+			"origin": "github.com/go-gitea/goth/providers/bitbucket",
 			"path": "github.com/markbates/goth/providers/bitbucket",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
-			"checksumSHA1": "bKokLof0Pkk5nEhW8NdbfcVzuqk=",
+			"checksumSHA1": "XsF5HI4240QHbFXbtWWnGgTsoq8=",
+			"origin": "github.com/go-gitea/goth/providers/dropbox",
 			"path": "github.com/markbates/goth/providers/dropbox",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
 			"checksumSHA1": "VzbroIA9R00Ig3iGnOlZLU7d4ls=",
+			"origin": "github.com/go-gitea/goth/providers/facebook",
 			"path": "github.com/markbates/goth/providers/facebook",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
 			"checksumSHA1": "P6nBZ850aaekpOcoXNdRhK86bH8=",
+			"origin": "github.com/go-gitea/goth/providers/github",
 			"path": "github.com/markbates/goth/providers/github",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
 			"checksumSHA1": "ld488t+yGoTwtmiCSSggEX4fxVk=",
+			"origin": "github.com/go-gitea/goth/providers/gitlab",
 			"path": "github.com/markbates/goth/providers/gitlab",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
 			"checksumSHA1": "qXEulD7vnwY9hFrxh91Pm5YrvTM=",
+			"origin": "github.com/go-gitea/goth/providers/gplus",
 			"path": "github.com/markbates/goth/providers/gplus",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
 			"checksumSHA1": "wsOBzyp4LKDhfCPmX1LLP7T0S3U=",
+			"origin": "github.com/go-gitea/goth/providers/openidConnect",
 			"path": "github.com/markbates/goth/providers/openidConnect",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
 			"checksumSHA1": "o6RqMbbE8QNZhNT9TsAIRMPI8tg=",
+			"origin": "github.com/go-gitea/goth/providers/twitter",
 			"path": "github.com/markbates/goth/providers/twitter",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
 			"checksumSHA1": "61HNjGetaBoMp8HBOpuEZRSim8g=",