1.7.1 changelog (#5918 )

Disable redirect for i18n (#5910 ) (#5916 )
fix compare button on upstream repo leading to 404 (#5877 ) (#5914 )
2025-08-10 20:41:48 +02:00 · 2019-01-31 11:11:25 -05:00 · 2019-01-31 10:07:57 -05:00 · 2019-01-31 09:55:39 -05:00 · 2019-01-31 09:38:01 -05:00 · 2019-01-31 13:36:10 +00:00
1510 changed files with 281868 additions and 61084 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -67,7 +67,7 @@ pipeline:
    image: golang:1.11
    pull: true
    environment:
-      TAGS: bindata sqlite
+      TAGS: bindata sqlite sqlite_unlock_notify
    commands:
      - make clean
      - make generate
@@ -87,7 +87,7 @@ pipeline:
    pull: true
    group: test
    environment:
-      TAGS: bindata sqlite
+      TAGS: bindata sqlite sqlite_unlock_notify
    commands:
      - make unit-test-coverage
    when:
@@ -99,7 +99,7 @@ pipeline:
    pull: true
    group: test
    environment:
-      TAGS: bindata sqlite
+      TAGS: bindata sqlite sqlite_unlock_notify
    commands:
      - make test
    when:
@@ -117,17 +117,19 @@ pipeline:
    when:
      event: [ tag ]

-  # Commented until db locking have been resolved!
-  # test-sqlite:
-  #   image: golang:1.10
-  #   pull: true
-  #   group: test
-  #   environment:
-  #     TAGS: bindata
-  #   commands:
-  #     - make test-sqlite
-  #   when:
-  #     event: [ push, tag, pull_request ]
+  test-sqlite:
+    image: golang:1.11
+    pull: true
+    group: test
+    environment:
+      TAGS: bindata
+    commands:
+      - curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash
+      - apt-get install -y git-lfs
+      - (sleep 1200 && (echo 'kill -ABRT $(pidof gitea) $(pidof integrations.sqlite.test)' | sh)) &
+      - make test-sqlite
+    when:
+      event: [ push, tag, pull_request ]

  test-mysql:
    image: golang:1.11
@@ -154,6 +156,7 @@ pipeline:
    commands:
      - curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash
      - apt-get install -y git-lfs
+      - (sleep 1200 && (echo 'kill -ABRT $(pidof gitea) $(pidof integrations.test)' | sh)) &
      - make test-mysql
    when:
      event: [ tag ]
@@ -168,10 +171,25 @@ pipeline:
    commands:
      - curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash
      - apt-get install -y git-lfs
+      - (sleep 1200 && (echo 'kill -ABRT $(pidof gitea) $(pidof integrations.test)' | sh)) &
      - make test-pgsql
    when:
      event: [ push, tag, pull_request ]

+  test-mssql:
+    image: golang:1.11
+    pull: true
+    group: test
+    environment:
+      TAGS: bindata
+      TEST_LDAP: "1"
+    commands:
+      - curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash
+      - apt-get install -y git-lfs
+      - make test-mssql
+    when:
+      event: [ push, tag, pull_request ]
+
  generate-coverage:
    image: golang:1.11
    pull: true
@@ -196,7 +214,7 @@ pipeline:
    image: karalabe/xgo-latest:latest
    pull: true
    environment:
-      TAGS: bindata sqlite
+      TAGS: bindata sqlite sqlite_unlock_notify
    commands:
      - export PATH=$PATH:$GOPATH/bin
      - make release
@@ -258,6 +276,7 @@ pipeline:
    pull: true
    secrets: [ aws_access_key_id, aws_secret_access_key ]
    bucket: releases
+    acl: public-read
    endpoint: https://storage.gitea.io
    path_style: true
    strip_prefix: dist/release/
@@ -271,6 +290,7 @@ pipeline:
    pull: true
    secrets: [ aws_access_key_id, aws_secret_access_key ]
    bucket: releases
+    acl: public-read
    endpoint: https://storage.gitea.io
    path_style: true
    strip_prefix: dist/release/
@@ -285,6 +305,7 @@ pipeline:
    pull: true
    secrets: [ aws_access_key_id, aws_secret_access_key ]
    bucket: releases
+    acl: public-read
    endpoint: https://storage.gitea.io
    path_style: true
    strip_prefix: dist/release/
@@ -340,6 +361,15 @@ services:
    when:
      event: [ push, tag, pull_request ]

+  mssql:
+    image: microsoft/mssql-server-linux:latest
+    environment:
+      - ACCEPT_EULA=Y
+      - SA_PASSWORD=MwantsaSecurePassword1
+      - MSSQL_PID=Standard
+    when:
+      event: [ push, tag, pull_request ]
+
  ldap:
    image: gitea/test-openldap:latest
    when:
--- a/.github/stale.yml
+++ b/.github/stale.yml
@@ -0,0 +1,52 @@
+# Configuration for probot-stale - https://github.com/probot/stale
+
+# Number of days of inactivity before an Issue or Pull Request becomes stale
+daysUntilStale: 60
+
+# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
+# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
+daysUntilClose: 14
+
+# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
+exemptLabels:
+  - status/blocked 
+  - kind/security 
+  - lgtm/done
+  - reviewed/confirmed
+  - priority/critical
+  - kind/proposal
+
+# Set to true to ignore issues in a project (defaults to false)
+exemptProjects: false
+
+# Set to true to ignore issues in a milestone (defaults to false)
+exemptMilestones: false
+
+# Label to use when marking as stale
+staleLabel: stale
+
+# Comment to post when marking as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you
+  for your contributions.
+
+# Comment to post when closing a stale Issue or Pull Request.
+closeComment: >
+  This issue has been automatically closed because of inactivity.
+  You can re-open it if needed.
+
+# Limit the number of actions per hour, from 1-30. Default is 30
+limitPerRun: 1
+
+# Optionally, specify configuration settings that are specific to just 'issues' or 'pulls':
+pulls:
+  daysUntilStale: 60
+  markComment: >
+    This pull request has been automatically marked as stale because it has not had
+    recent activity. It will be closed if no further activity occurs during the next 2 months. Thank you
+    for your contributions.
+  closeComment: >
+    This pull request has been automatically closed because of inactivity.
+    You can re-open it if needed.
+
--- a/.gitignore
+++ b/.gitignore
@@ -53,11 +53,14 @@ coverage.all
 /integrations/gitea-integration-mysql
 /integrations/gitea-integration-pgsql
 /integrations/gitea-integration-sqlite
+/integrations/gitea-integration-mssql
 /integrations/indexers-mysql
 /integrations/indexers-pgsql
 /integrations/indexers-sqlite
+/integrations/indexers-mssql
 /integrations/mysql.ini
 /integrations/pgsql.ini
+/integrations/mssql.ini
 /node_modules


--- a/.revive.toml
+++ b/.revive.toml
@@ -0,0 +1,25 @@
+ignoreGeneratedHeader = false
+severity = "warning"
+confidence = 0.8
+errorCode = 1
+warningCode = 1
+
+[rule.blank-imports]
+[rule.context-as-argument]
+[rule.context-keys-type]
+[rule.dot-imports]
+[rule.error-return]
+[rule.error-strings]
+[rule.error-naming]
+[rule.exported]
+[rule.if-return]
+[rule.increment-decrement]
+[rule.var-naming]
+[rule.var-declaration]
+[rule.package-comments]
+[rule.range]
+[rule.receiver-naming]
+[rule.time-naming]
+[rule.unexported-return]
+[rule.indent-error-flow]
+[rule.errorf]
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,12 +4,232 @@ This changelog goes through all the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.io).

-## [1.6.0-rc1](https://github.com/go-gitea/gitea/releases/tag/v1.6.0-rc1) - 2018-10-17
+## [1.7.1](https://github.com/go-gitea/gitea/releases/tag/v1.7.1) - 2019-01-31
+* SECURITY
+  * Disable redirect for i18n (#5910) (#5916)
+  * Only allow local login if password is non-empty (#5906) (#5908)
+  * Fix go-get URL generation (#5905) (#5907)
+* BUGFIXES
+  * Fix TLS errors when using acme/autocert for local connections (#5820) (#5826)
+  * Request for public keys only if LDAP attribute is set (#5816) (#5819)
+  * Fix delete correct temp directory (#5840) (#5839)
+  * Fix an error while adding a dependency via UI (#5862) (#5876)
+  * Fix null pointer in attempt to Sudo if not logged in (#5872) (#5884)
+  * When creating new repository fsck option should be enabled (#5817) (#5885)
+  * Prevent nil dereference in mailIssueCommentToParticipants (#5891) (#5895) (#5894)
+  * Fix bug when read public repo lfs file (#5913) (#5912)
+  * Respect value of REQUIRE_SIGNIN_VIEW (#5901) (#5915)
+  * Fix compare button on upstream repo leading to 404 (#5877) (#5914)
+* DOCS
+  * Added docs for the tree api (#5835)
+* MISC
+  * Include Go toolchain to --version (#5832) (#5830)
+
+## [1.7.0](https://github.com/go-gitea/gitea/releases/tag/v1.7.0) - 2019-01-22
+* SECURITY
+  * Do not display the raw OpenID error in the UI (#5705) (#5712)
+  * When redirecting clean the path to avoid redirecting to external site (#5669) (#5679)
+  * Prevent DeleteFilePost doing arbitrary deletion (#5631)
+* BREAKING
+  * Restrict permission check on repositories and fix some problems (#5314)
+  * Show only opened milestones on issues page milestone filter (#5051)
+* FEATURE
+  * Implement git refs API for listing references (branches, tags and other) (#5354)
+  * Approvals at Branch Protection (#5350)
+  * Add raw blob endpoint to get objects by SHA ID (#5334)
+  * Add api for user to create org (#5268)
+  * Create AuthorizedKeysCommand (#5236)
+  * User action heatmap (#5131)
+  * Refactor heatmap to vue component (#5401)
+  * Webhook for Pull Request approval/rejection (#5027)
+  * Add command for migrating database (#4954)
+  * Search keyword by splitting provided values by , (#4939)
+  * Create Progressive Web App (#4730)
+  * Give user a link to create PR after push (#4716)
+  * Add rebase with merge commit merge style (#3844) (#4052)
+* BUGFIXES
+  * Disallow empty titles (#5785) (#5794) 
+  * Fix sqlite deadlock when assigning to a PR (#5640) (#5642)
+  * Don't close issues via commits on non-default branch. (#5622) (#5643)
+  * Fix commit page showing status for current default branch (#5650) (#5653)
+  * Only count users own actions for heatmap contributions (#5647) (#5655)
+  * Update xorm to fix issue postgresql dumping issues (#5680) (#5692)
+  * Use correct value for "MSpan Structures Obtained" (#5706) (#5716)
+  * Fix bug on modifying sshd username (#5624)
+  * Delete tags in mirror which are removed for original repo. (#5609)
+  * Fix wrong text getting saved on editing second comment on an issue. (#5608)
+  * Fix nil pointer when adding a due date  (#5587)
+  * Fix type mismatch of format string (#5574)
+  * Fix bug on upload file name (#5571)
+  * Issue is not overdue when it is on the same date #5566 (#5568)
+  * Fix indexer reindex bug when gitea restart (#5563)
+  * Fix table name typo on SQL (#5562)
+  * Synchronize SSH keys on login with LDAP + Fix SQLite deadlock on ldap ssh key deletion (#5557)
+  * Fix makefile generate buildstep (#5556)
+  * Fix nil pointer base branch bug (#5555)
+  * Fix permission check on api create org (#5523)
+  * Fix detect force push failure on deletion of protected branches (#5522)
+  * Fix approvals limitation (#5521)
+  * Fix bug when a read perm user to edit his issue (#5516)
+  * Fix adding reaction fail for read permission user (#5515)
+  * Fixing MSSQL timestamp type (#5511)
+  * Fix forgot deletion of notification when delete repository (#5506)
+  * Fix empty wiki (#5504)
+  * Fix clone wiki failed via ssh (#5503)
+  * Fix code review on mssql (#5502)
+  * Fix lfs version check warning log when using ssh protocol (#5501)
+  * Fix topic name length on database (#5493)
+  * Ensure that the `closed_at` is set for closed issues (#5449)
+  * Admin should be able to delete repos via the API even if he is not a member of the organization (#5443)
+  * Word-Break the WebHook url to prevent a ui-break (#5432)
+  * Fix forgot removed records when deleting user (#5429)
+  * Fix repository deletion when there is large number of issues in it (#5426)
+  * Fix heatmap colors for Chrome/Safari (#5421)
+  * Fix password variable shadowing (#5405)
+  * Fix dependent issue searching when gitea is run in subpath (#5392)
+  * Don't force a password change for the admin user when creating an account via cli (#5391)
+  * API: '/orgs/:org/repos': return private repos with read access (#5383)
+  * Don't send assign webhooks when creating issue (#5365)
+  * Removing Labels via EditPullRequest API (#5348)
+  * Migration fixes for gogs (0.11.66) to gitea (1.6.0) #5318 (#5341)
+  * Fix bug when users have serval teams with different units on different repositories (#5307)
+  * Fix U2F if gitea is configured in subpath (#5302)
+  * Fix file edit change preview functionality (#5300)
+  * Update gitignore list (#5258)
+  * Fixed heatmap not working in mssql (#5248)
+  * Fixed wrong api request url for instances running in subfolders (#5247)
+  * Fix compatibility heatmap with mysql 8 (#5232)
+  * Fix data race on migrate repository (#5224)
+  * Fix sqlite and mssql lock (#5214)
+  * Fix sqlite lock (#5210)
+  * Fix: Accept web-command cli flags if web-command is commited (#5200)
+  * Fix: Add secret to all webhook's payload where it has been missing (#5199)
+  * Fix race on updatesize (#5190)
+  * Fix create team, update team missing units (#5188)
+  * Fix sqlite lock (#5184 & #5176)
+  * Fix showing pull request link when delete a branch (#5166)
+  * Fix JSON result of empty array in heatmap data array (#5154)
+  * Update build tags for sqlite_unlock notify (#5144)
+  * This commit will reduce join star, repo_topic, topic tables on repo search, so that fix extra columns problem on mssql (#5136)
+  * Fix deadlock when sqlite (#5118)
+  * Add comment replies (#5104)
+  * Fix home page template regression (#5102)
+  * Fix regex to support optional end line of old section in diff hunk (#5096)
+  * LDAP via simple auth separate bind user and search base (#5055)
+  * Fix markdown image with link (#4675)
+  * Fix to 3819 - Filtering issues by tags on main screen issues (#3824)
+* ENHANCEMENT
+  * Delete organization endpoint added (#5601)
+  * Update Licenses (#5558)
+  * Support reverse proxy providing email (#5554)
+  * Add git protocol v2 support via SSH on Docker image (#5520)
+  * Add tests for api user orgs (#5494)
+  * Allow link verification for services like Mastodon (#5481)
+  * Improve team members and repositories settings UI (#5457)
+  * Remove the required class from optional ssh port in installation page (#5428)
+  * Explicitly disable Git credential helper (#5367)
+  * Setting Labels via EditPullRequest API (#5347)
+  * Implement pasting image from clipboard for browsers that supports that (#5317)
+  * Milestone issues and pull requests (#5293)
+  * Support envs on external render commands (#5278)
+  * Add option to disable automatic mirror syncing. (#5242)
+  * Remove unused db init on commands serv, update, hooks (#5225)
+  * Serve audio files using HTML5 audio tag (#5221)
+  * Pass link prefixes to external markup parsers (#5201)
+  * Add AutoHead functionality. (#5186)
+  * Fix emojis not showing in commit messages (#5168)
+  * Block registration based on email domain (#5157)
+  * Update vendor/go-sqlite3 (#5133 & #5162)
+  * Update x/net lib (#5169)
+  * Show review summary in pull requests (#5132)
+  * Use type switch (#5122)
+  * Remove duplicated if bodies (#5121)
+  * Remove check for negative length (#5120)
+  * Make switch more clear (#5119)
+  * Use named const instead of a raw string (#5115)
+  * Fix issue where ecdsa and other key types are not synced from LDAP (#5092) (#5094)
+  * Refactor: err != nil check, just return error instead (#5093)
+  * Add notification interface and refactor UI notifications (#5085)
+  * Use APP_NAME on home page (#5048)
+  * Explicitly decide whether to  use TLS in mailer's configuration (#5024)
+  * Generate random password (#5023)
+  * UX of link account (Step 1) (#5006)
+  * Make sure argsSet verifies string isn't empty too (#4980)
+  * Improve performance of dashboard (#4977)
+  * Keys API changes (#4960)
+  * Add must-change-password flag to cli for creating a user (#4955)
+  * Use native go method to get current user rather than environment variable (#4930)
+  * Make gitea serv use api/internal (#4886)
+  * Add support for search by uid (#4876)
+  * Allow to add organization members as collaborators on organization owned repositories (#4748)
+* TESTING
+  * Kill testing processes if the test takes too long (#5174)
+  * Update outdated Go toolchain version for .drone.yml (#5146)
+  * Increase the retry limit to 20 times and the interval to 200ms (#5134)
+  * Retry test-fixtures loading in case of transaction rollback (#5125)
+  * Added test environment for mssql (#4282)
+* BUILD
+  * Replace lint to revive (#5422)
+  * Update golang version in Dockerfile (#5246)
+* DOCS
+  * Typo in routers/api/v1/org/org.go fixed. (#5598)
+  * Update the docs for sqlite_unlock_notify (#5145)
+  * CN translation of docs part (#5049)
+  * Kubernetes deployment file (#5046)
+* MISC
+  * Upgrade alpine to 3.8 (#5423)
+  * Git-Trees API (#5403)
+  * Only chown directories during docker setup if necessary. Fix #4425 (#5064)
+
+## [1.6.4](https://github.com/go-gitea/gitea/releases/tag/v1.6.4) - 2019-01-15
+* BUGFIX
+  * Fix SSH key now can be reused as public key after deleting as deploy key (#5671) (#5685)
+  * When redirecting clean the path to avoid redirecting to external site (#5669) (#5703)
+  * Fix to use correct value for "MSpan Structures Obtained" (#5706) (#5715)
+
+## [1.6.3](https://github.com/go-gitea/gitea/releases/tag/v1.6.3) - 2019-01-04
+* SECURITY
+  * Prevent DeleteFilePost doing arbitrary deletion (#5631)
+* BUGFIX
+  * Fix wrong text getting saved on editing second comment on an issue (#5608)
+
+## [1.6.2](https://github.com/go-gitea/gitea/releases/tag/v1.6.2) - 2018-12-21
+* SECURITY
+  * Sanitize uploaded file names (#5571) (#5573)
+  * HTMLEncode user added text (#5570) (#5575)
+* BUGFIXES
+  * Fix indexer reindex bug when gitea restart (#5563) (#5564)
+  * Remove a double slash in the HTTPS redirect with Let's Encrypt (#5537) (#5539)
+  * Fix bug when a read perm user to edit his issue (#5516) (#5534)
+  * Detect force push failure on deletion of protected branches (#5522) (#5531)
+  * Let's Encrypt handler listens on correct port for certificate validation (#5525) (#5527)
+  * Fix forgot deletion of notification when delete repository (#5506) (#5514)
+  * Fix undeleted content when deleting user (#5429) (#5509)
+  * Fix empty wiki (#5504) (#5508)
+
+## [1.6.1](https://github.com/go-gitea/gitea/releases/tag/v1.6.1) - 2018-12-08
+* BUGFIXES
+  * Fix dependent issue searching when gitea is run in subpath (#5392) (#5400)
+  * API: '/orgs/:org/repos': return private repos with read access (#5393)
+  * Fix repository deletion when there is large number of issues in it (#5426) (#5434)
+  * Word-break the WebHook url to prevent a ui-break (#5445)
+  * Admin should be able to delete repos via the API even if they are not a member of the organization (#5443) (#5447)
+  * Ensure that the `closed_at` is set for closed (#5450)
+  * Fix topic name length on database (#5493) (#5495)
+
+## [1.6.0](https://github.com/go-gitea/gitea/releases/tag/v1.6.0) - 2018-11-22
 * BREAKING
  * Respect email privacy option in user search via API (#4512)
  * Simply remove tidb and deps (#3993)
  * Swagger.v1.json template (#3572)
+* SECURITY
+  * Add CSRF checking to reqToken and add reqToken to admin API routes (#5272) (#5250)
+  * Improve URL validation for external wiki  and external issues (#4710)
+  * Make cookies HttpOnly and obey COOKIE_SECURE flag (#4706)
+  * Don't disclose emails of all users when sending out emails (#4664)
+  * Check that repositories can only be migrated to own user or organizations (#4366)
 * FEATURE
+  * Add comment replies (#5147) (#5104)
  * Pull request review/approval and comment on code (#3748)
  * Added dependencies for issues (#2196) (#2531)
  * Add the ability to have built in themes in Gitea and provide dark theme arc-green (#4198)
@@ -21,63 +241,6 @@ been added to each release, please refer to the [blog](https://blog.gitea.io).
  * Add push webhook support for mirrored repositories (#4127)
  * Add csv file render support defaultly (#4105)
  * Add Recaptcha functionality to Gitea (#4044)
-* BUGFIXES
-  * Fix release creation via API (#5076)
-  * Remove links from topics in edit mode  (#5026)
-  * Fix missing AppSubUrl in few more templates (fixup) (#5021)
-  * Fix missing AppSubUrl in some templates (#5020)
-  * Hide outdated comments in file view (#5017)
-  * Upgrade gopkg.in/testfixtures.v2 (#4999)
-  * Disable debug routes unless PPROF is enabled in configuration (#4995)
-  * Fix user menu item styling (#4985)
-  * Fix layout of the topics editing form (#4971)
-  * Fix null pointer dereference in ParseCommitWithSignature (#4962)
-  * Fix url in discord webhook (#4953)
-  * Detect charset and convert non UTF-8 files for display (#4950)
-  * Make sure to catch the right error so it is displayed on the UI (#4945)
-  * Fix(topics): don't redirect to explore page. (#4938)
-  * Fix bug forget to remove Stopwatch when remove repository (#4928)
-  * Fix bug when repo remained bare if multiple branches pushed in single push (#4923)
-  * Fix: Let's Encrypt configuration settings (#4911)
-  * Fix: Crippled diff (#4726) (#4900)
-  * Fix trimming of markup section names (#4863)
-  * Issues api allow pulls and fix #4832 (#4852)
-  * Do not autocreate directory for new users/orgs (#4828) (#4849)
-  * Fix redirect with non-ascii branch names (#4764) (#4810)
-  * Fix missing release title in webhook (#4783) (#4796)
-  * User shouldn't be able to approve or reject his/her own PR (#4729)
-  * Make sure to reset commit count in the cache on mirror syncing (#4720)
-  * Fixed bug where team with admin privelege type doesn't get any unit  (#4719)
-  * Fix incorrect caption of webhook setting (#4701) (#4717)
-  * Allow WIP marker to contains < or > (#4709)
-  * Hide org/create menu item in Dashboard if user has no rights (#4678) (#4680)
-  * Site admin could create repos even MAX_CREATION_LIMIT=0 (#4645)
-  * Fix custom templates being ignored (#4638)
-  * Fix starring icon after semantic ui update (#4628)
-  * Fix Split-View line adjustment (#4622)
-  * Fix integer constant overflows in tests (#4616)
-  * Push whitelist now doesn't apply to branch deletion (#4601) (#4607)
-  * Fix bugs when too many IN variables (#4594)
-  * Fix failure on creating pull request with assignees (#4419) (#4583)
-  * Fix panic issue on update avatar email (#4580) (#4581)
-  * Fix status code label for a successful webhook (#4540)
-  * An inactive user shouldn't be able to be added as a collaborator (#4535)
-  * Don't fail silently if trying to add a collaborator twice (#4533)
-  * Fix incorrect MergeWhitelistTeamIDs check in CanUserMerge function (#4519) (#4525)
-  * Fix out-of-transaction query in removeOrgUser (#4521) (#4522)
-  * Fix migration from older releases (#4495)
-  * Accept 'Data:' in commit graph (#4487)
-  * Update xorm to latest version and fix correct `user` table referencing in sql (#4473)
-  * Relative URLs for LibreJS page (#4460)
-  * Redirect to correct page after using scratch token (#4458)
-  * Fix column droping for MSSQL that need new transaction for that (#4440)
-  * Replace src with raw to fix image paths (#4377)
-  * Add default merge options when creating new repository (#4369)
-  * Fix docker build (#4358)
-  * Fixes repo membership check in API (#4341)
-  * Dep upgrade mysql lib (#4161)
-  * Fix some issues with special chars in branch names (#3767)
-  * Responsive design fixes (#4508)
 * ENHANCEMENT
  * Fix milestones sorted wrongly (#4987)
  * Allow api to create tags for releases if they don't exist (#4890)
@@ -130,15 +293,87 @@ been added to each release, please refer to the [blog](https://blog.gitea.io).
  * Added front-end topics validation (#4316)
  * Don't display buttons if there are no system notifications (#4280)
  * Issue due date api (#3890)
-* SECURITY
-  * Improve URL validation for external wiki  and external issues (#4710)
-  * Make cookies HttpOnly and obey COOKIE_SECURE flag (#4706)
-  * Don't disclose emails of all users when sending out emails (#4664)
-  * Check that repositories can only be migrated to own user or organizations (#4366)
+* BUGFIXES
+  * dont' send assign webhooks when creating issue (#5365)
+  * Fix create team, update team missing units (#5188)
+  * Fix file edit change preview functionality (#5300)
+  * *ix bug when users have serval teams with different units on different repositories (#5307)
+  * Fix U2F if gitea is configured in subpath (#5302)
+  * Fix markdown image with link (#4675)
+  * Remove maxlines option for file logger (#5282)
+  * Fix wrong api request url for instances running in subfolders (#5261) (#5247)
+  * Accept web-command cli flags if web-command is commited (#5245) (#5200)
+  * Reduce join star, repo_topic, topic tables on repo search, to resolve extra columns problem on MSSQL (#5136) (#5229)
+  * Fix data race on migrate repository (#5224) (#5230)
+  * Add secret to all webhook's payload where it has been missing (#5208) (#5199)
+  * Fix sqlite and MSSQL lock (#5210) (#5223) (#5214) (#5218) (#5176) (#5179)
+  * Fix race on updatesize (#5190) (#5215)
+  * Fix filtering issues by tags on main screen issues (#5219) (#3824)
+  * Fix SQL quoting (#5137) (#5117)
+  * Fix regex to support optional end line of old section in diff hunk (#5097) (#5096)
+  * Fix release creation via API (#5076)
+  * Remove links from topics in edit mode  (#5026)
+  * Fix missing AppSubUrl in few more templates (fixup) (#5021)
+  * Fix missing AppSubUrl in some templates (#5020)
+  * Hide outdated comments in file view (#5017)
+  * Upgrade gopkg.in/testfixtures.v2 (#4999)
+  * Disable debug routes unless PPROF is enabled in configuration (#4995)
+  * Fix user menu item styling (#4985)
+  * Fix layout of the topics editing form (#4971)
+  * Fix null pointer dereference in ParseCommitWithSignature (#4962)
+  * Fix url in discord webhook (#4953)
+  * Detect charset and convert non UTF-8 files for display (#4950)
+  * Make sure to catch the right error so it is displayed on the UI (#4945)
+  * Fix(topics): don't redirect to explore page. (#4938)
+  * Fix bug forget to remove Stopwatch when remove repository (#4928)
+  * Fix bug when repo remained bare if multiple branches pushed in single push (#4923)
+  * Fix: Crippled diff (#4726) (#4900)
+  * Fix trimming of markup section names (#4863)
+  * Issues api allow pulls and fix #4832 (#4852)
+  * Do not autocreate directory for new users/orgs (#4828) (#4849)
+  * Fix redirect with non-ascii branch names (#4764) (#4810)
+  * Fix missing release title in webhook (#4783) (#4796)
+  * User shouldn't be able to approve or reject his/her own PR (#4729)
+  * Make sure to reset commit count in the cache on mirror syncing (#4720)
+  * Fixed bug where team with admin privelege type doesn't get any unit  (#4719)
+  * Fix incorrect caption of webhook setting (#4701) (#4717)
+  * Allow WIP marker to contains < or > (#4709)
+  * Hide org/create menu item in Dashboard if user has no rights (#4678) (#4680)
+  * Site admin could create repos even MAX_CREATION_LIMIT=0 (#4645)
+  * Fix custom templates being ignored (#4638)
+  * Fix starring icon after semantic ui update (#4628)
+  * Fix Split-View line adjustment (#4622)
+  * Fix integer constant overflows in tests (#4616)
+  * Push whitelist now doesn't apply to branch deletion (#4601) (#4607)
+  * Fix bugs when too many IN variables (#4594)
+  * Fix failure on creating pull request with assignees (#4419) (#4583)
+  * Fix panic issue on update avatar email (#4580) (#4581)
+  * Fix status code label for a successful webhook (#4540)
+  * An inactive user shouldn't be able to be added as a collaborator (#4535)
+  * Don't fail silently if trying to add a collaborator twice (#4533)
+  * Fix incorrect MergeWhitelistTeamIDs check in CanUserMerge function (#4519) (#4525)
+  * Fix out-of-transaction query in removeOrgUser (#4521) (#4522)
+  * Fix migration from older releases (#4495)
+  * Accept 'Data:' in commit graph (#4487)
+  * Update xorm to latest version and fix correct `user` table referencing in sql (#4473)
+  * Relative URLs for LibreJS page (#4460)
+  * Redirect to correct page after using scratch token (#4458)
+  * Fix column droping for MSSQL that need new transaction for that (#4440)
+  * Replace src with raw to fix image paths (#4377)
+  * Add default merge options when creating new repository (#4369)
+  * Fix docker build (#4358)
+  * Fixes repo membership check in API (#4341)
+  * Dep upgrade mysql lib (#4161)
+  * Fix some issues with special chars in branch names (#3767)
+  * Responsive design fixes (#4508)
 * TRANSLATION
  * Fix punctuation in English translation (#4958)
  * Fix translation (#4355)

+## [1.5.3](https://github.com/go-gitea/gitea/releases/tag/v1.5.3) - 2018-10-31
+* SECURITY
+  * Fix remote command execution vulnerability in upstream library (#5177) (#5196)
+
 ## [1.5.2](https://github.com/go-gitea/gitea/releases/tag/v1.5.2) - 2018-10-09
 * SECURITY
  * Enforce token on api routes (#4840) (#4905)
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -244,6 +244,11 @@ they served:
  * [Lauris Bukšis-Haberkorns](https://github.com/lafriks) <lauris@nix.lv>
  * [Kim Carlbäcker](https://github.com/bkcsoft) <kim.carlbacker@gmail.com>

+* 2019-01-01 ~ 2019-12-31
+  * [Lunny Xiao](https://github.com/lunny) <xiaolunwen@gmail.com>
+  * [Lauris Bukšis-Haberkorns](https://github.com/lafriks) <lauris@nix.lv>
+  * [Matti Ranta](https://github.com/techknowlogick) <matti@mdranta.net>
+
 ## Versions

 Gitea has the `master` branch as a tip branch and has version branches
@@ -275,7 +280,7 @@ be reviewed by two maintainers and must pass the automatic tests.
 Code that you contribute should use the standard copyright header:

 ```
-// Copyright 2018 The Gitea Authors. All rights reserved.
+// Copyright 2019 The Gitea Authors. All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 ```
--- a/6
+++ b/6
@@ -1,10 +1,10 @@

 ###################################
 #Build stage
-FROM golang:1.10-alpine3.7 AS build-env
+FROM golang:1.11-alpine3.8 AS build-env

 ARG GITEA_VERSION
-ARG TAGS="sqlite"
+ARG TAGS="sqlite sqlite_unlock_notify"
 ENV TAGS "bindata $TAGS"

 #Build deps
@@ -18,7 +18,7 @@ WORKDIR ${GOPATH}/src/code.gitea.io/gitea
 RUN if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi \
 && make clean generate build

-FROM alpine:3.7
+FROM alpine:3.8
 LABEL maintainer="maintainers@gitea.io"

 EXPOSE 22 3000
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -3,19 +3,19 @@

 [[projects]]
  branch = "master"
-  digest = "1:835585f8450b4ec12252d032b0f13e6571ecf846e49076f69067f2503a7c1e07"
+  digest = "1:ab875622908a804a327a95a1701002b150806a3c5406df51ec231eac16d3a1ca"
  name = "code.gitea.io/git"
  packages = ["."]
  pruneopts = "NUT"
-  revision = "6ef79e80b3b06ca13a1f3a7b940903ebc73b44cb"
+  revision = "389d3c803e12a30dffcbb54a15c2242521bc4333"

 [[projects]]
  branch = "master"
-  digest = "1:5e7f14543006a44047fb1d0df16da08b2ebc2428f1fd53bd8af26a2b34928b11"
+  digest = "1:aed2bc1c4026233af8ad43cab9d9464a0e3b906d3d058d2d6e814f3e1ddfa528"
  name = "code.gitea.io/sdk"
  packages = ["gitea"]
  pruneopts = "NUT"
-  revision = "021567c9c12fe289b8980c34e81e6684434dd082"
+  revision = "d95a6e0392218961d1bdd18020290a20bd61b063"

 [[projects]]
  digest = "1:3fcef06a1a6561955c94af6c7757a6fa37605eb653f0d06ab960e5bb80092195"
@@ -82,7 +82,15 @@
  revision = "349dd0209470eabd9514242c688c403c0926d266"

 [[projects]]
-  digest = "1:67351095005f164e748a5a21899d1403b03878cb2d40a7b0f742376e6eeda974"
+  branch = "master"
+  digest = "1:707ebe952a8b3d00b343c01536c79c73771d100f63ec6babeaed5c79e2b8a8dd"
+  name = "github.com/beorn7/perks"
+  packages = ["quantile"]
+  pruneopts = "NUT"
+  revision = "3a771d992973f24aa725d07868b467d1ddfceafb"
+
+[[projects]]
+  digest = "1:c10f35be6200b09e26da267ca80f837315093ecaba27e7a223071380efb9dd32"
  name = "github.com/blevesearch/bleve"
  packages = [
    ".",
@@ -127,7 +135,7 @@
    "search/searcher",
  ]
  pruneopts = "NUT"
-  revision = "ff210fbc6d348ad67aa5754eaea11a463fcddafd"
+  revision = "c74e08f039e56cef576e4336382b2a2d12d9e026"

 [[projects]]
  branch = "master"
@@ -226,6 +234,21 @@
  pruneopts = "NUT"
  revision = "57eb5e1fc594ad4b0b1dbea7b286d299e0cb43c2"

+[[projects]]
+  digest = "1:b498b36dbb2b306d1c5205ee5236c9e60352be8f9eea9bf08186723a9f75b4f3"
+  name = "github.com/emirpasic/gods"
+  packages = [
+    "containers",
+    "lists",
+    "lists/arraylist",
+    "trees",
+    "trees/binaryheap",
+    "utils",
+  ]
+  pruneopts = "NUT"
+  revision = "1615341f118ae12f353cc8a983f35b584342c9b3"
+  version = "v1.12.0"
+
 [[projects]]
  digest = "1:8603f74d35c93b37c615a02ba297be2cf2efc9ff6f1ff2b458a903990b568e48"
  name = "github.com/ethantkoenig/rupture"
@@ -342,14 +365,15 @@
  revision = "d8a0b8677191f4380287cfebd08e462217bac7ad"

 [[projects]]
-  digest = "1:b327ca585509a889130a8f51f43704a8fe03cb5cd281dbf1bc6405f5a7ea4702"
+  branch = "master"
+  digest = "1:8fea5718d84af17762195beb6fe92a0d6c1048452a1dbc464d227f12e0cff0cc"
  name = "github.com/go-macaron/session"
  packages = [
    ".",
    "redis",
  ]
  pruneopts = "NUT"
-  revision = "66031fcb37a0fff002a1f028eb0b3a815c78306b"
+  revision = "330e4e4d8beb7b00111ac34539561f46f94c4458"

 [[projects]]
  digest = "1:758d2371fcdee6d02565901b348729053c636055e67ef6e17aa466c7ff6cc57c"
@@ -366,12 +390,12 @@
  revision = "d523deb1b23d913de5bdada721a6071e71283618"

 [[projects]]
-  digest = "1:1397763fd29d5667bcfbacde8a37542ee145416b3acb7e1b149c98fef2567930"
+  digest = "1:06d21295033f211588d0ad7ff391cc1b27e72b60cb6d4b7db0d70cffae4cf228"
  name = "github.com/go-xorm/builder"
  packages = ["."]
  pruneopts = "NUT"
-  revision = "dc8bf48f58fab2b4da338ffd25191905fd741b8f"
-  version = "v0.3.0"
+  revision = "03eb88feccce3e477c318ce7f6f1b386544ab20b"
+  version = "v0.3.3"

 [[projects]]
  digest = "1:c910feae32bcc3cbf068c7263424d9f198da931c0cad909179621835e6f87cb8"
@@ -382,11 +406,11 @@
  version = "v0.6.0"

 [[projects]]
-  digest = "1:22a1ac7f654095f6817076eb975368bab5481e42554d0121ea37e28a86a3f83d"
+  digest = "1:d366480c27ab51b3f7e995f25503063e7a6ebc7feb269df2499c33471f35cd62"
  name = "github.com/go-xorm/xorm"
  packages = ["."]
  pruneopts = "NUT"
-  revision = "ad69f7d8f0861a29438154bb0a20b60501298480"
+  revision = "1cd2662be938bfee0e34af92fe448513e0560fb1"

 [[projects]]
  branch = "master"
@@ -404,11 +428,12 @@
  revision = "7f3990acf1833faa5ebd0e86f0a4c72a4b5eba3c"

 [[projects]]
-  digest = "1:b64f9be717fdab5f75122dc3868e8ca9d003779b6bc55f64f39a0cddc698bf88"
+  digest = "1:97df918963298c287643883209a2c3f642e6593379f97ab400c2a2e219ab647d"
  name = "github.com/golang/protobuf"
  packages = ["proto"]
  pruneopts = "NUT"
-  revision = "99511271042a09d1e01baea8781caa5210fec66e"
+  revision = "aa810b61a9c79d51363740d207bb46cf8e620ed5"
+  version = "v1.2.0"

 [[projects]]
  digest = "1:60e25fc5f5cfd7783f985ca99b4383e848981dddf0be584db7d809be20848e25"
@@ -462,6 +487,14 @@
  pruneopts = "NUT"
  revision = "8fb95d837f7d6db1913fecfd7bcc5333e6499596"

+[[projects]]
+  branch = "master"
+  digest = "1:62fe3a7ea2050ecbd753a71889026f83d73329337ada66325cbafd5dea5f713d"
+  name = "github.com/jbenet/go-context"
+  packages = ["io"]
+  pruneopts = "NUT"
+  revision = "d14ea06fba99483203c19d92cfcd13ebe73135f4"
+
 [[projects]]
  digest = "1:6342cf70eaae592f7b8e2552037f2a9d4d16fa321c6e36f09c3bc450add2de19"
  name = "github.com/kballard/go-shellquote"
@@ -469,6 +502,14 @@
  pruneopts = "NUT"
  revision = "cd60e84ee657ff3dc51de0b4f55dd299a3e136f2"

+[[projects]]
+  digest = "1:29e44e9481a689be0093a0033299b95741d394a97b28e0273c21afe697873a22"
+  name = "github.com/kevinburke/ssh_config"
+  packages = ["."]
+  pruneopts = "NUT"
+  revision = "81db2a75821ed34e682567d48be488a1c3121088"
+  version = "0.5"
+
 [[projects]]
  digest = "1:b32126992771fddadf6a778fe7ab29150665ed78f31ce4eb550a9db3bc0e650c"
  name = "github.com/keybase/go-crypto"
@@ -547,7 +588,7 @@
  revision = "e3534c89ef969912856dfa39e56b09e58c5f5daf"

 [[projects]]
-  digest = "1:23f75ae90fcc38dac6fad6881006ea7d0f2c78db5f9f81f3df558dc91460e61f"
+  digest = "1:4b992ec853d0ea9bac3dcf09a64af61de1a392e6cb0eef2204c0c92f4ae6b911"
  name = "github.com/markbates/goth"
  packages = [
    ".",
@@ -562,15 +603,23 @@
    "providers/twitter",
  ]
  pruneopts = "NUT"
-  revision = "f9c6649ab984d6ea71ef1e13b7b1cdffcf4592d3"
-  version = "v1.46.1"
+  revision = "bc6d8ddf751a745f37ca5567dbbfc4157bbf5da9"
+  version = "v1.47.2"

 [[projects]]
-  digest = "1:3ef954101983406a71171c4dc816a73e01bb3de608b3dd063627aa67a459f3e3"
+  digest = "1:c9724c929d27a14475a45b17a267dbc60671c0bc2c5c05ed21f011f7b5bc9fb5"
  name = "github.com/mattn/go-sqlite3"
  packages = ["."]
  pruneopts = "NUT"
-  revision = "acfa60124032040b9f5a9406f5a772ee16fe845e"
+  revision = "c7c4067b79cc51e6dfdcef5c702e74b1e0fa7c75"
+
+[[projects]]
+  digest = "1:5985ef4caf91ece5d54817c11ea25f182697534f8ae6521eadcd628c142ac4b6"
+  name = "github.com/matttproud/golang_protobuf_extensions"
+  packages = ["pbutil"]
+  pruneopts = "NUT"
+  revision = "c12348ce28de40eed0136aa2b644d0ee0650e56c"
+  version = "v1.0.1"

 [[projects]]
  branch = "master"
@@ -587,6 +636,14 @@
  pruneopts = "NUT"
  revision = "f77f16ffc87a6a58814e64ae72d55f9c41374e6d"

+[[projects]]
+  digest = "1:a4df73029d2c42fabcb6b41e327d2f87e685284ec03edf76921c267d9cfc9c23"
+  name = "github.com/mitchellh/go-homedir"
+  packages = ["."]
+  pruneopts = "NUT"
+  revision = "ae18d6b8b3205b561c79e8e5f69bff09736185f4"
+  version = "v1.0.0"
+
 [[projects]]
  digest = "1:c7dc71a7e144df03332152d730f9c5ae22cf1cfd55454cb001ba8ffcb78aa7f0"
  name = "github.com/mrjones/oauth"
@@ -616,6 +673,14 @@
  pruneopts = "NUT"
  revision = "891127d8d1b52734debe1b3c3d7e747502b6c366"

+[[projects]]
+  digest = "1:cf254277d898b713195cc6b4a3fac8bf738b9f1121625df27843b52b267eec6c"
+  name = "github.com/pelletier/go-buffruneio"
+  packages = ["."]
+  pruneopts = "NUT"
+  revision = "c37440a7cf42ac63b919c752ca73a85067e05992"
+  version = "v0.2.0"
+
 [[projects]]
  digest = "1:44c66ad69563dbe3f8e76d7d6cad21a03626e53f1875b5ab163ded419e01ca7a"
  name = "github.com/philhofer/fwd"
@@ -643,6 +708,51 @@
  pruneopts = "NUT"
  revision = "54653902c20e47f3417541d35435cb6d6162e28a"

+[[projects]]
+  digest = "1:aa2da1df3327c3a338bb42f978407c07de74cd0a5bef35e9411881dffd444214"
+  name = "github.com/prometheus/client_golang"
+  packages = [
+    "prometheus",
+    "prometheus/internal",
+    "prometheus/promhttp",
+  ]
+  pruneopts = "NUT"
+  revision = "1cafe34db7fdec6022e17e00e1c1ea501022f3e4"
+  version = "v0.9.0"
+
+[[projects]]
+  branch = "master"
+  digest = "1:2d5cd61daa5565187e1d96bae64dbbc6080dacf741448e9629c64fd93203b0d4"
+  name = "github.com/prometheus/client_model"
+  packages = ["go"]
+  pruneopts = "NUT"
+  revision = "5c3871d89910bfb32f5fcab2aa4b9ec68e65a99f"
+
+[[projects]]
+  branch = "master"
+  digest = "1:06375f3b602de9c99fa99b8484f0e949fd5273e6e9c6592b5a0dd4cd9085f3ea"
+  name = "github.com/prometheus/common"
+  packages = [
+    "expfmt",
+    "internal/bitbucket.org/ww/goautoneg",
+    "model",
+  ]
+  pruneopts = "NUT"
+  revision = "7e9e6cabbd393fc208072eedef99188d0ce788b6"
+
+[[projects]]
+  branch = "master"
+  digest = "1:102dea0c03a915acfc634b7c67f2662012b5483b56d9025e33f5188e112759b6"
+  name = "github.com/prometheus/procfs"
+  packages = [
+    ".",
+    "internal/util",
+    "nfs",
+    "xfs",
+  ]
+  pruneopts = "NUT"
+  revision = "185b4288413d2a0dd0806f78c90dde719829e5ae"
+
 [[projects]]
  branch = "master"
  digest = "1:5be01c22bc1040e2f6ce4755d51a0ac9cef823a9f2004fb1f9896a414ef519e6"
@@ -672,6 +782,19 @@
  pruneopts = "NUT"
  revision = "1dba4b3954bc059efc3991ec364f9f9a35f597d2"

+[[projects]]
+  digest = "1:89fd77d603a74a6540d60067debad9397865bf040955d907362c95d364baeba6"
+  name = "github.com/src-d/gcfg"
+  packages = [
+    ".",
+    "scanner",
+    "token",
+    "types",
+  ]
+  pruneopts = "NUT"
+  revision = "1ac3a1ac202429a54835fe8408a92880156b489d"
+  version = "v1.4.0"
+
 [[projects]]
  branch = "master"
  digest = "1:69177343ca227319b4580441a67d9d889e9ac7fcbfb89fbaa36d3283e6ab0139"
@@ -719,6 +842,14 @@
  pruneopts = "NUT"
  revision = "8ce1146b8621c95164efd9c8b1124cfa9b8afb4e"

+[[projects]]
+  digest = "1:3148cb3478c26a92b4c1a18abb9428234b281e278af6267840721a24b6cbc6a3"
+  name = "github.com/xanzy/ssh-agent"
+  packages = ["."]
+  pruneopts = "NUT"
+  revision = "640f0ab560aeb89d523bb6ac322b1244d5c3796c"
+  version = "v0.2.0"
+
 [[projects]]
  digest = "1:27d050258a4b19ca3b7a1bf26f4a04c5c66bbf0670b346ee509ebb0ad82257a6"
  name = "github.com/yohcop/openid-go"
@@ -727,44 +858,56 @@
  revision = "2c050d2dae5345c417db301f11fda6fbf5ad0f0a"

 [[projects]]
-  digest = "1:e4ea859df4986eb46feebbb84a2d163a4a314e87668177ca13b3b0adecaf50e8"
+  digest = "1:c3d6b9e2cf3936ba9927da2e8858651aad69890b9dd3349f1316b4003b25d7a3"
  name = "golang.org/x/crypto"
  packages = [
    "acme",
    "acme/autocert",
+    "cast5",
    "curve25519",
    "ed25519",
    "ed25519/internal/edwards25519",
    "internal/chacha20",
    "md4",
+    "openpgp",
+    "openpgp/armor",
+    "openpgp/elgamal",
+    "openpgp/errors",
+    "openpgp/packet",
+    "openpgp/s2k",
    "pbkdf2",
    "poly1305",
    "ssh",
+    "ssh/agent",
+    "ssh/knownhosts",
  ]
  pruneopts = "NUT"
  revision = "12dd70caea0268ac0d6c2707d0611ef601e7c64e"

 [[projects]]
-  digest = "1:47ea747d07fae720d749d06ac5dc5ded0df70c57e328b6549cf2d9c64698757e"
+  branch = "master"
+  digest = "1:d0a0bdd2b64d981aa4e6a1ade90431d042cd7fa31b584e33d45e62cbfec43380"
  name = "golang.org/x/net"
  packages = [
    "context",
+    "context/ctxhttp",
    "html",
    "html/atom",
    "html/charset",
  ]
  pruneopts = "NUT"
-  revision = "f2499483f923065a842d38eb4c7f1927e6fc6e6d"
+  revision = "9b4f9f5ad5197c79fd623a3638e70d8b26cef344"

 [[projects]]
-  digest = "1:8159a9cda4b8810aaaeb0d60e2fa68e2fd86d8af4ec8f5059830839e3c8d93d5"
+  branch = "master"
+  digest = "1:274a6321a5a9f185eeb3fab5d7d8397e0e9f57737490d749f562c7e205ffbc2e"
  name = "golang.org/x/oauth2"
  packages = [
    ".",
    "internal",
  ]
  pruneopts = "NUT"
-  revision = "c10ba270aa0bf8b8c1c986e103859c67a9103061"
+  revision = "c453e0c757598fd055e170a3a359263c91e13153"

 [[projects]]
  digest = "1:9f303486d623f840492bfeb48eb906a94e9d3fe638a761639b72ce64bf7bfcc3"
@@ -774,7 +917,8 @@
  revision = "5a06fca2c336a4b2b2fcb45702e8c47621b2aa2c"

 [[projects]]
-  digest = "1:47495898c42062ace16d8046915b088e7c3846e77b997ec5a8a00ec552e179d5"
+  branch = "master"
+  digest = "1:030ca7763285f6cdec5684d7417faa2810d10a508b0220b1487cc876b5c00c35"
  name = "golang.org/x/sys"
  packages = [
    "unix",
@@ -782,7 +926,7 @@
    "windows/svc",
  ]
  pruneopts = "NUT"
-  revision = "a646d33e2ee3172a661fc09bca23bb4889a41bc8"
+  revision = "2772b66316d2c587efeb188dcd5ebc6987656e84"

 [[projects]]
  digest = "1:d2463fd72ee2636c3d9bbdb98fa4996a118f210ae3e5eaf62d281855bc0b4a83"
@@ -861,12 +1005,12 @@
  version = "v1.31.1"

 [[projects]]
-  digest = "1:01f4ac37c52bda6f7e1bd73680a99f88733c0408aaa159ecb1ba53a1ade9423c"
+  digest = "1:7e1c00b9959544fa1ccca7cf0407a5b29ac6d5201059c4fac6f599cb99bfd24d"
  name = "gopkg.in/ldap.v2"
  packages = ["."]
  pruneopts = "NUT"
-  revision = "d0a5ced67b4dc310b9158d63a2c6f9c5ec13f105"
-  version = "v2.4.1"
+  revision = "bb7a9ca6e4fbc2129e3db588a34bc970ffe811a9"
+  version = "v2.5.1"

 [[projects]]
  digest = "1:cfe1730a152ff033ad7d9c115d22e36b19eec6d5928c06146b9119be45d39dc0"
@@ -884,6 +1028,69 @@
  revision = "e6179049628164864e6e84e973cfb56335748dea"
  version = "v2.3.2"

+[[projects]]
+  digest = "1:1cf1388ec8c73b7ecc711d9f279ab631ea0a6964d1ccc32809a6be90c33fa2a0"
+  name = "gopkg.in/src-d/go-billy.v4"
+  packages = [
+    ".",
+    "helper/chroot",
+    "helper/polyfill",
+    "osfs",
+    "util",
+  ]
+  pruneopts = "NUT"
+  revision = "982626487c60a5252e7d0b695ca23fb0fa2fd670"
+  version = "v4.3.0"
+
+[[projects]]
+  digest = "1:8a0efb153cc5b7e0e129d716834217be483e2b326e72f3dcca8b03cd3207e9e4"
+  name = "gopkg.in/src-d/go-git.v4"
+  packages = [
+    ".",
+    "config",
+    "internal/revision",
+    "plumbing",
+    "plumbing/cache",
+    "plumbing/filemode",
+    "plumbing/format/config",
+    "plumbing/format/diff",
+    "plumbing/format/gitignore",
+    "plumbing/format/idxfile",
+    "plumbing/format/index",
+    "plumbing/format/objfile",
+    "plumbing/format/packfile",
+    "plumbing/format/pktline",
+    "plumbing/object",
+    "plumbing/protocol/packp",
+    "plumbing/protocol/packp/capability",
+    "plumbing/protocol/packp/sideband",
+    "plumbing/revlist",
+    "plumbing/storer",
+    "plumbing/transport",
+    "plumbing/transport/client",
+    "plumbing/transport/file",
+    "plumbing/transport/git",
+    "plumbing/transport/http",
+    "plumbing/transport/internal/common",
+    "plumbing/transport/server",
+    "plumbing/transport/ssh",
+    "storage",
+    "storage/filesystem",
+    "storage/filesystem/dotgit",
+    "storage/memory",
+    "utils/binary",
+    "utils/diff",
+    "utils/ioutil",
+    "utils/merkletrie",
+    "utils/merkletrie/filesystem",
+    "utils/merkletrie/index",
+    "utils/merkletrie/internal/frame",
+    "utils/merkletrie/noder",
+  ]
+  pruneopts = "NUT"
+  revision = "f62cd8e3495579a8323455fa0c4e6c44bb0d5e09"
+  version = "v4.8.0"
+
 [[projects]]
  digest = "1:9c541fc507676a69ea8aaed1af53278a5241d26ce0f192c993fec2ac5b78f795"
  name = "gopkg.in/testfixtures.v2"
@@ -892,6 +1099,14 @@
  revision = "fa3fb89109b0b31957a5430cef3e93e535de362b"
  version = "v2.5.0"

+[[projects]]
+  digest = "1:b233ad4ec87ac916e7bf5e678e98a2cb9e8b52f6de6ad3e11834fc7a71b8e3bf"
+  name = "gopkg.in/warnings.v0"
+  packages = ["."]
+  pruneopts = "NUT"
+  revision = "ec4a0fea49c7b46c2aeb0b51aac55779c607e52b"
+  version = "v0.1.2"
+
 [[projects]]
  digest = "1:ad6f94355d292690137613735965bd3688844880fdab90eccf66321910344942"
  name = "gopkg.in/yaml.v2"
@@ -958,6 +1173,7 @@
    "github.com/keybase/go-crypto/openpgp",
    "github.com/keybase/go-crypto/openpgp/armor",
    "github.com/keybase/go-crypto/openpgp/packet",
+    "github.com/klauspost/compress/gzip",
    "github.com/lafriks/xormstore",
    "github.com/lib/pq",
    "github.com/lunny/dingtalk_webhook",
@@ -978,6 +1194,8 @@
    "github.com/nfnt/resize",
    "github.com/pquerna/otp",
    "github.com/pquerna/otp/totp",
+    "github.com/prometheus/client_golang/prometheus",
+    "github.com/prometheus/client_golang/prometheus/promhttp",
    "github.com/russross/blackfriday",
    "github.com/satori/go.uuid",
    "github.com/sergi/go-diff/diffmatchpatch",
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -14,12 +14,18 @@ ignored = ["google.golang.org/appengine*"]
  branch = "master"
  name = "code.gitea.io/sdk"

+[[constraint]]
+#  branch = "master"
+  revision = "c74e08f039e56cef576e4336382b2a2d12d9e026"
+  name = "github.com/blevesearch/bleve"
+#Not targetting v0.7.0 since standard where use only just after this tag
+
 [[constraint]]
  revision = "12dd70caea0268ac0d6c2707d0611ef601e7c64e"
  name = "golang.org/x/crypto"

 [[constraint]]
-  revision = "a646d33e2ee3172a661fc09bca23bb4889a41bc8"
+  branch = "master"
  name = "golang.org/x/sys"

 [[constraint]]
@@ -27,18 +33,25 @@ ignored = ["google.golang.org/appengine*"]
  name = "golang.org/x/text"

 [[constraint]]
-  revision = "f2499483f923065a842d38eb4c7f1927e6fc6e6d"
+  branch = "master"
  name = "golang.org/x/net"

 [[override]]
  name = "github.com/go-xorm/xorm"
-  #version = "0.6.5"
-  revision = "ad69f7d8f0861a29438154bb0a20b60501298480"
+  revision = "1cd2662be938bfee0e34af92fe448513e0560fb1"
+
+[[override]]
+  name = "github.com/go-xorm/builder"
+  version = "0.3.3"

 [[override]]
  name = "github.com/go-sql-driver/mysql"
  revision = "d523deb1b23d913de5bdada721a6071e71283618"

+[[override]]
+  name = "github.com/mattn/go-sqlite3"
+  revision = "c7c4067b79cc51e6dfdcef5c702e74b1e0fa7c75"
+
 [[override]]
  name = "github.com/gorilla/mux"
  revision = "757bef944d0f21880861c2dd9c871ca543023cba"
@@ -57,7 +70,7 @@ ignored = ["google.golang.org/appengine*"]

 [[constraint]]
  name = "github.com/markbates/goth"
-  version = "1.46.1"
+  version = "1.47.2"

 [[constraint]]
  branch = "master"
@@ -101,5 +114,9 @@ ignored = ["google.golang.org/appengine*"]
  source = "github.com/go-gitea/bolt"

 [[override]]
-  revision = "c10ba270aa0bf8b8c1c986e103859c67a9103061"
+  branch = "master"
  name = "golang.org/x/oauth2"
+
+[[constraint]]
+  name = "github.com/prometheus/client_golang"
+  version = "0.9.0"
--- a/6
+++ b/6
@@ -20,7 +20,9 @@ Jonas Östanbäck <jonas.ostanback@gmail.com> (@cez81)
 David Schneiderbauer <dschneiderbauer@gmail.com> (@daviian)
 Peter Žeby <morlinest@gmail.com> (@morlinest)
 Matti Ranta <matti@mdranta.net> (@techknowlogick)
-Michael Lustfield <mtecknology@debian.org> (@MTecknology)
-Jonas Franz <info@jonasfranz.software> (@JonasFranzDEV)
+Jonas Franz <info@jonasfranz.software> (@jonasfranz)
 Alexey Terentyev <axifnx@gmail.com> (@axifive)
 Lanre Adelowo <yo@lanre.wtf> (@adelowo)
+Konrad Langenberg <k@knt.li> (@kolaente)
+He-Long Zhang <outman99@hotmail.com> (@BetaCat0)
+Andrew Thornton <art27@cantab.net> (@zeripath)
--- a/35
+++ b/35
@@ -54,6 +54,10 @@ TEST_PGSQL_HOST ?= pgsql:5432
 TEST_PGSQL_DBNAME ?= testgitea
 TEST_PGSQL_USERNAME ?= postgres
 TEST_PGSQL_PASSWORD ?= postgres
+TEST_MSSQL_HOST ?= mssql:1433
+TEST_MSSQL_DBNAME ?= gitea
+TEST_MSSQL_USERNAME ?= sa
+TEST_MSSQL_PASSWORD ?= MwantsaSecurePassword1

 ifeq ($(OS), Windows_NT)
 	EXECUTABLE := gitea.exe
@@ -74,9 +78,9 @@ clean:
 	$(GO) clean -i ./...
 	rm -rf $(EXECUTABLE) $(DIST) $(BINDATA) \
 		integrations*.test \
-		integrations/gitea-integration-pgsql/ integrations/gitea-integration-mysql/ integrations/gitea-integration-sqlite/ \
-		integrations/indexers-mysql/ integrations/indexers-pgsql integrations/indexers-sqlite \
-		integrations/mysql.ini integrations/pgsql.ini
+		integrations/gitea-integration-pgsql/ integrations/gitea-integration-mysql/ integrations/gitea-integration-sqlite/ integrations/gitea-integration-mssql/ \
+		integrations/indexers-mysql/ integrations/indexers-pgsql integrations/indexers-sqlite integrations/indexers-mssql \
+		integrations/mysql.ini integrations/pgsql.ini integrations/mssql.ini

 .PHONY: fmt
 fmt:
@@ -89,7 +93,7 @@ vet:
 .PHONY: generate
 generate:
 	@hash go-bindata > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		$(GO) get -u github.com/jteeuwen/go-bindata/...; \
+		$(GO) get -u github.com/jteeuwen/go-bindata/go-bindata; \
 	fi
 	$(GO) generate $(PACKAGES)

@@ -128,10 +132,10 @@ errcheck:

 .PHONY: lint
 lint:
-	@hash golint > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		$(GO) get -u golang.org/x/lint/golint; \
+	@hash revive > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+		$(GO) get -u github.com/mgechev/revive; \
 	fi
-	for PKG in $(PACKAGES); do golint -set_exit_status $$PKG || exit 1; done;
+	revive -config .revive.toml -exclude=./vendor/... ./... || exit 1

 .PHONY: misspell-check
 misspell-check:
@@ -159,7 +163,7 @@ fmt-check:

 .PHONY: test
 test:
-	$(GO) test -tags=sqlite $(PACKAGES)
+	$(GO) test -tags='sqlite sqlite_unlock_notify' $(PACKAGES)

 .PHONY: coverage
 coverage:
@@ -170,7 +174,7 @@ coverage:

 .PHONY: unit-test-coverage
 unit-test-coverage:
-	for PKG in $(PACKAGES); do $(GO) test -tags=sqlite -cover -coverprofile $$GOPATH/src/$$PKG/coverage.out $$PKG || exit 1; done;
+	for PKG in $(PACKAGES); do $(GO) test -tags='sqlite sqlite_unlock_notify' -cover -coverprofile $$GOPATH/src/$$PKG/coverage.out $$PKG || exit 1; done;

 .PHONY: vendor
 vendor:
@@ -204,6 +208,11 @@ generate-ini:
 		-e 's|{{TEST_PGSQL_USERNAME}}|${TEST_PGSQL_USERNAME}|g' \
 		-e 's|{{TEST_PGSQL_PASSWORD}}|${TEST_PGSQL_PASSWORD}|g' \
 			integrations/pgsql.ini.tmpl > integrations/pgsql.ini
+	sed -e 's|{{TEST_MSSQL_HOST}}|${TEST_MSSQL_HOST}|g' \
+		-e 's|{{TEST_MSSQL_DBNAME}}|${TEST_MSSQL_DBNAME}|g' \
+		-e 's|{{TEST_MSSQL_USERNAME}}|${TEST_MSSQL_USERNAME}|g' \
+		-e 's|{{TEST_MSSQL_PASSWORD}}|${TEST_MSSQL_PASSWORD}|g' \
+			integrations/mssql.ini.tmpl > integrations/mssql.ini

 .PHONY: test-mysql
 test-mysql: integrations.test generate-ini
@@ -213,6 +222,10 @@ test-mysql: integrations.test generate-ini
 test-pgsql: integrations.test generate-ini
 	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/pgsql.ini ./integrations.test

+.PHONY: test-mssql
+test-mssql: integrations.test generate-ini
+	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/mssql.ini ./integrations.test
+
 .PHONY: bench-sqlite
 bench-sqlite: integrations.sqlite.test
 	GITEA_ROOT=${CURDIR} GITEA_CONF=integrations/sqlite.ini ./integrations.sqlite.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
@@ -234,7 +247,7 @@ integrations.test: $(SOURCES)
 	$(GO) test -c code.gitea.io/gitea/integrations -o integrations.test

 integrations.sqlite.test: $(SOURCES)
-	$(GO) test -c code.gitea.io/gitea/integrations -o integrations.sqlite.test -tags 'sqlite'
+	$(GO) test -c code.gitea.io/gitea/integrations -o integrations.sqlite.test -tags 'sqlite sqlite_unlock_notify'

 integrations.cover.test: $(SOURCES)
 	$(GO) test -c code.gitea.io/gitea/integrations -coverpkg $(shell echo $(PACKAGES) | tr ' ' ',') -o integrations.cover.test
@@ -347,6 +360,8 @@ update-translations:
 generate-images:
 	mkdir -p $(TMPDIR)/images
 	inkscape -f $(PWD)/assets/logo.svg -w 880 -h 880 -e $(PWD)/public/img/gitea-lg.png
+	inkscape -f $(PWD)/assets/logo.svg -w 512 -h 512 -e $(PWD)/public/img/gitea-512.png
+	inkscape -f $(PWD)/assets/logo.svg -w 192 -h 192 -e $(PWD)/public/img/gitea-192.png
 	inkscape -f $(PWD)/assets/logo.svg -w 120 -h 120 -jC -i layer1 -e $(TMPDIR)/images/sm-1.png
 	inkscape -f $(PWD)/assets/logo.svg -w 120 -h 120 -jC -i layer2 -e $(TMPDIR)/images/sm-2.png
 	composite -compose atop $(TMPDIR)/images/sm-2.png $(TMPDIR)/images/sm-1.png $(PWD)/public/img/gitea-sm.png
--- a/README.md
+++ b/README.md
@@ -38,7 +38,7 @@ More info: https://docs.gitea.io/en-us/install-from-source/
    ./gitea web

 NOTE: If you're interested in using our APIs, we have experimental
-support with [documentation](https://godoc.org/code.gitea.io/sdk/gitea).
+support with [documentation](https://try.gitea.io/api/swagger).

 ## Contributing

--- a/cmd/admin.go
+++ b/cmd/admin.go
@@ -6,6 +6,7 @@
 package cmd

 import (
+	"errors"
 	"fmt"
 	"os"
 	"text/tabwriter"
@@ -13,6 +14,7 @@ import (
 	"code.gitea.io/git"
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/auth/oauth2"
+	"code.gitea.io/gitea/modules/generate"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"

@@ -59,6 +61,19 @@ var (
 				Value: "custom/conf/app.ini",
 				Usage: "Custom configuration file path",
 			},
+			cli.BoolFlag{
+				Name:  "random-password",
+				Usage: "Generate a random password for the user",
+			},
+			cli.BoolFlag{
+				Name:  "must-change-password",
+				Usage: "Force the user to change his/her password after initial login",
+			},
+			cli.IntFlag{
+				Name:  "random-password-length",
+				Usage: "Length of the random password to be generated",
+				Value: 12,
+			},
 		},
 	}

@@ -273,10 +288,30 @@ func runChangePassword(c *cli.Context) error {
 }

 func runCreateUser(c *cli.Context) error {
-	if err := argsSet(c, "name", "password", "email"); err != nil {
+	if err := argsSet(c, "name", "email"); err != nil {
 		return err
 	}

+	if c.IsSet("password") && c.IsSet("random-password") {
+		return errors.New("cannot set both -random-password and -password flags")
+	}
+
+	var password string
+
+	if c.IsSet("password") {
+		password = c.String("password")
+	} else if c.IsSet("random-password") {
+		var err error
+		password, err = generate.GetRandomString(c.Int("random-password-length"))
+		if err != nil {
+			return err
+		}
+
+		fmt.Printf("generated random password is '%s'\n", password)
+	} else {
+		return errors.New("must set either password or random-password flag")
+	}
+
 	if c.IsSet("config") {
 		setting.CustomConf = c.String("config")
 	}
@@ -285,12 +320,26 @@ func runCreateUser(c *cli.Context) error {
 		return err
 	}

+	// always default to true
+	var changePassword = true
+
+	// If this is the first user being created.
+	// Take it as the admin and don't force a password update.
+	if n := models.CountUsers(); n == 0 {
+		changePassword = false
+	}
+
+	if c.IsSet("must-change-password") {
+		changePassword = c.Bool("must-change-password")
+	}
+
 	if err := models.CreateUser(&models.User{
-		Name:     c.String("name"),
-		Email:    c.String("email"),
-		Passwd:   c.String("password"),
-		IsActive: true,
-		IsAdmin:  c.Bool("admin"),
+		Name:               c.String("name"),
+		Email:              c.String("email"),
+		Passwd:             password,
+		IsActive:           true,
+		IsAdmin:            c.Bool("admin"),
+		MustChangePassword: changePassword,
 	}); err != nil {
 		return fmt.Errorf("CreateUser: %v", err)
 	}
@@ -412,16 +461,12 @@ func runAddOauth(c *cli.Context) error {
 		return err
 	}

-	if err := models.CreateLoginSource(&models.LoginSource{
+	return models.CreateLoginSource(&models.LoginSource{
 		Type:      models.LoginOAuth2,
 		Name:      c.String("name"),
 		IsActived: true,
 		Cfg:       parseOAuth2Config(c),
-	}); err != nil {
-		return err
-	}
-
-	return nil
+	})
 }

 func runUpdateOauth(c *cli.Context) error {
@@ -492,11 +537,7 @@ func runUpdateOauth(c *cli.Context) error {
 	oAuth2Config.CustomURLMapping = customURLMapping
 	source.Cfg = oAuth2Config

-	if err := models.UpdateSource(source); err != nil {
-		return err
-	}
-
-	return nil
+	return models.UpdateSource(source)
 }

 func runListAuth(c *cli.Context) error {
@@ -543,8 +584,5 @@ func runDeleteAuth(c *cli.Context) error {
 		return err
 	}

-	if err = models.DeleteSource(source); err != nil {
-		return err
-	}
-	return nil
+	return models.DeleteSource(source)
 }
--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@@ -12,6 +12,8 @@ import (

 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
+
 	"github.com/urfave/cli"
 )

@@ -22,15 +24,23 @@ func argsSet(c *cli.Context, args ...string) error {
 		if !c.IsSet(a) {
 			return errors.New(a + " is not set")
 		}
+
+		if util.IsEmptyString(a) {
+			return errors.New(a + " is required")
+		}
 	}
 	return nil
 }

 func initDB() error {
+	return initDBDisableConsole(false)
+}
+
+func initDBDisableConsole(disableConsole bool) error {
 	setting.NewContext()
 	models.LoadConfigs()

-	setting.NewXORMLogService(false)
+	setting.NewXORMLogService(disableConsole)
 	if err := models.SetEngine(); err != nil {
 		return fmt.Errorf("models.SetEngine: %v", err)
 	}
--- a/cmd/hook.go
+++ b/cmd/hook.go
@@ -8,8 +8,8 @@ import (
 	"bufio"
 	"bytes"
 	"fmt"
+	"net/url"
 	"os"
-	"path/filepath"
 	"strconv"
 	"strings"

@@ -62,12 +62,6 @@ var (
 	}
 )

-func hookSetup(logPath string) {
-	setting.NewContext()
-	log.NewGitLogger(filepath.Join(setting.LogRootPath, logPath))
-	models.LoadConfigs()
-}
-
 func runHookPreReceive(c *cli.Context) error {
 	if len(os.Getenv("SSH_ORIGINAL_COMMAND")) == 0 {
 		return nil
@@ -79,7 +73,7 @@ func runHookPreReceive(c *cli.Context) error {
 		setting.CustomConf = c.GlobalString("config")
 	}

-	hookSetup("hooks/pre-receive.log")
+	setup("hooks/pre-receive.log")

 	// the environment setted on serv command
 	repoID, _ := strconv.ParseInt(os.Getenv(models.ProtectedBranchRepoID), 10, 64)
@@ -112,10 +106,15 @@ func runHookPreReceive(c *cli.Context) error {
 		branchName := strings.TrimPrefix(refFullName, git.BranchPrefix)
 		protectBranch, err := private.GetProtectedBranchBy(repoID, branchName)
 		if err != nil {
-			log.GitLogger.Fatal(2, "retrieve protected branches information failed")
+			fail("Internal error", fmt.Sprintf("retrieve protected branches information failed: %v", err))
 		}

 		if protectBranch != nil && protectBranch.IsProtected() {
+			// check and deletion
+			if newCommitID == git.EmptySHA {
+				fail(fmt.Sprintf("branch %s is protected from deletion", branchName), "")
+			}
+
 			// detect force push
 			if git.EmptySHA != oldCommitID {
 				output, err := git.NewCommand("rev-list", "--max-count=1", oldCommitID, "^"+newCommitID).RunInDir(repoPath)
@@ -126,17 +125,12 @@ func runHookPreReceive(c *cli.Context) error {
 				}
 			}

-			// check and deletion
-			if newCommitID == git.EmptySHA {
-				fail(fmt.Sprintf("branch %s is protected from deletion", branchName), "")
-			} else {
-				userID, _ := strconv.ParseInt(userIDStr, 10, 64)
-				canPush, err := private.CanUserPush(protectBranch.ID, userID)
-				if err != nil {
-					fail("Internal error", "Fail to detect user can push: %v", err)
-				} else if !canPush {
-					fail(fmt.Sprintf("protected branch %s can not be pushed to", branchName), "")
-				}
+			userID, _ := strconv.ParseInt(userIDStr, 10, 64)
+			canPush, err := private.CanUserPush(protectBranch.ID, userID)
+			if err != nil {
+				fail("Internal error", "Fail to detect user can push: %v", err)
+			} else if !canPush {
+				fail(fmt.Sprintf("protected branch %s can not be pushed to", branchName), "")
 			}
 		}
 	}
@@ -155,7 +149,7 @@ func runHookUpdate(c *cli.Context) error {
 		setting.CustomConf = c.GlobalString("config")
 	}

-	hookSetup("hooks/update.log")
+	setup("hooks/update.log")

 	return nil
 }
@@ -171,9 +165,10 @@ func runHookPostReceive(c *cli.Context) error {
 		setting.CustomConf = c.GlobalString("config")
 	}

-	hookSetup("hooks/post-receive.log")
+	setup("hooks/post-receive.log")

 	// the environment setted on serv command
+	repoID, _ := strconv.ParseInt(os.Getenv(models.ProtectedBranchRepoID), 10, 64)
 	repoUser := os.Getenv(models.EnvRepoUsername)
 	isWiki := (os.Getenv(models.EnvRepoIsWiki) == "true")
 	repoName := os.Getenv(models.EnvRepoName)
@@ -211,6 +206,47 @@ func runHookPostReceive(c *cli.Context) error {
 		}); err != nil {
 			log.GitLogger.Error(2, "Update: %v", err)
 		}
+
+		if newCommitID != git.EmptySHA && strings.HasPrefix(refFullName, git.BranchPrefix) {
+			branch := strings.TrimPrefix(refFullName, git.BranchPrefix)
+			repo, pullRequestAllowed, err := private.GetRepository(repoID)
+			if err != nil {
+				log.GitLogger.Error(2, "get repo: %v", err)
+				break
+			}
+			if !pullRequestAllowed {
+				break
+			}
+
+			baseRepo := repo
+			if repo.IsFork {
+				baseRepo = repo.BaseRepo
+			}
+
+			if !repo.IsFork && branch == baseRepo.DefaultBranch {
+				break
+			}
+
+			pr, err := private.ActivePullRequest(baseRepo.ID, repo.ID, baseRepo.DefaultBranch, branch)
+			if err != nil {
+				log.GitLogger.Error(2, "get active pr: %v", err)
+				break
+			}
+
+			fmt.Fprintln(os.Stderr, "")
+			if pr == nil {
+				if repo.IsFork {
+					branch = fmt.Sprintf("%s:%s", repo.OwnerName, branch)
+				}
+				fmt.Fprintf(os.Stderr, "Create a new pull request for '%s':\n", branch)
+				fmt.Fprintf(os.Stderr, "  %s/compare/%s...%s\n", baseRepo.HTMLURL(), url.QueryEscape(baseRepo.DefaultBranch), url.QueryEscape(branch))
+			} else {
+				fmt.Fprint(os.Stderr, "Visit the existing pull request:\n")
+				fmt.Fprintf(os.Stderr, "  %s/pulls/%d\n", baseRepo.HTMLURL(), pr.Index)
+			}
+			fmt.Fprintln(os.Stderr, "")
+		}
+
 	}

 	return nil
--- a/cmd/keys.go
+++ b/cmd/keys.go
@@ -0,0 +1,85 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package cmd
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/modules/setting"
+
+	"github.com/urfave/cli"
+)
+
+// CmdKeys represents the available keys sub-command
+var CmdKeys = cli.Command{
+	Name:   "keys",
+	Usage:  "This command queries the Gitea database to get the authorized command for a given ssh key fingerprint",
+	Action: runKeys,
+	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "expected, e",
+			Value: "git",
+			Usage: "Expected user for whom provide key commands",
+		},
+		cli.StringFlag{
+			Name:  "username, u",
+			Value: "",
+			Usage: "Username trying to log in by SSH",
+		},
+		cli.StringFlag{
+			Name:  "type, t",
+			Value: "",
+			Usage: "Type of the SSH key provided to the SSH Server (requires content to be provided too)",
+		},
+		cli.StringFlag{
+			Name:  "content, k",
+			Value: "",
+			Usage: "Base64 encoded content of the SSH key provided to the SSH Server (requires type to be provided too)",
+		},
+		cli.StringFlag{
+			Name:  "config, c",
+			Value: "custom/conf/app.ini",
+			Usage: "Custom configuration file path",
+		},
+	},
+}
+
+func runKeys(c *cli.Context) error {
+	if c.IsSet("config") {
+		setting.CustomConf = c.String("config")
+	}
+
+	if !c.IsSet("username") {
+		return errors.New("No username provided")
+	}
+	// Check username matches the expected username
+	if strings.TrimSpace(c.String("username")) != strings.TrimSpace(c.String("expected")) {
+		return nil
+	}
+
+	content := ""
+
+	if c.IsSet("type") && c.IsSet("content") {
+		content = fmt.Sprintf("%s %s", strings.TrimSpace(c.String("type")), strings.TrimSpace(c.String("content")))
+	}
+
+	if content == "" {
+		return errors.New("No key type and content provided")
+	}
+
+	if err := initDBDisableConsole(true); err != nil {
+		return err
+	}
+
+	publicKey, err := models.SearchPublicKeyByContent(content)
+	if err != nil {
+		return err
+	}
+	fmt.Println(publicKey.AuthorizedString())
+	return nil
+}
--- a/cmd/migrate.go
+++ b/cmd/migrate.go
@@ -0,0 +1,52 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package cmd
+
+import (
+	"code.gitea.io/gitea/models"
+	"code.gitea.io/gitea/models/migrations"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+
+	"github.com/urfave/cli"
+)
+
+// CmdMigrate represents the available migrate sub-command.
+var CmdMigrate = cli.Command{
+	Name:        "migrate",
+	Usage:       "Migrate the database",
+	Description: "This is a command for migrating the database, so that you can run gitea admin create-user before starting the server.",
+	Action:      runMigrate,
+	Flags: []cli.Flag{
+		cli.StringFlag{
+			Name:  "config, c",
+			Value: "custom/conf/app.ini",
+			Usage: "Custom configuration file path",
+		},
+	},
+}
+
+func runMigrate(ctx *cli.Context) error {
+	if ctx.IsSet("config") {
+		setting.CustomConf = ctx.String("config")
+	}
+
+	if err := initDB(); err != nil {
+		return err
+	}
+
+	log.Trace("AppPath: %s", setting.AppPath)
+	log.Trace("AppWorkPath: %s", setting.AppWorkPath)
+	log.Trace("Custom path: %s", setting.CustomPath)
+	log.Trace("Log path: %s", setting.LogRootPath)
+	models.LoadConfigs()
+
+	if err := models.NewEngine(migrations.Migrate); err != nil {
+		log.Fatal(4, "Failed to initialize ORM engine: %v", err)
+		return err
+	}
+
+	return nil
+}
--- a/cmd/serv.go
+++ b/cmd/serv.go
@@ -14,15 +14,16 @@ import (
 	"strings"
 	"time"

+	"code.gitea.io/git"
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/pprof"
 	"code.gitea.io/gitea/modules/private"
 	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/util"

 	"github.com/Unknwon/com"
 	"github.com/dgrijalva/jwt-go"
+	version "github.com/mcuadros/go-version"
 	"github.com/urfave/cli"
 )

@@ -49,20 +50,29 @@ var CmdServ = cli.Command{
 	},
 }

-func setup(logPath string) error {
-	setting.NewContext()
-	log.NewGitLogger(filepath.Join(setting.LogRootPath, logPath))
-	models.LoadConfigs()
+func checkLFSVersion() {
+	if setting.LFS.StartServer {
+		//Disable LFS client hooks if installed for the current OS user
+		//Needs at least git v2.1.2
+		binVersion, err := git.BinVersion()
+		if err != nil {
+			fail(fmt.Sprintf("Error retrieving git version: %v", err), fmt.Sprintf("Error retrieving git version: %v", err))
+		}

-	if setting.UseSQLite3 || setting.UseTiDB {
-		workPath := setting.AppWorkPath
-		if err := os.Chdir(workPath); err != nil {
-			log.GitLogger.Fatal(4, "Failed to change directory %s: %v", workPath, err)
+		if !version.Compare(binVersion, "2.1.2", ">=") {
+			setting.LFS.StartServer = false
+			println("LFS server support needs at least Git v2.1.2, disabled")
+		} else {
+			git.GlobalCommandArgs = append(git.GlobalCommandArgs, "-c", "filter.lfs.required=",
+				"-c", "filter.lfs.smudge=", "-c", "filter.lfs.clean=")
 		}
 	}
+}

-	setting.NewXORMLogService(true)
-	return models.SetEngine()
+func setup(logPath string) {
+	setting.NewContext()
+	checkLFSVersion()
+	log.NewGitLogger(filepath.Join(setting.LogRootPath, logPath))
 }

 func parseCmd(cmd string) (string, string) {
@@ -101,10 +111,7 @@ func runServ(c *cli.Context) error {
 	if c.IsSet("config") {
 		setting.CustomConf = c.String("config")
 	}
-
-	if err := setup("serv.log"); err != nil {
-		fail("System init failed", fmt.Sprintf("setup: %v", err))
-	}
+	setup("serv.log")

 	if setting.SSH.Disabled {
 		println("Gitea: SSH has been disabled")
@@ -159,11 +166,15 @@ func runServ(c *cli.Context) error {
 		}()
 	}

-	isWiki := false
-	unitType := models.UnitTypeCode
+	var (
+		isWiki   bool
+		unitType = models.UnitTypeCode
+		unitName = "code"
+	)
 	if strings.HasSuffix(reponame, ".wiki") {
 		isWiki = true
 		unitType = models.UnitTypeWiki
+		unitName = "wiki"
 		reponame = reponame[:len(reponame)-5]
 	}

@@ -175,9 +186,9 @@ func runServ(c *cli.Context) error {
 	}
 	os.Setenv(models.EnvRepoName, reponame)

-	repo, err := models.GetRepositoryByOwnerAndName(username, reponame)
+	repo, err := private.GetRepositoryByOwnerAndName(username, reponame)
 	if err != nil {
-		if models.IsErrRepoNotExist(err) {
+		if strings.Contains(err.Error(), "Failed to get repository: repository does not exist") {
 			fail(accessDenied, "Repository does not exist: %s/%s", username, reponame)
 		}
 		fail("Internal error", "Failed to get repository: %v", err)
@@ -208,13 +219,13 @@ func runServ(c *cli.Context) error {
 		keyID int64
 		user  *models.User
 	)
-	if requestedMode == models.AccessModeWrite || repo.IsPrivate {
+	if requestedMode == models.AccessModeWrite || repo.IsPrivate || setting.Service.RequireSignInView {
 		keys := strings.Split(c.Args()[0], "-")
 		if len(keys) != 2 {
 			fail("Key ID format error", "Invalid key argument: %s", c.Args()[0])
 		}

-		key, err := models.GetPublicKeyByID(com.StrTo(keys[1]).MustInt64())
+		key, err := private.GetPublicKeyByID(com.StrTo(keys[1]).MustInt64())
 		if err != nil {
 			fail("Invalid key ID", "Invalid key ID[%s]: %v", c.Args()[0], err)
 		}
@@ -225,23 +236,22 @@ func runServ(c *cli.Context) error {
 			if key.Mode < requestedMode {
 				fail("Key permission denied", "Cannot push with deployment key: %d", key.ID)
 			}
+
 			// Check if this deploy key belongs to current repository.
-			if !models.HasDeployKey(key.ID, repo.ID) {
+			has, err := private.HasDeployKey(key.ID, repo.ID)
+			if err != nil {
+				fail("Key access denied", "Failed to access internal api: [key_id: %d, repo_id: %d]", key.ID, repo.ID)
+			}
+			if !has {
 				fail("Key access denied", "Deploy key access denied: [key_id: %d, repo_id: %d]", key.ID, repo.ID)
 			}

 			// Update deploy key activity.
-			deployKey, err := models.GetDeployKeyByRepo(key.ID, repo.ID)
-			if err != nil {
-				fail("Internal error", "GetDeployKey: %v", err)
-			}
-
-			deployKey.UpdatedUnix = util.TimeStampNow()
-			if err = models.UpdateDeployKeyCols(deployKey, "updated_unix"); err != nil {
+			if err = private.UpdateDeployKeyUpdated(key.ID, repo.ID); err != nil {
 				fail("Internal error", "UpdateDeployKey: %v", err)
 			}
 		} else {
-			user, err = models.GetUserByKeyID(key.ID)
+			user, err = private.GetUserByKeyID(key.ID)
 			if err != nil {
 				fail("internal error", "Failed to get user by key ID(%d): %v", keyID, err)
 			}
@@ -252,25 +262,19 @@ func runServ(c *cli.Context) error {
 					user.Name, repoPath)
 			}

-			mode, err := models.AccessLevel(user.ID, repo)
+			mode, err := private.CheckUnitUser(user.ID, repo.ID, user.IsAdmin, unitType)
 			if err != nil {
 				fail("Internal error", "Failed to check access: %v", err)
-			} else if mode < requestedMode {
+			} else if *mode < requestedMode {
 				clientMessage := accessDenied
-				if mode >= models.AccessModeRead {
+				if *mode >= models.AccessModeRead {
 					clientMessage = "You do not have sufficient authorization for this action"
 				}
 				fail(clientMessage,
-					"User %s does not have level %v access to repository %s",
+					"User %s does not have level %v access to repository %s's "+unitName,
 					user.Name, requestedMode, repoPath)
 			}

-			if !repo.CheckUnitUser(user.ID, user.IsAdmin, unitType) {
-				fail("You do not have allowed for this action",
-					"User %s does not have allowed access to repository %s 's code",
-					user.Name, repoPath)
-			}
-
 			os.Setenv(models.EnvPusherName, user.Name)
 			os.Setenv(models.EnvPusherID, fmt.Sprintf("%d", user.ID))
 		}
@@ -325,9 +329,8 @@ func runServ(c *cli.Context) error {
 	} else {
 		gitcmd = exec.Command(verb, repoPath)
 	}
-
 	if isWiki {
-		if err = repo.InitWiki(); err != nil {
+		if err = private.InitWiki(repo.ID); err != nil {
 			fail("Internal error", "Failed to init wiki repo: %v", err)
 		}
 	}
--- a/cmd/web.go
+++ b/cmd/web.go
@@ -80,7 +80,13 @@ func runLetsEncrypt(listenAddr, domain, directory, email string, m http.Handler)
 		Cache:      autocert.DirCache(directory),
 		Email:      email,
 	}
-	go http.ListenAndServe(listenAddr+":"+setting.PortToRedirect, certManager.HTTPHandler(http.HandlerFunc(runLetsEncryptFallbackHandler))) // all traffic coming into HTTP will be redirect to HTTPS automatically (LE HTTP-01 validatio happens here)
+	go func() {
+		log.Info("Running Let's Encrypt handler on %s", setting.HTTPAddr+":"+setting.PortToRedirect)
+		var err = http.ListenAndServe(setting.HTTPAddr+":"+setting.PortToRedirect, certManager.HTTPHandler(http.HandlerFunc(runLetsEncryptFallbackHandler))) // all traffic coming into HTTP will be redirect to HTTPS automatically (LE HTTP-01 validation happens here)
+		if err != nil {
+			log.Fatal(4, "Failed to start the Let's Encrypt handler on port %s: %v", setting.PortToRedirect, err)
+		}
+	}()
 	server := &http.Server{
 		Addr:    listenAddr,
 		Handler: m,
@@ -96,7 +102,10 @@ func runLetsEncryptFallbackHandler(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "Use HTTPS", http.StatusBadRequest)
 		return
 	}
-	target := setting.AppURL + r.URL.RequestURI()
+	// Remove the trailing slash at the end of setting.AppURL, the request
+	// URI always contains a leading slash, which would result in a double
+	// slash
+	target := strings.TrimRight(setting.AppURL, "/") + r.URL.RequestURI()
 	http.Redirect(w, r, target, http.StatusFound)
 }

--- a/contrib/ide/vscode/launch.json
+++ b/contrib/ide/vscode/launch.json
@@ -19,7 +19,7 @@
      "type": "go",
      "request": "launch",
      "mode": "debug",
-      "buildFlags": "-tags=\"sqlite\"",
+      "buildFlags": "-tags=\"sqlite sqlite_unlock_notify\"",
      "port": 2345,
      "host": "127.0.0.1",
      "program": "${workspaceRoot}/main.go",
--- a/contrib/ide/vscode/tasks.json
+++ b/contrib/ide/vscode/tasks.json
@@ -35,7 +35,7 @@
        "focus": false,
        "panel": "shared"
      },
-      "args": ["build", "-tags=\"sqlite\""],
+      "args": ["build", "-tags=\"sqlite sqlite_unlock_notify\""],
      "linux": {
        "args": ["-o", "gitea", "${workspaceRoot}/main.go"]
      },
--- a/contrib/k8s/gitea.yml
+++ b/contrib/k8s/gitea.yml
@@ -0,0 +1,107 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gitea
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitea
+  namespace: gitea
+  labels:
+    app: gitea
+spec:
+  replicas: 1
+  template:
+    metadata:
+      name: gitea
+      labels:
+        app: gitea
+    spec:
+      containers:
+      - name: gitea
+        image: gitea/gitea:latest
+        imagePullPolicy: Always
+        volumeMounts:
+          - mountPath: "/var/lib/gitea"
+            name: "root"
+          - mountPath: "/data"
+            name: "data"
+        ports:
+          - containerPort: 22
+            name: ssh
+            protocol: TCP
+          - containerPort: 3000
+            name: http
+            protocol: TCP
+      restartPolicy: Always
+      volumes:
+        # Set up a data directory for gitea
+        # For production usage, you should consider using PV/PVC instead(or simply using storage like NAS)
+        # For more details, please see https://kubernetes.io/docs/concepts/storage/volumes/
+      - name: "root"
+        hostPath:
+          # directory location on host
+          path: "/var/lib/gitea"
+          # this field is optional
+          type: Directory
+      - name: "data"
+        hostPath:
+          path: "/data/gitea"
+          type: Directory
+  selector:
+    matchLabels:
+      app: gitea
+---
+# Using cluster mode
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea-web
+  namespace: gitea
+  labels:
+    app: gitea-web
+spec:
+  ports:
+  - port: 80
+    targetPort: 3000
+    name: http
+  selector:
+    app: gitea
+---
+# Using node-port mode
+# This mainly open a specific TCP port for SSH usage on each host,
+# so you can use a proxy layer to handle it(e.g. slb, nginx)
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea-ssh
+  namespace: gitea
+  labels:
+    app: gitea-ssh
+spec:
+  ports:
+  - port: 22
+    targetPort: 22
+    nodePort: 30022
+    name: ssh
+  selector:
+    app: gitea
+  type: NodePort
+---
+# Ingress is always suitable for HTTP usage,
+# we suggest using an proxy layer such as slb to send traffic to different ports.
+# Usually 80/443 for web and 22 directly for SSH.
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: gitea
+  namespace: gitea
+spec:
+  rules:
+  - host: your-gitea-host.com
+    http:
+      paths:
+      - backend:
+          serviceName: gitea-web
+          servicePort: 80
--- a/custom/conf/app.ini.sample
+++ b/custom/conf/app.ini.sample
@@ -144,7 +144,7 @@ START_SSH_SERVER = false
 BUILTIN_SSH_SERVER_USER =
 ; Domain name to be exposed in clone URL
 SSH_DOMAIN = %(DOMAIN)s
-; THe network interface the builtin SSH server should listen on
+; The network interface the builtin SSH server should listen on
 SSH_LISTEN_HOST =
 ; Port number to be exposed in clone URL
 SSH_PORT = 22
@@ -152,6 +152,9 @@ SSH_PORT = 22
 SSH_LISTEN_PORT = %(SSH_PORT)s
 ; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
 SSH_ROOT_PATH =
+; Gitea will create a authorized_keys file by default when it is not using the internal ssh server
+; If you intend to use the AuthorizedKeysCommand functionality then you should turn this off.
+SSH_CREATE_AUTHORIZED_KEYS_FILE = true
 ; For the built-in SSH server, choose the ciphers to support for SSH connections,
 ; for system SSH this setting has no effect
 SSH_SERVER_CIPHERS = aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128
@@ -258,11 +261,12 @@ COOKIE_USERNAME = gitea_awesome
 COOKIE_REMEMBER_NAME = gitea_incredible
 ; Reverse proxy authentication header name of user name
 REVERSE_PROXY_AUTHENTICATION_USER = X-WEBAUTH-USER
+REVERSE_PROXY_AUTHENTICATION_EMAIL = X-WEBAUTH-EMAIL
 ; The minimum password length for new Users
 MIN_PASSWORD_LENGTH = 6
-; True when users are allowed to import local server paths
+; Set to true to allow users to import local server paths
 IMPORT_LOCAL_PATHS = false
-; Prevent all users (including admin) from creating custom git hooks
+; Set to true to prevent all users (including admin) from creating custom git hooks
 DISABLE_GIT_HOOKS = false

 [openid]
@@ -306,9 +310,12 @@ ACTIVE_CODE_LIVE_MINUTES = 180
 RESET_PASSWD_CODE_LIVE_MINUTES = 180
 ; Whether a new user needs to confirm their email when registering.
 REGISTER_EMAIL_CONFIRM = false
+; List of domain names that are allowed to be used to register on a Gitea instance
+; gitea.io,example.com
+EMAIL_DOMAIN_WHITELIST=
 ; Disallow registration, only allow admins to create accounts.
 DISABLE_REGISTRATION = false
-; Allow registration only using third part services, it works only when DISABLE_REGISTRATION is false
+; Allow registration only using third-party services, it works only when DISABLE_REGISTRATION is false
 ALLOW_ONLY_EXTERNAL_REGISTRATION = false
 ; User must sign in to view anything.
 REQUIRE_SIGNIN_VIEW = false
@@ -317,14 +324,15 @@ ENABLE_NOTIFY_MAIL = false
 ; More detail: https://github.com/gogits/gogs/issues/165
 ENABLE_REVERSE_PROXY_AUTHENTICATION = false
 ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false
+ENABLE_REVERSE_PROXY_EMAIL = false
 ; Enable captcha validation for registration
 ENABLE_CAPTCHA = false
 ; Type of captcha you want to use. Options: image, recaptcha
 CAPTCHA_TYPE = image
 ; Enable recaptcha to use Google's recaptcha service
 ; Go to https://www.google.com/recaptcha/admin to sign up for a key
-RECAPTCHA_SECRET  = 
-RECAPTCHA_SITEKEY = 
+RECAPTCHA_SECRET  =
+RECAPTCHA_SITEKEY =
 ; Default value for KeepEmailPrivate
 ; Each new user will get the value of this setting copied into their profile
 DEFAULT_KEEP_EMAIL_PRIVATE = false
@@ -332,8 +340,10 @@ DEFAULT_KEEP_EMAIL_PRIVATE = false
 ; Every new user will have rights set to create organizations depending on this setting
 DEFAULT_ALLOW_CREATE_ORGANIZATION = true
 ; Default value for EnableDependencies
-; Repositories will use depencies by default depending on this setting
+; Repositories will use dependencies by default depending on this setting
 DEFAULT_ENABLE_DEPENDENCIES = true
+; Enable heatmap on users profiles.
+ENABLE_USER_HEATMAP = true
 ; Enable Timetracking
 ENABLE_TIMETRACKING = true
 ; Default value for EnableTimetracking
@@ -378,6 +388,8 @@ SKIP_VERIFY =
 USE_CERTIFICATE = false
 CERT_FILE = custom/mailer/cert.pem
 KEY_FILE = custom/mailer/key.pem
+; Should SMTP connection use TLS
+IS_TLS_ENABLED = false
 ; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
 FROM =
 ; Mailer user name and password
@@ -537,7 +549,7 @@ SCHEDULE = @every 10m
 SCHEDULE = @every 24h
 TIMEOUT = 60s
 ; Arguments for command 'git fsck', e.g. "--unreachable --tags"
-; see more on http://git-scm.com/docs/git-fsck/1.7.5
+; see more on http://git-scm.com/docs/git-fsck
 ARGS =

 ; Check repository statistics
@@ -576,7 +588,7 @@ MAX_GIT_DIFF_LINE_CHARACTERS = 5000
 ; Max number of files shown in diff view
 MAX_GIT_DIFF_FILES = 100
 ; Arguments for command 'git gc', e.g. "--aggressive --auto"
-; see more on http://git-scm.com/docs/git-gc/1.7.5
+; see more on http://git-scm.com/docs/git-gc/
 GC_ARGS =

 ; Operation timeout in seconds
@@ -654,3 +666,9 @@ FILE_EXTENSIONS = .adoc,.asciidoc
 RENDER_COMMAND = "asciidoc --out-file=- -"
 ; Don't pass the file on STDIN, pass the filename as argument instead.
 IS_INPUT_FILE = false
+
+[metrics]
+; Enables metrics endpoint. True or false; default is false.
+ENABLED = false
+; If you want to add authorization, specify a token here
+TOKEN =
--- a/docker/Makefile
+++ b/docker/Makefile
@@ -8,7 +8,7 @@ DOCKER_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)
 .PHONY: docker
 docker:
 	docker build --disable-content-trust=false -t $(DOCKER_REF) .
-# support also build args docker build --build-arg GITEA_VERSION=v1.2.3 --build-arg TAGS="bindata sqlite"  .
+# support also build args docker build --build-arg GITEA_VERSION=v1.2.3 --build-arg TAGS="bindata sqlite sqlite_unlock_notify"  .

 .PHONY: docker-build
 docker-build:
--- a/docker/etc/s6/gitea/setup
+++ b/docker/etc/s6/gitea/setup
@@ -39,5 +39,8 @@ if [ ! -f /data/gitea/conf/app.ini ]; then
    envsubst < /etc/templates/app.ini > /data/gitea/conf/app.ini
 fi

-chown -R ${USER}:git /data/gitea /app/gitea /data/git
+# only chown if current owner is not already the gitea ${USER}. No recursive check to save time
+if ! [[ $(ls -ld /data/gitea | awk '{print $3}') = ${USER} ]]; then chown -R ${USER}:git /data/gitea; fi
+if ! [[ $(ls -ld /app/gitea  | awk '{print $3}') = ${USER} ]]; then chown -R ${USER}:git /app/gitea;  fi
+if ! [[ $(ls -ld /data/git   | awk '{print $3}') = ${USER} ]]; then chown -R ${USER}:git /data/git;   fi
 chmod 0755 /data/gitea /app/gitea /data/git
--- a/docker/etc/ssh/sshd_config
+++ b/docker/etc/ssh/sshd_config
@@ -29,3 +29,5 @@ AllowUsers git

 Banner none
 Subsystem sftp /usr/lib/ssh/sftp-server
+
+AcceptEnv GIT_PROTOCOL
--- a/docker/usr/bin/entrypoint
+++ b/docker/usr/bin/entrypoint
@@ -4,7 +4,7 @@ if [ "${USER}" != "git" ]; then
    # rename user
    sed -i -e "s/^git\:/${USER}\:/g" /etc/passwd
    # switch sshd config to different user
-    sed -i -e "s/AllowUsers git/AllowUsers ${USER}/g" /etc/ssh/sshd_config
+    sed -i -e "s/AllowUsers git$/AllowUsers ${USER}/g" /etc/ssh/sshd_config
 fi

 ## Change GID for USER?
--- a/docs/README_ZH.md
+++ b/docs/README_ZH.md
@@ -0,0 +1,42 @@
+# Gitea: 文档
+
+[![Build Status](http://drone.gitea.io/api/badges/go-gitea/docs/status.svg)](http://drone.gitea.io/go-gitea/docs)
+[![Join the chat at https://img.shields.io/discord/322538954119184384.svg](https://img.shields.io/discord/322538954119184384.svg)](https://discord.gg/NsatcWJ)
+[![](https://images.microbadger.com/badges/image/gitea/docs.svg)](http://microbadger.com/images/gitea/docs "Get your own image badge on microbadger.com")
+
+## 关于托管方式
+
+本页面托管在我们 Docker 容器内的基础设施上， 它会在每次推送到 `master` 分支的时候自动更新，如果你想自己管理这个页面，你可以从我们的 Docker 镜像 [gitea/docs](https://hub.docker.com/r/gitea/docs/) 中获取它。
+
+## 安装 Hugo
+
+本页面使用了 [Hugo](https://github.com/spf13/hugo) 静态页面生成工具，如果您有维护它的意愿，则需要在本地计算机上下载并安装 Hugo。Hugo 的安装教程不在本文档的讲述范围之内，详情请参见 [官方文档](https://gohugo.io/overview/installing/)。
+
+## 如何部署
+
+在 [localhost:1313](http://localhost:1313) 处构建和运行网站的命令如下，如果需要停止可以使用组合键 `Ctrl+C`:
+
+```
+make server
+```
+
+完成更改后，只需创建一个 Pull Request (PR)，该 PR 一经合并网站将自动更新。
+
+## 如何贡献您的代码
+
+Fork -> Patch -> Push -> Pull Request
+
+## 关于我们
+
+* [维护者信息](https://github.com/orgs/go-gitea/people)
+* [代码贡献者信息](https://github.com/go-gitea/docs/graphs/contributors)
+
+## 许可证
+
+此项目采用 Apache-2.0 许可协议，请参见 [协议文件](LICENSE) 获取更多信息。
+
+## 版权声明
+
+```
+Copyright (c) 2016 The Gitea Authors <https://gitea.io>
+```
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -62,7 +62,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
   HTTP protocol.
 - `USE_COMPAT_SSH_URI`: **false**: Force ssh:// clone url instead of scp-style uri when
   default SSH port is used.
-   
+
 ### Repository - Pull Request (`repository.pull-request`)
 - `WORK_IN_PROGRESS_PREFIXES`: **WIP:,\[WIP\]**: List of prefixes used in Pull Request
 title to mark them as Work In Progress
@@ -122,9 +122,8 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `LFS_CONTENT_PATH`: **./data/lfs**: Where to store LFS files.
 - `LFS_JWT_SECRET`: **\<empty\>**: LFS authentication secret, change this a unique string.
 - `LFS_HTTP_AUTH_EXPIRY`: **20m**: LFS authentication validity period in time.Duration, pushes taking longer than this may fail.
- `REDIRECT_OTHER_PORT`: **false**: If true and `PROTOCOL` is https, redirects http requests
-   on another (https) port.
- `PORT_TO_REDIRECT`: **80**: Port used when `REDIRECT_OTHER_PORT` is true.
+- `REDIRECT_OTHER_PORT`: **false**: If true and `PROTOCOL` is https, allows redirecting http requests on `PORT_TO_REDIRECT` to the https port Gitea listens on.
+- `PORT_TO_REDIRECT`: **80**: Port for the http redirection service to listen on. Used when `REDIRECT_OTHER_PORT` is true.
 - `ENABLE_LETSENCRYPT`: **false**: If enabled you must set `DOMAIN` to valid internet facing domain (ensure DNS is set and port 80 is accessible by letsencrypt validation server).
   By using Lets Encrypt **you must consent** to their [terms of service](https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf).
 - `LETSENCRYPT_ACCEPTTOS`: **false**: This is an explicit check that you accept the terms of service for Let's Encrypt.
@@ -160,9 +159,11 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
   information.
 - `REVERSE_PROXY_AUTHENTICATION_USER`: **X-WEBAUTH-USER**: Header name for reverse proxy
   authentication.
- `DISABLE_GIT_HOOKS`: **false**: Prevent all users (including admin) from creating custom
+- `REVERSE_PROXY_AUTHENTICATION_EMAIL`: **X-WEBAUTH-EMAIL**: Header name for reverse proxy
+   authentication provided email.
+- `DISABLE_GIT_HOOKS`: **false**: Set to `true` to prevent all users (including admin) from creating custom
   git hooks.
- `IMPORT_LOCAL_PATHS`: **false**: Prevent all users (including admin) from importing local path on server.
+- `IMPORT_LOCAL_PATHS`: **false**: Set to `false` to prevent all users (including admin) from importing local path on server.

 ## OpenID (`openid`)

@@ -188,11 +189,16 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `ENABLE_REVERSE_PROXY_AUTHENTICATION`: **false**: Enable this to allow reverse proxy authentication.
 - `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION`: **false**: Enable this to allow auto-registration
   for reverse authentication.
+- `ENABLE_REVERSE_PROXY_EMAIL`: **false**: Enable this to allow to auto-registration with a
+   provided email rather than a generated email.
 - `ENABLE_CAPTCHA`: **false**: Enable this to use captcha validation for registration.
 - `CAPTCHA_TYPE`: **image**: \[image, recaptcha\]
 - `RECAPTCHA_SECRET`: **""**: Go to https://www.google.com/recaptcha/admin to get a secret for recaptcha.
 - `RECAPTCHA_SITEKEY`: **""**: Go to https://www.google.com/recaptcha/admin to get a sitekey for recaptcha.
 - `DEFAULT_ENABLE_DEPENDENCIES`: **true** Enable this to have dependencies enabled by default.
+- `ENABLE_USER_HEATMAP`: **true** Enable this to display the heatmap on users profiles.
+- `EMAIL_DOMAIN_WHITELIST`: **\<empty\>**: If non-empty, list of domain names that can only be used to register
+  on this instance.

 ## Webhook (`webhook`)

@@ -219,6 +225,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
     `FROM` and `SENDMAIL_PATH`.
 - `SENDMAIL_PATH`: **sendmail**: The location of sendmail on the operating system (can be
   command or full path).
+- ``IS_TLS_ENABLED`` :  **false** : Decide if SMTP connections should use TLS.

 ## Cache (`cache`)

@@ -280,7 +287,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.

 - `SCHEDULE`: **every 24h**: Cron syntax for scheduling repository health check.
 - `TIMEOUT`: **60s**: Time duration syntax for health check execution timeout.
- `ARGS`: **\<empty\>**: Arguments for command `git fsck`, e.g. `--unreachable --tags`.
+- `ARGS`: **\<empty\>**: Arguments for command `git fsck`, e.g. `--unreachable --tags`. See more on http://git-scm.com/docs/git-fsck

 ### Cron - Repository Statistics Check (`cron.check_repo_stats`)

@@ -292,7 +299,7 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `MAX_GIT_DIFF_LINES`: **100**: Max number of lines allowed of a single file in diff view.
 - `MAX_GIT_DIFF_LINE_CHARACTERS`: **5000**: Max character count per line highlighted in diff view.
 - `MAX_GIT_DIFF_FILES`: **100**: Max number of files shown in diff view.
- `GC_ARGS`: **\<empty\>**: Arguments for command `git gc`, e.g. `--aggressive --auto`.
+- `GC_ARGS`: **\<empty\>**: Arguments for command `git gc`, e.g. `--aggressive --auto`. See more on http://git-scm.com/docs/git-gc/

 ## Git - Timeout settings (`git.timeout`)
 - `MIGRATE`: **600**: Migrate external repositories timeout seconds.
@@ -301,9 +308,14 @@ Values containing `#` or `;` must be quoted using `` ` `` or `"""`.
 - `PULL`: **300**: Git pull from internal repositories timeout seconds.
 - `GC`: **60**: Git repository GC timeout seconds.

+## Metrics (`metrics`)
+
+- `ENABLED`: **false**: Enables /metrics endpoint for prometheus. 
+- `TOKEN`: **\<empty\>**: You need to specify the token, if you want to include in the authorization the metrics . The same token need to be used in prometheus parameters `bearer_token` or `bearer_token_file`.
+
 ## API (`api`)
- 
- `ENABLE_SWAGGER_ENDPOINT`: **true**: Enables /api/swagger, /api/v1/swagger etc. endpoints. True or false; default is true. 
+
+- `ENABLE_SWAGGER_ENDPOINT`: **true**: Enables /api/swagger, /api/v1/swagger etc. endpoints. True or false; default is true.
 - `MAX_RESPONSE_ITEMS`: **50**: Max number of items in a page.

 ## i18n (`i18n`)
@@ -358,6 +370,10 @@ IS_INPUT_FILE = false
 - RENDER\_COMMAND: External command to render all matching extensions.
 - IS\_INPUT\_FILE: **false** Input is not a standard input but a file param followed `RENDER_COMMAND`.

+Two special environment variables are passed to the render command:
+- `GITEA_PREFIX_SRC`, which contains the current URL prefix in the `src` path tree. To be used as prefix for links.
+- `GITEA_PREFIX_RAW`, which contains the current URL prefix in the `raw` path tree. To be used as prefix for image paths.
+
 ## Other (`other`)

 - `SHOW_FOOTER_BRANDING`: **false**: Show Gitea branding in the footer.
--- a/docs/content/doc/advanced/customizing-gitea.en-us.md
+++ b/docs/content/doc/advanced/customizing-gitea.en-us.md
@@ -88,10 +88,14 @@ Apart from `extra_links.tmpl` and `extra_tabs.tmpl`, there are other useful temp
 - `body_outer_post.tmpl`, before the bottom `<footer>` element.
 - `footer.tmpl`, right before the end of the `<body>` tag, a good place for additional Javascript.

+## Adding Analytics to Gitea
+
+Google Analytics, Matomo (previously Piwik), and other analytics services can be added to Gitea. To add the tracking code, refer to the `Other additions to the page` section of this document, and add the JavaScript to the `custom/templates/custom/header.tmpl` file.
+
 ## Customizing gitignores, labels, licenses, locales, and readmes.

 Place custom files in corresponding sub-folder under `custom/options`.

 ## Customizing the look of Gitea

-Gitea has two built-in themes, the default theme `gitea`, and a dark theme `arc-green`. To change the look of your Gitea install change the value of `DEFAULT_THEME` in the [ui](https://docs.gitea.io/en-us/config-cheat-sheet/#ui-ui) section of `app.ini` to another one of the available options.
+As of version 1.6.0 Gitea has built-in themes. The two built-in themes are, the default theme `gitea`, and a dark theme `arc-green`. To change the look of your Gitea install change the value of `DEFAULT_THEME` in the [ui](https://docs.gitea.io/en-us/config-cheat-sheet/#ui-ui) section of `app.ini` to another one of the available options.
--- a/docs/content/doc/advanced/customizing-gitea.zh-cn.md
+++ b/docs/content/doc/advanced/customizing-gitea.zh-cn.md
@@ -57,7 +57,7 @@ Gitea 引用 `custom` 目录中的自定义配置文件来覆盖配置、模板

 如果您只是想添加额外的链接到顶部导航栏或额外的选项卡到存储库视图，您可以将它们放在您 `custom/templates/custom/` 目录下的 `extra_links.tmpl` 和 `extra_tabs.tmpl` 文件中。

-举例说明：假设您在德国，必须添加着名的法律要求的“Impressum”用以罗列谁负责网站的内容页面，您只需将该页面放在您的
+举例说明：假设您需要在网站放置一个静态的“关于”页面，您只需将该页面放在您的
 "custom/public/"目录下（比如 `custom/public/impressum.html`）并且将它与 `custom/templates/custom/extra_links.tmpl` 链接起来即可。

 这个链接应当使用一个名为“item”的 class 来匹配当前样式，您可以使用 `{{AppSubUrl}}` 来获取 base URL:
--- a/docs/content/doc/advanced/external-renderers.en-us.md
+++ b/docs/content/doc/advanced/external-renderers.en-us.md
@@ -0,0 +1,70 @@
+---
+date: "2018-11-23:00:00+02:00"
+title: "External renderers"
+slug: "external-renderers"
+weight: 40
+toc: true
+draft: false
+menu:
+  sidebar:
+    parent: "advanced"
+    name: "External renderers"
+    weight: 40
+    identifier: "external-renderers"
+---
+
+# Custom files rendering configuration
+
+Gitea supports custom file renderings (i.e., Jupyter notebooks, asciidoc, etc.) through external binaries, 
+it is just matter of:
+* installing external binaries
+* add some configuration to your `app.ini` file
+* restart your gitea instance
+
+## Installing external binaries
+
+In order to get file rendering through external binaries, their associated packages must be installed. 
+If you're using a Docker image, your `Dockerfile` should contain something along this lines:
+
+```
+FROM gitea/gitea:1.6.0
+[...]
+
+COPY custom/app.ini /data/gitea/conf/app.ini
+[...]
+
+RUN apk --no-cache add asciidoctor freetype freetype-dev gcc g++ libpng python-dev py-pip python3-dev py3-pip
+# install any other package you need for your external renderers
+
+RUN pip3 install --upgrade pip
+RUN pip3 install -U setuptools
+RUN pip3 install jupyter matplotlib docutils 
+# add above any other python package you may need to install
+```
+
+## `app.ini` file configuration
+
+add one `[markup.XXXXX]` section per external renderer on your custom `app.ini`:
+
+```
+[markup.asciidoc]
+ENABLED = true
+FILE_EXTENSIONS = .adoc,.asciidoc
+RENDER_COMMAND = "asciidoctor --out-file=- -"
+; Input is not a standard input but a file
+IS_INPUT_FILE = false
+
+[markup.jupyter]
+ENABLED = true
+FILE_EXTENSIONS = .ipynb
+RENDER_COMMAND = "jupyter nbconvert --stdout --to html --template basic "
+IS_INPUT_FILE = true
+
+[markup.restructuredtext]
+ENABLED = true
+FILE_EXTENSIONS = .rst
+RENDER_COMMAND = rst2html.py
+IS_INPUT_FILE = false
+```
+
+Once your configuration changes have been made, restart Gitea to have changes take effect.
--- a/docs/content/doc/features/comparison.en-us.md
+++ b/docs/content/doc/features/comparison.en-us.md
@@ -119,5 +119,5 @@ _Symbols used in table:_
 | Act as OAuth 2.0 provider | ✘ | ✘ | ✓ | ✓ | ✓ | ✓ | ✘ |
 | Two factor authentication (2FA) | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✘ |
 | Mattermost/Slack integration | ✓ | ✓ | ⁄ | ✓ | ✓ | ⁄ | ✓ |
-| Discord integration | ✓ | ✓ | ✓ | ✘ | ✘ | ✘ | ✘ |
+| Discord integration | ✓ | ✓ | ✓ | ✓ | ✓ | ✘ | ✘ |
 | External CI/CD status display | ✓ | ✘ | ✓ | ✓ | ✓ | ✓ | ✓ |
--- a/docs/content/doc/help/troubleshooting.en-us.md
+++ b/docs/content/doc/help/troubleshooting.en-us.md
@@ -80,3 +80,17 @@ To migrate an repository *with* all tags you need to do two things
 ```
 gitea admin repo-sync-releases
 ```
+
+## LFS Issues
+
+For issues concerning LFS data upload
+
+```
+batch response: Authentication required: Authorization error: <GITEA_LFS_URL>/info/lfs/objects/batch                                                                                                              
+Check that you have proper access to the repository
+error: failed to push some refs to '<GIT_REPO_URL>'
+```
+Have you checked the value of `LFS_HTTP_AUTH_EXPIRY` in your `app.ini` file? By default your LFS token will expire after 20 minutes. If you have a slow connection or a large file (or both) it may not finish uploading within the time limit. 
+
+You may want to set this value to `60m` or `120m`.
+
--- a/docs/content/doc/installation/from-binary.en-us.md
+++ b/docs/content/doc/installation/from-binary.en-us.md
@@ -29,7 +29,7 @@ chmod +x gitea
 Gitea signs all binaries with a [GPG key](https://pgp.mit.edu/pks/lookup?op=vindex&fingerprint=on&search=0x2D9AE806EC1592E2) to prevent against unwanted modification of binaries. To validate the binary download the signature file which ends in `.asc` for the binary you downloaded and use the gpg command line tool.

 ```sh
-gpg --keyserver pgp.mit.edu --recv 0x2D9AE806EC1592E2
+gpg --keyserver pgp.mit.edu --recv 7C9E68152594688862D62AF62D9AE806EC1592E2
 gpg --verify gitea-1.5.0-linux-amd64.asc gitea-1.5.0-linux-amd64
 ```

--- a/docs/content/doc/installation/from-source.en-us.md
+++ b/docs/content/doc/installation/from-source.en-us.md
@@ -66,7 +66,7 @@ provided to keep the build process as simple as possible.
 Depending on requirements, the following build tags can be included.

 * `bindata`: Build a single monolithic binary, with all assets included.
-* `sqlite`: Enable support for a [SQLite3](https://sqlite.org/) database. Suggested only
+* `sqlite sqlite_unlock_notify`: Enable support for a [SQLite3](https://sqlite.org/) database. Suggested only
  for tiny installations.
 * `tidb`: Enable support for a [TiDB](https://github.com/pingcap/tidb) database.
 * `pam`: Enable support for PAM (Linux Pluggable Authentication Modules). Can be used to
--- a/docs/content/doc/installation/from-source.fr-fr.md
+++ b/docs/content/doc/installation/from-source.fr-fr.md
@@ -57,7 +57,7 @@ git checkout pr-xyz
 Comme nous regroupons déjà toutes les bibliothèques requises pour compiler Gitea, vous pouvez continuer avec le processus de compilation lui-même. Nous fournissons diverses [tâches Make](https://github.com/go-gitea/gitea/blob/master/Makefile) pour rendre le processus de construction aussi simple que possible. <a href='{{< relref "doc/advanced/make.fr-fr.md" >}}'>Voyez ici comment obtenir Make</a>. Selon vos besoins, vous pourrez éventuellement ajouter diverses options de compilation, vous pouvez choisir entre ces options :

 * `bindata`: Intègre toutes les ressources nécessaires à l'exécution d'une instance de Gitea, ce qui rend un déploiement facile car il n'est pas nécessaire de se préoccuper des fichiers supplémentaires.
-* `sqlite`: Active la prise en charge d'une base de données [SQLite3](https://sqlite.org/), ceci n'est recommandé que pour les petites installations de Gitea.
+* `sqlite sqlite_unlock_notify`: Active la prise en charge d'une base de données [SQLite3](https://sqlite.org/), ceci n'est recommandé que pour les petites installations de Gitea.
 * `tidb`: Active la prise en charge d'une base de données [TiDB](https://github.com/pingcap/tidb), c'est une base de données simplet et basée sur des fichiers. Elle est comparable à SQLite.
 * `pam`: Active la prise en charge de PAM (mLinux Pluggable Authentication Modules), très utile si vos utilisateurs doivent être authentifiés avec les comptes du système.

--- a/docs/content/doc/installation/from-source.zh-cn.md
+++ b/docs/content/doc/installation/from-source.zh-cn.md
@@ -47,7 +47,7 @@ git checkout v1.0.0
 我们已经将所有的依赖项拷贝到本工程，我们提供了一些 [编译选项](https://github.com/go-gitea/gitea/blob/master/Makefile) 来让编译更简单。你可以按照你的需求来设置编译开关，可用编译选项如下：

 * `bindata`: 这个编译选项将会把运行Gitea所需的所有外部资源都打包到可执行文件中，这样部署将非常简单因为除了可执行程序将不再需要任何其他文件。
-* `sqlite`: 这个编译选项将启用SQLite3数据库的支持，建议只在少数人使用时使用这个模式。
+* `sqlite sqlite_unlock_notify`: 这个编译选项将启用SQLite3数据库的支持，建议只在少数人使用时使用这个模式。
 * `tidb`: 这个编译选项启用tidb嵌入式数据库的支持，他跟SQLite类似但是是用纯Go编写的。
 * `pam`: 这个编译选项将会启用 PAM (Linux Pluggable Authentication Modules) 认证，如果你使用这一认证模式的话需要开启这个选项。

--- a/docs/content/doc/installation/from-source.zh-tw.md
+++ b/docs/content/doc/installation/from-source.zh-tw.md
@@ -47,7 +47,7 @@ git checkout v1.0.0
 完成設定相依性套件環境等工作後，您就可以開始編譯工作了。我們提供了不同的[編譯選項](https://github.com/go-gitea/gitea/blob/master/Makefile) ，讓編譯過程更加簡單。您可以根據需求來調整編譯選項，底下是可用的編譯選項說明：

 * `bindata`: 使用此標籤來嵌入所有 Gitea 相關資源，您不用擔心其他額外檔案，對於部署來說非常方便。
-* `sqlite`: 使用此標籤來啟用 [SQLite3](https://sqlite.org/) 資料庫，建議只有少數人時才使用此模式。
+* `sqlite sqlite_unlock_notify`: 使用此標籤來啟用 [SQLite3](https://sqlite.org/) 資料庫，建議只有少數人時才使用此模式。
 * `tidb`: 使用此標籤來啟用 [TiDB](https://github.com/pingcap/tidb) 資料庫，它是檔案形式的資料庫，跟 SQLite 類似。
 * `pam`: 使用此標籤來啟用 PAM (Linux Pluggable Authentication Modules) 認證，對於系統使用者來說，此方式最方便了。

--- a/docs/content/doc/installation/run-as-service-in-ubuntu.zh-cn.md
+++ b/docs/content/doc/installation/run-as-service-in-ubuntu.zh-cn.md
@@ -0,0 +1,63 @@
+---
+date: "2017-07-21T12:00:00+02:00"
+title: "在 Linux 中以 service 方式运行"
+slug: "linux-service"
+weight: 10
+toc: true
+draft: false
+menu:
+  sidebar:
+    parent: "installation"
+    name: "在Linux中以service方式运行"
+    weight: 20
+    identifier: "linux-service"
+---
+
+### 在 Ubuntu 16.04 LTS 中以 service 方式运行
+
+#### systemd 方式
+
+在 terminal 中执行以下命令：
+```
+sudo vim /etc/systemd/system/gitea.service
+```
+
+接着拷贝示例代码 [gitea.service](https://github.com/go-gitea/gitea/blob/master/contrib/systemd/gitea.service) 并取消对任何需要运行在主机上的服务部分的注释，譬如 MySQL。
+
+修改 user，home 目录以及其他必须的初始化参数，如果使用自定义端口，则需修改 PORT 参数，反之如果使用默认端口则需删除 -p 标记。
+
+激活 gitea 并将它作为系统自启动服务：
+```
+sudo systemctl enable gitea
+sudo systemctl start gitea
+```
+
+
+#### 使用 supervisor
+
+在 terminal 中执行以下命令安装 supervisor：
+```
+sudo apt install supervisor
+```
+
+为 supervisor 配置日志路径：
+```
+# assuming gitea is installed in /home/git/gitea/
+mkdir /home/git/gitea/log/supervisor
+```
+
+在文件编辑器中打开 supervisor 的配置文件：
+```
+sudo vim /etc/supervisor/supervisord.conf
+```
+
+增加如下示例配置
+[supervisord config](https://github.com/go-gitea/gitea/blob/master/contrib/supervisor/gitea)。
+
+将 user(git) 和 home(/home/git) 设置为与上文部署中匹配的值。如果使用自定义端口，则需修改 PORT 参数，反之如果使用默认端口则需删除 -p 标记。
+
+最后激活 supervisor 并将它作为系统自启动服务：
+```
+sudo systemctl enable supervisor
+sudo systemctl start supervisor
+```
--- a/docs/content/doc/installation/with-docker.en-us.md
+++ b/docs/content/doc/installation/with-docker.en-us.md
@@ -19,8 +19,8 @@ Gitea provides automatically updated Docker images within its Docker Hub organiz
 possible to always use the latest stable tag or to use another service that handles updating
 Docker images.

-This reference setup guides users through the setup based on `docker-compose`, the installation
-of `docker-compose` is out of scope of this documentation. To install `docker-compose` follow
+This reference setup guides users through the setup based on `docker-compose`, but the installation
+of `docker-compose` is out of scope of this documentation. To install `docker-compose` itself follow
 the official [install instructions](https://docs.docker.com/compose/install/).

 ## Basics
@@ -267,3 +267,16 @@ be placed in `/data/gitea` directory. If using host volumes it's quite easy to a
 files; for named volumes this is done through another container or by direct access at
 `/var/lib/docker/volumes/gitea_gitea/_data`. The configuration file will be saved at
 `/data/gitea/conf/app.ini` after the installation.
+
+# Upgrading
+
+:exclamation::exclamation: **Make sure you have volumed data to somewhere outside Docker container** :exclamation::exclamation:**
+
+To upgrade your installation to the latest release:
+```
+# Edit `docker-compose.yml` to update the version, if you have one specified
+# Pull new images
+docker-compose pull
+# Start a new container, automatically removes old one
+docker-compose up -d
+```
--- a/docs/content/doc/usage/command-line.md
+++ b/docs/content/doc/usage/command-line.md
@@ -163,3 +163,24 @@ for automatic deployments.
            - `gitea generate secret INTERNAL_TOKEN`
            - `gitea generate secret LFS_JWT_SECRET`
            - `gitea generate secret SECRET_KEY`
+
+#### keys
+
+Provides an SSHD AuthorizedKeysCommand. Needs to be configured in the sshd config file:
+
+```ini
+...
+# The value of -e and the AuthorizedKeysCommandUser should match the
+# username running gitea
+AuthorizedKeysCommandUser git
+AuthorizedKeysCommand /path/to/gitea keys -e git -u %u -t %t -k %k
+```
+
+The command will return the appropriate authorized_keys line for the
+provided key. You should also set the value
+`SSH_CREATE_AUTHORIZED_KEYS_FILE=false` in the `[server]` section of
+`app.ini`.
+
+NB: opensshd requires the gitea program to be owned by root and not
+writable by group or others. The program must be specified by an absolute
+path.
--- a/docs/content/doc/usage/https-support.md
+++ b/docs/content/doc/usage/https-support.md
@@ -30,8 +30,22 @@ HTTP_PORT = 3000
 CERT_FILE = cert.pem
 KEY_FILE = key.pem
 ```
+
 To learn more about the config values, please checkout the [Config Cheat Sheet](../config-cheat-sheet#server).

+### Setting-up HTTP redirection
+
+The Gitea server is only able to listen to one port; to redirect HTTP requests to the HTTPS port, you will need to enable the HTTP redirection service:
+
+```ini
+[server]
+REDIRECT_OTHER_PORT = true
+; Port the redirection service should listen on
+PORT_TO_REDIRECT = 3080
+```
+
+If you are using Docker, make sure that this port is configured in your `docker-compose.yml` file.
+
 ## Using Let's Encrypt

 [Let's Encrypt](https://letsencrypt.org/) is a Certificate Authority that allows you to automatically request and renew SSL/TLS certificates. In addition to starting Gitea on your configured port, to request HTTPS certificates Gitea will also need to listed on port 80, and will set up an autoredirect to HTTPS for you. Let's Encrypt will need to be able to access Gitea via the Internet to verify your ownership of the domain.
--- a/integrations/api_admin_test.go
+++ b/integrations/api_admin_test.go
@@ -39,8 +39,8 @@ func TestAPIAdminCreateAndDeleteSSHKey(t *testing.T) {
 		OwnerID:     keyOwner.ID,
 	})

-	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token="+token,
-		keyOwner.Name, newPublicKey.ID)
+	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",
+		keyOwner.Name, newPublicKey.ID, token)
 	session.MakeRequest(t, req, http.StatusNoContent)
 	models.AssertNotExistsBean(t, &models.PublicKey{ID: newPublicKey.ID})
 }
@@ -51,7 +51,7 @@ func TestAPIAdminDeleteMissingSSHKey(t *testing.T) {
 	session := loginUser(t, "user1")

 	token := getTokenForLoggedInUser(t, session)
-	req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d?token="+token, models.NonexistentID)
+	req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d?token=%s", models.NonexistentID, token)
 	session.MakeRequest(t, req, http.StatusNotFound)
 }

@@ -73,8 +73,8 @@ func TestAPIAdminDeleteUnauthorizedKey(t *testing.T) {

 	session = loginUser(t, normalUsername)
 	token = getTokenForLoggedInUser(t, session)
-	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token="+token,
-		adminUsername, newPublicKey.ID)
+	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",
+		adminUsername, newPublicKey.ID, token)
 	session.MakeRequest(t, req, http.StatusForbidden)
 }

--- a/integrations/api_keys_test.go
+++ b/integrations/api_keys_test.go
@@ -7,8 +7,11 @@ package integrations
 import (
 	"fmt"
 	"net/http"
+	"net/url"
 	"testing"

+	"github.com/stretchr/testify/assert"
+
 	"code.gitea.io/gitea/models"
 	api "code.gitea.io/sdk/gitea"
 )
@@ -90,3 +93,102 @@ func TestCreateReadWriteDeployKey(t *testing.T) {
 		Mode:    models.AccessModeWrite,
 	})
 }
+
+func TestCreateUserKey(t *testing.T) {
+	prepareTestEnv(t)
+	user := models.AssertExistsAndLoadBean(t, &models.User{Name: "user1"}).(*models.User)
+
+	session := loginUser(t, "user1")
+	token := url.QueryEscape(getTokenForLoggedInUser(t, session))
+	keysURL := fmt.Sprintf("/api/v1/user/keys?token=%s", token)
+	keyType := "ssh-rsa"
+	keyContent := "AAAAB3NzaC1yc2EAAAADAQABAAABAQCyTiPTeHJl6Gs5D1FyHT0qTWpVkAy9+LIKjctQXklrePTvUNVrSpt4r2exFYXNMPeA8V0zCrc3Kzs1SZw3jWkG3i53te9onCp85DqyatxOD2pyZ30/gPn1ZUg40WowlFM8gsUFMZqaH7ax6d8nsBKW7N/cRyqesiOQEV9up3tnKjIB8XMTVvC5X4rBWgywz7AFxSv8mmaTHnUgVW4LgMPwnTWo0pxtiIWbeMLyrEE4hIM74gSwp6CRQYo6xnG3fn4yWkcK2X2mT9adQ241IDdwpENJHcry/T6AJ8dNXduEZ67egnk+rVlQ2HM4LpymAv9DAAFFeaQK0hT+3aMDoumV"
+	rawKeyBody := api.CreateKeyOption{
+		Title: "test-key",
+		Key:   keyType + " " + keyContent,
+	}
+	req := NewRequestWithJSON(t, "POST", keysURL, rawKeyBody)
+	resp := session.MakeRequest(t, req, http.StatusCreated)
+
+	var newPublicKey api.PublicKey
+	DecodeJSON(t, resp, &newPublicKey)
+	models.AssertExistsAndLoadBean(t, &models.PublicKey{
+		ID:      newPublicKey.ID,
+		OwnerID: user.ID,
+		Name:    rawKeyBody.Title,
+		Content: rawKeyBody.Key,
+		Mode:    models.AccessModeWrite,
+	})
+
+	// Search by fingerprint
+	fingerprintURL := fmt.Sprintf("/api/v1/user/keys?token=%s&fingerprint=%s", token, newPublicKey.Fingerprint)
+
+	req = NewRequest(t, "GET", fingerprintURL)
+	resp = session.MakeRequest(t, req, http.StatusOK)
+
+	var fingerprintPublicKeys []api.PublicKey
+	DecodeJSON(t, resp, &fingerprintPublicKeys)
+	assert.Equal(t, newPublicKey.Fingerprint, fingerprintPublicKeys[0].Fingerprint)
+	assert.Equal(t, newPublicKey.ID, fingerprintPublicKeys[0].ID)
+	assert.Equal(t, user.ID, fingerprintPublicKeys[0].Owner.ID)
+
+	fingerprintURL = fmt.Sprintf("/api/v1/users/%s/keys?token=%s&fingerprint=%s", user.Name, token, newPublicKey.Fingerprint)
+
+	req = NewRequest(t, "GET", fingerprintURL)
+	resp = session.MakeRequest(t, req, http.StatusOK)
+
+	DecodeJSON(t, resp, &fingerprintPublicKeys)
+	assert.Equal(t, newPublicKey.Fingerprint, fingerprintPublicKeys[0].Fingerprint)
+	assert.Equal(t, newPublicKey.ID, fingerprintPublicKeys[0].ID)
+	assert.Equal(t, user.ID, fingerprintPublicKeys[0].Owner.ID)
+
+	// Fail search by fingerprint
+	fingerprintURL = fmt.Sprintf("/api/v1/user/keys?token=%s&fingerprint=%sA", token, newPublicKey.Fingerprint)
+
+	req = NewRequest(t, "GET", fingerprintURL)
+	resp = session.MakeRequest(t, req, http.StatusOK)
+
+	DecodeJSON(t, resp, &fingerprintPublicKeys)
+	assert.Len(t, fingerprintPublicKeys, 0)
+
+	// Fail searching for wrong users key
+	fingerprintURL = fmt.Sprintf("/api/v1/users/%s/keys?token=%s&fingerprint=%s", "user2", token, newPublicKey.Fingerprint)
+	req = NewRequest(t, "GET", fingerprintURL)
+	resp = session.MakeRequest(t, req, http.StatusOK)
+
+	DecodeJSON(t, resp, &fingerprintPublicKeys)
+	assert.Len(t, fingerprintPublicKeys, 0)
+
+	// Now login as user 2
+	session2 := loginUser(t, "user2")
+	token2 := url.QueryEscape(getTokenForLoggedInUser(t, session2))
+
+	// Should find key even though not ours, but we shouldn't know whose it is
+	fingerprintURL = fmt.Sprintf("/api/v1/user/keys?token=%s&fingerprint=%s", token2, newPublicKey.Fingerprint)
+	req = NewRequest(t, "GET", fingerprintURL)
+	resp = session.MakeRequest(t, req, http.StatusOK)
+
+	DecodeJSON(t, resp, &fingerprintPublicKeys)
+	assert.Equal(t, newPublicKey.Fingerprint, fingerprintPublicKeys[0].Fingerprint)
+	assert.Equal(t, newPublicKey.ID, fingerprintPublicKeys[0].ID)
+	assert.Nil(t, fingerprintPublicKeys[0].Owner)
+
+	// Should find key even though not ours, but we shouldn't know whose it is
+	fingerprintURL = fmt.Sprintf("/api/v1/users/%s/keys?token=%s&fingerprint=%s", user.Name, token2, newPublicKey.Fingerprint)
+
+	req = NewRequest(t, "GET", fingerprintURL)
+	resp = session.MakeRequest(t, req, http.StatusOK)
+
+	DecodeJSON(t, resp, &fingerprintPublicKeys)
+	assert.Equal(t, newPublicKey.Fingerprint, fingerprintPublicKeys[0].Fingerprint)
+	assert.Equal(t, newPublicKey.ID, fingerprintPublicKeys[0].ID)
+	assert.Nil(t, fingerprintPublicKeys[0].Owner)
+
+	// Fail when searching for key if it is not ours
+	fingerprintURL = fmt.Sprintf("/api/v1/users/%s/keys?token=%s&fingerprint=%s", "user2", token2, newPublicKey.Fingerprint)
+	req = NewRequest(t, "GET", fingerprintURL)
+	resp = session.MakeRequest(t, req, http.StatusOK)
+
+	DecodeJSON(t, resp, &fingerprintPublicKeys)
+	assert.Len(t, fingerprintPublicKeys, 0)
+}
--- a/integrations/api_org_test.go
+++ b/integrations/api_org_test.go
@@ -0,0 +1,48 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+	"net/http"
+	"strings"
+	"testing"
+
+	"code.gitea.io/gitea/models"
+	api "code.gitea.io/sdk/gitea"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAPIOrg(t *testing.T) {
+	prepareTestEnv(t)
+
+	session := loginUser(t, "user1")
+
+	token := getTokenForLoggedInUser(t, session)
+	var org = api.CreateOrgOption{
+		UserName:    "user1_org",
+		FullName:    "User1's organization",
+		Description: "This organization created by user1",
+		Website:     "https://try.gitea.io",
+		Location:    "Shanghai",
+	}
+	req := NewRequestWithJSON(t, "POST", "/api/v1/orgs?token="+token, &org)
+	resp := session.MakeRequest(t, req, http.StatusCreated)
+
+	var apiOrg api.Organization
+	DecodeJSON(t, resp, &apiOrg)
+
+	assert.Equal(t, org.UserName, apiOrg.UserName)
+	assert.Equal(t, org.FullName, apiOrg.FullName)
+	assert.Equal(t, org.Description, apiOrg.Description)
+	assert.Equal(t, org.Website, apiOrg.Website)
+	assert.Equal(t, org.Location, apiOrg.Location)
+
+	models.AssertExistsAndLoadBean(t, &models.User{
+		Name:      org.UserName,
+		LowerName: strings.ToLower(org.UserName),
+		FullName:  org.FullName,
+	})
+}
--- a/integrations/api_repo_git_ref_test.go
+++ b/integrations/api_repo_git_ref_test.go
@@ -0,0 +1,34 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+	"net/http"
+	"testing"
+
+	"code.gitea.io/gitea/models"
+)
+
+func TestAPIReposGitRefs(t *testing.T) {
+	prepareTestEnv(t)
+	user := models.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
+	// Login as User2.
+	session := loginUser(t, user.Name)
+	token := getTokenForLoggedInUser(t, session)
+
+	for _, ref := range [...]string{
+		"refs/heads/master", // Branch
+		"refs/tags/v1.1",    // Tag
+	} {
+		req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/%s?token="+token, user.Name, ref)
+		session.MakeRequest(t, req, http.StatusOK)
+	}
+	// Test getting all refs
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/refs?token="+token, user.Name)
+	session.MakeRequest(t, req, http.StatusOK)
+	// Test getting non-existent refs
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/repo1/git/refs/heads/unknown?token="+token, user.Name)
+	session.MakeRequest(t, req, http.StatusNotFound)
+}
--- a/integrations/api_repo_test.go
+++ b/integrations/api_repo_test.go
@@ -164,7 +164,7 @@ func TestAPISearchRepo(t *testing.T) {
 					assert.Len(t, body.Data, expected.count)
 					for _, repo := range body.Data {
 						r := getRepo(t, repo.ID)
-						hasAccess, err := models.HasAccess(userID, r, models.AccessModeRead)
+						hasAccess, err := models.HasAccess(userID, r)
 						assert.NoError(t, err)
 						assert.True(t, hasAccess)

@@ -212,21 +212,46 @@ func TestAPIViewRepo(t *testing.T) {
 func TestAPIOrgRepos(t *testing.T) {
 	prepareTestEnv(t)
 	user := models.AssertExistsAndLoadBean(t, &models.User{ID: 2}).(*models.User)
+	user2 := models.AssertExistsAndLoadBean(t, &models.User{ID: 1}).(*models.User)
+	user3 := models.AssertExistsAndLoadBean(t, &models.User{ID: 5}).(*models.User)
 	// User3 is an Org. Check their repos.
 	sourceOrg := models.AssertExistsAndLoadBean(t, &models.User{ID: 3}).(*models.User)
-	// Login as User2.
-	session := loginUser(t, user.Name)
-	token := getTokenForLoggedInUser(t, session)
-	req := NewRequestf(t, "GET", "/api/v1/orgs/%s/repos?token="+token, sourceOrg.Name)
-	resp := session.MakeRequest(t, req, http.StatusOK)

-	var apiRepos []*api.Repository
-	DecodeJSON(t, resp, &apiRepos)
-	expectedLen := models.GetCount(t, models.Repository{OwnerID: sourceOrg.ID},
-		models.Cond("is_private = ?", false))
-	assert.Len(t, apiRepos, expectedLen)
-	for _, repo := range apiRepos {
-		assert.False(t, repo.Private)
+	expectedResults := map[*models.User]struct {
+		count           int
+		includesPrivate bool
+	}{
+		nil:   {count: 1},
+		user:  {count: 2, includesPrivate: true},
+		user2: {count: 3, includesPrivate: true},
+		user3: {count: 1},
+	}
+
+	for userToLogin, expected := range expectedResults {
+		var session *TestSession
+		var testName string
+		var token string
+		if userToLogin != nil && userToLogin.ID > 0 {
+			testName = fmt.Sprintf("LoggedUser%d", userToLogin.ID)
+			session = loginUser(t, userToLogin.Name)
+			token = getTokenForLoggedInUser(t, session)
+		} else {
+			testName = "AnonymousUser"
+			session = emptyTestSession(t)
+		}
+		t.Run(testName, func(t *testing.T) {
+			req := NewRequestf(t, "GET", "/api/v1/orgs/%s/repos?token="+token, sourceOrg.Name)
+			resp := session.MakeRequest(t, req, http.StatusOK)
+
+			var apiRepos []*api.Repository
+			DecodeJSON(t, resp, &apiRepos)
+			assert.Len(t, apiRepos, expected.count)
+			for _, repo := range apiRepos {
+				if !expected.includesPrivate {
+					assert.False(t, repo.Private)
+				}
+			}
+		})
 	}
 }

--- a/integrations/api_user_heatmap_test.go
+++ b/integrations/api_user_heatmap_test.go
@@ -0,0 +1,30 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.package models
+
+package integrations
+
+import (
+	"code.gitea.io/gitea/models"
+	"fmt"
+	"github.com/stretchr/testify/assert"
+	"net/http"
+	"testing"
+)
+
+func TestUserHeatmap(t *testing.T) {
+	prepareTestEnv(t)
+	adminUsername := "user1"
+	normalUsername := "user2"
+	session := loginUser(t, adminUsername)
+
+	urlStr := fmt.Sprintf("/api/v1/users/%s/heatmap", normalUsername)
+	req := NewRequest(t, "GET", urlStr)
+	resp := session.MakeRequest(t, req, http.StatusOK)
+	var heatmap []*models.UserHeatmapData
+	DecodeJSON(t, resp, &heatmap)
+	var dummyheatmap []*models.UserHeatmapData
+	dummyheatmap = append(dummyheatmap, &models.UserHeatmapData{Timestamp: 1540080000, Contributions: 1})
+
+	assert.Equal(t, dummyheatmap, heatmap)
+}
--- a/integrations/api_user_orgs_test.go
+++ b/integrations/api_user_orgs_test.go
@@ -0,0 +1,63 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.package models
+
+package integrations
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	api "code.gitea.io/sdk/gitea"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestUserOrgs(t *testing.T) {
+	prepareTestEnv(t)
+	adminUsername := "user1"
+	normalUsername := "user2"
+	session := loginUser(t, adminUsername)
+	token := getTokenForLoggedInUser(t, session)
+	urlStr := fmt.Sprintf("/api/v1/users/%s/orgs?token=%s", normalUsername, token)
+	req := NewRequest(t, "GET", urlStr)
+	resp := session.MakeRequest(t, req, http.StatusOK)
+	var orgs []*api.Organization
+	DecodeJSON(t, resp, &orgs)
+
+	assert.Equal(t, []*api.Organization{
+		{
+			ID:          3,
+			UserName:    "user3",
+			FullName:    "User Three",
+			AvatarURL:   "https://secure.gravatar.com/avatar/97d6d9441ff85fdc730e02a6068d267b?d=identicon",
+			Description: "",
+			Website:     "",
+			Location:    "",
+		},
+	}, orgs)
+}
+
+func TestMyOrgs(t *testing.T) {
+	prepareTestEnv(t)
+
+	normalUsername := "user2"
+	session := loginUser(t, normalUsername)
+	token := getTokenForLoggedInUser(t, session)
+	req := NewRequest(t, "GET", "/api/v1/user/orgs?token="+token)
+	resp := session.MakeRequest(t, req, http.StatusOK)
+	var orgs []*api.Organization
+	DecodeJSON(t, resp, &orgs)
+
+	assert.Equal(t, []*api.Organization{
+		{
+			ID:          3,
+			UserName:    "user3",
+			FullName:    "User Three",
+			AvatarURL:   "https://secure.gravatar.com/avatar/97d6d9441ff85fdc730e02a6068d267b?d=identicon",
+			Description: "",
+			Website:     "",
+			Location:    "",
+		},
+	}, orgs)
+}
--- a/integrations/auth_ldap_test.go
+++ b/integrations/auth_ldap_test.go
@@ -43,6 +43,7 @@ var gitLDAPUsers = []ldapUser{
 		SSHKeys: []string{
 			"SHA256:qLY06smKfHoW/92yXySpnxFR10QFrLdRjf/GNPvwcW8",
 			"SHA256:QlVTuM5OssDatqidn2ffY+Lc4YA5Fs78U+0KOHI51jQ",
+			"SHA256:DXdeUKYOJCSSmClZuwrb60hUq7367j4fA+udNC3FdRI",
 		},
 		IsAdmin: true,
 	},
--- a/integrations/benchmarks_test.go
+++ b/integrations/benchmarks_test.go
@@ -102,7 +102,7 @@ func BenchmarkRepoBranchCommit(b *testing.B) {
 				branchCount := len(branches)
 				b.ResetTimer() //We measure from here
 				for i := 0; i < b.N; i++ {
-					req := NewRequestf(b, "GET", "/%s/%s/commits/%s", owner.Name, repo.Name, branches[i%branchCount])
+					req := NewRequestf(b, "GET", "/%s/%s/commits/%s", owner.Name, repo.Name, branches[i%branchCount].Name)
 					session.MakeRequest(b, req, http.StatusOK)
 				}
 			})
--- a/integrations/download_test.go
+++ b/integrations/download_test.go
@@ -0,0 +1,24 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package integrations
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDownloadByID(t *testing.T) {
+	prepareTestEnv(t)
+
+	session := loginUser(t, "user2")
+
+	// Request raw blob
+	req := NewRequest(t, "GET", "/user2/repo1/raw/blob/4b4851ad51df6a7d9f25c979345979eaeb5b349f")
+	resp := session.MakeRequest(t, req, http.StatusOK)
+
+	assert.Equal(t, "# repo1\n\nDescription for repo1", resp.Body.String())
+}
--- a/integrations/git_test.go
+++ b/integrations/git_test.go
@@ -143,7 +143,8 @@ func TestGit(t *testing.T) {

 			session := loginUser(t, "user1")
 			keyOwner := models.AssertExistsAndLoadBean(t, &models.User{Name: "user2"}).(*models.User)
-			urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys", keyOwner.Name)
+			token := getTokenForLoggedInUser(t, session)
+			urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", keyOwner.Name, token)

 			dataPubKey, err := ioutil.ReadFile(keyFile + ".pub")
 			assert.NoError(t, err)
--- a/integrations/integration_test.go
+++ b/integrations/integration_test.go
@@ -47,6 +47,8 @@ func TestMain(m *testing.M) {
 		helper = &testfixtures.PostgreSQL{}
 	} else if setting.UseSQLite3 {
 		helper = &testfixtures.SQLite{}
+	} else if setting.UseMSSQL {
+		helper = &testfixtures.SQLServer{}
 	} else {
 		fmt.Println("Unsupported RDBMS for integration tests")
 		os.Exit(1)
@@ -97,6 +99,7 @@ func initIntegrationTest() {
 	}

 	setting.NewContext()
+	setting.CheckLFSVersion()
 	models.LoadConfigs()

 	switch {
@@ -130,6 +133,17 @@ func initIntegrationTest() {
 		if _, err = db.Exec("CREATE DATABASE testgitea"); err != nil {
 			log.Fatalf("db.Exec: %v", err)
 		}
+	case setting.UseMSSQL:
+		host, port := models.ParseMSSQLHostPort(models.DbCfg.Host)
+		db, err := sql.Open("mssql", fmt.Sprintf("server=%s; port=%s; database=%s; user id=%s; password=%s;",
+			host, port, "master", models.DbCfg.User, models.DbCfg.Passwd))
+		if err != nil {
+			log.Fatalf("sql.Open: %v", err)
+		}
+		if _, err := db.Exec("If(db_id(N'gitea') IS NULL) BEGIN CREATE DATABASE gitea; END;"); err != nil {
+			log.Fatalf("db.Exec: %v", err)
+		}
+		defer db.Close()
 	}
 	routers.GlobalInit()
 }
--- a/integrations/mssql.ini.tmpl
+++ b/integrations/mssql.ini.tmpl
@@ -0,0 +1,72 @@
+APP_NAME = Gitea: Git with a cup of tea
+RUN_MODE = prod
+
+[database]
+DB_TYPE  = mssql
+HOST     = {{TEST_MSSQL_HOST}}
+NAME     = {{TEST_MSSQL_DBNAME}}
+USER     = {{TEST_MSSQL_USERNAME}}
+PASSWD   = {{TEST_MSSQL_PASSWORD}}
+SSL_MODE = disable
+
+[indexer]
+ISSUE_INDEXER_PATH = integrations/indexers-mssql/issues.bleve
+REPO_INDEXER_ENABLED = true
+REPO_INDEXER_PATH = integrations/indexers-mssql/repos.bleve
+
+[repository]
+ROOT = integrations/gitea-integration-mssql/gitea-repositories
+
+[repository.local]
+LOCAL_COPY_PATH = tmp/local-repo-mssql
+LOCAL_WIKI_PATH = tmp/local-wiki-mssql
+
+[server]
+SSH_DOMAIN       = localhost
+HTTP_PORT        = 3003
+ROOT_URL         = http://localhost:3003/
+DISABLE_SSH      = false
+SSH_LISTEN_HOST  = localhost
+SSH_PORT         = 2201
+START_SSH_SERVER = true
+LFS_START_SERVER = true
+LFS_CONTENT_PATH = data/lfs-mssql
+OFFLINE_MODE     = false
+LFS_JWT_SECRET   = Tv_MjmZuHqpIY6GFl12ebgkRAMt4RlWt0v4EHKSXO0w
+APP_DATA_PATH    = integrations/gitea-integration-mssql/data
+
+[mailer]
+ENABLED = false
+
+[service]
+REGISTER_EMAIL_CONFIRM            = false
+ENABLE_NOTIFY_MAIL                = false
+DISABLE_REGISTRATION              = false
+ENABLE_CAPTCHA                    = false
+REQUIRE_SIGNIN_VIEW               = false
+DEFAULT_KEEP_EMAIL_PRIVATE        = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+NO_REPLY_ADDRESS                  = noreply.example.org
+
+[picture]
+DISABLE_GRAVATAR        = false
+ENABLE_FEDERATED_AVATAR = false
+
+[session]
+PROVIDER = file
+PROVIDER_CONFIG = data/sessions-mssql
+
+[log]
+MODE      = console,file
+ROOT_PATH = mssql-log
+
+[log.console]
+LEVEL = Warn
+
+[log.file]
+LEVEL = Debug
+
+[security]
+INSTALL_LOCK   = true
+SECRET_KEY     = 9pCviYTWSb
+INTERNAL_TOKEN = eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE0OTU1NTE2MTh9.hhSVGOANkaKk3vfCd2jDOIww4pUk0xtg9JRde5UogyQ
--- a/integrations/pull_merge_test.go
+++ b/integrations/pull_merge_test.go
@@ -77,6 +77,19 @@ func TestPullRebase(t *testing.T) {
 	testPullMerge(t, session, elem[1], elem[2], elem[4], models.MergeStyleRebase)
 }

+func TestPullRebaseMerge(t *testing.T) {
+	prepareTestEnv(t)
+	session := loginUser(t, "user1")
+	testRepoFork(t, session, "user2", "repo1", "user1", "repo1")
+	testEditFile(t, session, "user1", "repo1", "master", "README.md", "Hello, World (Edited)\n")
+
+	resp := testPullCreate(t, session, "user1", "repo1", "master", "This is a pull title")
+
+	elem := strings.Split(test.RedirectURL(resp), "/")
+	assert.EqualValues(t, "pulls", elem[3])
+	testPullMerge(t, session, elem[1], elem[2], elem[4], models.MergeStyleRebaseMerge)
+}
+
 func TestPullSquash(t *testing.T) {
 	prepareTestEnv(t)
 	session := loginUser(t, "user1")
--- a/main.go
+++ b/main.go
@@ -8,11 +8,13 @@ package main // import "code.gitea.io/gitea"

 import (
 	"os"
+	"runtime"
 	"strings"

 	"code.gitea.io/gitea/cmd"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+
 	// register supported doc types
 	_ "code.gitea.io/gitea/modules/markup/csv"
 	_ "code.gitea.io/gitea/modules/markup/markdown"
@@ -47,8 +49,10 @@ arguments - which can alternatively be run by running the subcommand web.`
 		cmd.CmdCert,
 		cmd.CmdAdmin,
 		cmd.CmdGenerate,
+		cmd.CmdMigrate,
+		cmd.CmdKeys,
 	}
-	app.Flags = append(app.Flags, []cli.Flag{}...)
+	app.Flags = append(app.Flags, cmd.CmdWeb.Flags...)
 	app.Action = cmd.CmdWeb.Action
 	err := app.Run(os.Args)
 	if err != nil {
@@ -58,8 +62,8 @@ arguments - which can alternatively be run by running the subcommand web.`

 func formatBuiltWith(Tags string) string {
 	if len(Tags) == 0 {
-		return ""
+		return " built with " + runtime.Version()
 	}

-	return " built with: " + strings.Replace(Tags, " ", ", ", -1)
+	return " built with " + runtime.Version() + " : " + strings.Replace(Tags, " ", ", ", -1)
 }
--- a/models/access.go
+++ b/models/access.go
@@ -80,22 +80,6 @@ func accessLevel(e Engine, userID int64, repo *Repository) (AccessMode, error) {
 	return a.Mode, nil
 }

-// AccessLevel returns the Access a user has to a repository. Will return NoneAccess if the
-// user does not have access.
-func AccessLevel(userID int64, repo *Repository) (AccessMode, error) {
-	return accessLevel(x, userID, repo)
-}
-
-func hasAccess(e Engine, userID int64, repo *Repository, testMode AccessMode) (bool, error) {
-	mode, err := accessLevel(e, userID, repo)
-	return testMode <= mode, err
-}
-
-// HasAccess returns true if user has access to repo
-func HasAccess(userID int64, repo *Repository, testMode AccessMode) (bool, error) {
-	return hasAccess(x, userID, repo, testMode)
-}
-
 type repoAccess struct {
 	Access     `xorm:"extends"`
 	Repository `xorm:"extends"`
--- a/models/access_test.go
+++ b/models/access_test.go
@@ -20,28 +20,28 @@ var accessModes = []AccessMode{
 func TestAccessLevel(t *testing.T) {
 	assert.NoError(t, PrepareTestDatabase())

-	user1 := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)
-	user2 := AssertExistsAndLoadBean(t, &User{ID: 5}).(*User)
+	user2 := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)
+	user5 := AssertExistsAndLoadBean(t, &User{ID: 5}).(*User)
 	// A public repository owned by User 2
 	repo1 := AssertExistsAndLoadBean(t, &Repository{ID: 1}).(*Repository)
 	assert.False(t, repo1.IsPrivate)
 	// A private repository owned by Org 3
-	repo2 := AssertExistsAndLoadBean(t, &Repository{ID: 3}).(*Repository)
-	assert.True(t, repo2.IsPrivate)
+	repo3 := AssertExistsAndLoadBean(t, &Repository{ID: 3}).(*Repository)
+	assert.True(t, repo3.IsPrivate)

-	level, err := AccessLevel(user1.ID, repo1)
+	level, err := AccessLevel(user2, repo1)
 	assert.NoError(t, err)
 	assert.Equal(t, AccessModeOwner, level)

-	level, err = AccessLevel(user1.ID, repo2)
+	level, err = AccessLevel(user2, repo3)
 	assert.NoError(t, err)
-	assert.Equal(t, AccessModeWrite, level)
+	assert.Equal(t, AccessModeOwner, level)

-	level, err = AccessLevel(user2.ID, repo1)
+	level, err = AccessLevel(user5, repo1)
 	assert.NoError(t, err)
 	assert.Equal(t, AccessModeRead, level)

-	level, err = AccessLevel(user2.ID, repo2)
+	level, err = AccessLevel(user5, repo3)
 	assert.NoError(t, err)
 	assert.Equal(t, AccessModeNone, level)
 }
@@ -58,23 +58,18 @@ func TestHasAccess(t *testing.T) {
 	repo2 := AssertExistsAndLoadBean(t, &Repository{ID: 3}).(*Repository)
 	assert.True(t, repo2.IsPrivate)

-	for _, accessMode := range accessModes {
-		has, err := HasAccess(user1.ID, repo1, accessMode)
-		assert.NoError(t, err)
-		assert.True(t, has)
+	has, err := HasAccess(user1.ID, repo1)
+	assert.NoError(t, err)
+	assert.True(t, has)

-		has, err = HasAccess(user1.ID, repo2, accessMode)
-		assert.NoError(t, err)
-		assert.Equal(t, accessMode <= AccessModeWrite, has)
+	has, err = HasAccess(user1.ID, repo2)
+	assert.NoError(t, err)

-		has, err = HasAccess(user2.ID, repo1, accessMode)
-		assert.NoError(t, err)
-		assert.Equal(t, accessMode <= AccessModeRead, has)
+	has, err = HasAccess(user2.ID, repo1)
+	assert.NoError(t, err)

-		has, err = HasAccess(user2.ID, repo2, accessMode)
-		assert.NoError(t, err)
-		assert.Equal(t, accessMode <= AccessModeNone, has)
-	}
+	has, err = HasAccess(user2.ID, repo2)
+	assert.NoError(t, err)
 }

 func TestUser_GetRepositoryAccesses(t *testing.T) {
--- a/models/action.go
+++ b/models/action.go
@@ -194,6 +194,10 @@ func (a *Action) GetRepoLink() string {

 // GetCommentLink returns link to action comment.
 func (a *Action) GetCommentLink() string {
+	return a.getCommentLink(x)
+}
+
+func (a *Action) getCommentLink(e Engine) string {
 	if a == nil {
 		return "#"
 	}
@@ -213,11 +217,15 @@ func (a *Action) GetCommentLink() string {
 		return "#"
 	}

-	issue, err := GetIssueByID(issueID)
+	issue, err := getIssueByID(e, issueID)
 	if err != nil {
 		return "#"
 	}

+	if err = issue.loadRepo(e); err != nil {
+		return "#"
+	}
+
 	return issue.HTMLURL()
 }

@@ -330,13 +338,15 @@ type PushCommits struct {
 	Commits    []*PushCommit
 	CompareURL string

-	avatars map[string]string
+	avatars    map[string]string
+	emailUsers map[string]*User
 }

 // NewPushCommits creates a new PushCommits object.
 func NewPushCommits() *PushCommits {
 	return &PushCommits{
-		avatars: make(map[string]string),
+		avatars:    make(map[string]string),
+		emailUsers: make(map[string]*User),
 	}
 }

@@ -344,16 +354,34 @@ func NewPushCommits() *PushCommits {
 // api.PayloadCommit format.
 func (pc *PushCommits) ToAPIPayloadCommits(repoLink string) []*api.PayloadCommit {
 	commits := make([]*api.PayloadCommit, len(pc.Commits))
+
+	if pc.emailUsers == nil {
+		pc.emailUsers = make(map[string]*User)
+	}
+	var err error
 	for i, commit := range pc.Commits {
 		authorUsername := ""
-		author, err := GetUserByEmail(commit.AuthorEmail)
-		if err == nil {
+		author, ok := pc.emailUsers[commit.AuthorEmail]
+		if !ok {
+			author, err = GetUserByEmail(commit.AuthorEmail)
+			if err == nil {
+				authorUsername = author.Name
+				pc.emailUsers[commit.AuthorEmail] = author
+			}
+		} else {
 			authorUsername = author.Name
 		}
+
 		committerUsername := ""
-		committer, err := GetUserByEmail(commit.CommitterEmail)
-		if err == nil {
-			// TODO: check errors other than email not found.
+		committer, ok := pc.emailUsers[commit.CommitterEmail]
+		if !ok {
+			committer, err = GetUserByEmail(commit.CommitterEmail)
+			if err == nil {
+				// TODO: check errors other than email not found.
+				committerUsername = committer.Name
+				pc.emailUsers[commit.CommitterEmail] = committer
+			}
+		} else {
 			committerUsername = committer.Name
 		}
 		commits[i] = &api.PayloadCommit{
@@ -379,18 +407,28 @@ func (pc *PushCommits) ToAPIPayloadCommits(repoLink string) []*api.PayloadCommit
 // AvatarLink tries to match user in database with e-mail
 // in order to show custom avatar, and falls back to general avatar link.
 func (pc *PushCommits) AvatarLink(email string) string {
-	_, ok := pc.avatars[email]
+	avatar, ok := pc.avatars[email]
+	if ok {
+		return avatar
+	}
+
+	u, ok := pc.emailUsers[email]
 	if !ok {
-		u, err := GetUserByEmail(email)
+		var err error
+		u, err = GetUserByEmail(email)
 		if err != nil {
 			pc.avatars[email] = base.AvatarLink(email)
 			if !IsErrUserNotExist(err) {
 				log.Error(4, "GetUserByEmail: %v", err)
+				return ""
 			}
 		} else {
-			pc.avatars[email] = u.RelAvatarLink()
+			pc.emailUsers[email] = u
 		}
 	}
+	if u != nil {
+		pc.avatars[email] = u.RelAvatarLink()
+	}

 	return pc.avatars[email]
 }
@@ -438,8 +476,34 @@ func getIssueFromRef(repo *Repository, ref string) (*Issue, error) {
 	return issue, nil
 }

+func changeIssueStatus(repo *Repository, doer *User, ref string, refMarked map[int64]bool, status bool) error {
+	issue, err := getIssueFromRef(repo, ref)
+	if err != nil {
+		return err
+	}
+
+	if issue == nil || refMarked[issue.ID] {
+		return nil
+	}
+	refMarked[issue.ID] = true
+
+	if issue.RepoID != repo.ID || issue.IsClosed == status {
+		return nil
+	}
+
+	issue.Repo = repo
+	if err = issue.ChangeStatus(doer, status); err != nil {
+		// Don't return an error when dependencies are open as this would let the push fail
+		if IsErrDependenciesLeft(err) {
+			return nil
+		}
+		return err
+	}
+	return nil
+}
+
 // UpdateIssuesCommit checks if issues are manipulated by commit message.
-func UpdateIssuesCommit(doer *User, repo *Repository, commits []*PushCommit) error {
+func UpdateIssuesCommit(doer *User, repo *Repository, commits []*PushCommit, branchName string) error {
 	// Commits are appended in the reverse order.
 	for i := len(commits) - 1; i >= 0; i-- {
 		c := commits[i]
@@ -462,49 +526,21 @@ func UpdateIssuesCommit(doer *User, repo *Repository, commits []*PushCommit) err
 			}
 		}

+		// Change issue status only if the commit has been pushed to the default branch.
+		if repo.DefaultBranch != branchName {
+			continue
+		}
+
 		refMarked = make(map[int64]bool)
-		// FIXME: can merge this one and next one to a common function.
 		for _, ref := range issueCloseKeywordsPat.FindAllString(c.Message, -1) {
-			issue, err := getIssueFromRef(repo, ref)
-			if err != nil {
-				return err
-			}
-
-			if issue == nil || refMarked[issue.ID] {
-				continue
-			}
-			refMarked[issue.ID] = true
-
-			if issue.RepoID != repo.ID || issue.IsClosed {
-				continue
-			}
-
-			if err = issue.ChangeStatus(doer, repo, true); err != nil {
-				// Don't return an error when dependencies are open as this would let the push fail
-				if IsErrDependenciesLeft(err) {
-					return nil
-				}
+			if err := changeIssueStatus(repo, doer, ref, refMarked, true); err != nil {
 				return err
 			}
 		}

 		// It is conflict to have close and reopen at same time, so refsMarked doesn't need to reinit here.
 		for _, ref := range issueReopenKeywordsPat.FindAllString(c.Message, -1) {
-			issue, err := getIssueFromRef(repo, ref)
-			if err != nil {
-				return err
-			}
-
-			if issue == nil || refMarked[issue.ID] {
-				continue
-			}
-			refMarked[issue.ID] = true
-
-			if issue.RepoID != repo.ID || !issue.IsClosed {
-				continue
-			}
-
-			if err = issue.ChangeStatus(doer, repo, false); err != nil {
+			if err := changeIssueStatus(repo, doer, ref, refMarked, false); err != nil {
 				return err
 			}
 		}
@@ -569,7 +605,7 @@ func CommitRepoAction(opts CommitRepoActionOptions) error {
 			opts.Commits.CompareURL = repo.ComposeCompareURL(opts.OldCommitID, opts.NewCommitID)
 		}

-		if err = UpdateIssuesCommit(pusher, repo, opts.Commits.Commits); err != nil {
+		if err = UpdateIssuesCommit(pusher, repo, opts.Commits.Commits, refName); err != nil {
 			log.Error(4, "updateIssuesCommit: %v", err)
 		}
 	}
--- a/models/action_test.go
+++ b/models/action_test.go
@@ -227,10 +227,37 @@ func TestUpdateIssuesCommit(t *testing.T) {

 	AssertNotExistsBean(t, commentBean)
 	AssertNotExistsBean(t, &Issue{RepoID: repo.ID, Index: 2}, "is_closed=1")
-	assert.NoError(t, UpdateIssuesCommit(user, repo, pushCommits))
+	assert.NoError(t, UpdateIssuesCommit(user, repo, pushCommits, repo.DefaultBranch))
 	AssertExistsAndLoadBean(t, commentBean)
 	AssertExistsAndLoadBean(t, issueBean, "is_closed=1")
 	CheckConsistencyFor(t, &Action{})
+
+	// Test that push to a non-default branch closes no issue.
+	pushCommits = []*PushCommit{
+		{
+			Sha1:           "abcdef1",
+			CommitterEmail: "user2@example.com",
+			CommitterName:  "User Two",
+			AuthorEmail:    "user4@example.com",
+			AuthorName:     "User Four",
+			Message:        "close #1",
+		},
+	}
+	repo = AssertExistsAndLoadBean(t, &Repository{ID: 3}).(*Repository)
+	commentBean = &Comment{
+		Type:      CommentTypeCommitRef,
+		CommitSHA: "abcdef1",
+		PosterID:  user.ID,
+		IssueID:   6,
+	}
+	issueBean = &Issue{RepoID: repo.ID, Index: 1}
+
+	AssertNotExistsBean(t, commentBean)
+	AssertNotExistsBean(t, &Issue{RepoID: repo.ID, Index: 1}, "is_closed=1")
+	assert.NoError(t, UpdateIssuesCommit(user, repo, pushCommits, "non-existing-branch"))
+	AssertExistsAndLoadBean(t, commentBean)
+	AssertNotExistsBean(t, issueBean, "is_closed=1")
+	CheckConsistencyFor(t, &Action{})
 }

 func testCorrectRepoAction(t *testing.T, opts CommitRepoActionOptions, actionBean *Action) {
--- a/models/branches.go
+++ b/models/branches.go
@@ -23,18 +23,21 @@ const (

 // ProtectedBranch struct
 type ProtectedBranch struct {
-	ID                    int64  `xorm:"pk autoincr"`
-	RepoID                int64  `xorm:"UNIQUE(s)"`
-	BranchName            string `xorm:"UNIQUE(s)"`
-	CanPush               bool   `xorm:"NOT NULL DEFAULT false"`
-	EnableWhitelist       bool
-	WhitelistUserIDs      []int64        `xorm:"JSON TEXT"`
-	WhitelistTeamIDs      []int64        `xorm:"JSON TEXT"`
-	EnableMergeWhitelist  bool           `xorm:"NOT NULL DEFAULT false"`
-	MergeWhitelistUserIDs []int64        `xorm:"JSON TEXT"`
-	MergeWhitelistTeamIDs []int64        `xorm:"JSON TEXT"`
-	CreatedUnix           util.TimeStamp `xorm:"created"`
-	UpdatedUnix           util.TimeStamp `xorm:"updated"`
+	ID                        int64  `xorm:"pk autoincr"`
+	RepoID                    int64  `xorm:"UNIQUE(s)"`
+	BranchName                string `xorm:"UNIQUE(s)"`
+	CanPush                   bool   `xorm:"NOT NULL DEFAULT false"`
+	EnableWhitelist           bool
+	WhitelistUserIDs          []int64        `xorm:"JSON TEXT"`
+	WhitelistTeamIDs          []int64        `xorm:"JSON TEXT"`
+	EnableMergeWhitelist      bool           `xorm:"NOT NULL DEFAULT false"`
+	MergeWhitelistUserIDs     []int64        `xorm:"JSON TEXT"`
+	MergeWhitelistTeamIDs     []int64        `xorm:"JSON TEXT"`
+	ApprovalsWhitelistUserIDs []int64        `xorm:"JSON TEXT"`
+	ApprovalsWhitelistTeamIDs []int64        `xorm:"JSON TEXT"`
+	RequiredApprovals         int64          `xorm:"NOT NULL DEFAULT 0"`
+	CreatedUnix               util.TimeStamp `xorm:"created"`
+	UpdatedUnix               util.TimeStamp `xorm:"updated"`
 }

 // IsProtected returns if the branch is protected
@@ -86,6 +89,42 @@ func (protectBranch *ProtectedBranch) CanUserMerge(userID int64) bool {
 	return in
 }

+// HasEnoughApprovals returns true if pr has enough granted approvals.
+func (protectBranch *ProtectedBranch) HasEnoughApprovals(pr *PullRequest) bool {
+	if protectBranch.RequiredApprovals == 0 {
+		return true
+	}
+	return protectBranch.GetGrantedApprovalsCount(pr) >= protectBranch.RequiredApprovals
+}
+
+// GetGrantedApprovalsCount returns the number of granted approvals for pr. A granted approval must be authored by a user in an approval whitelist.
+func (protectBranch *ProtectedBranch) GetGrantedApprovalsCount(pr *PullRequest) int64 {
+	reviews, err := GetReviewersByPullID(pr.Issue.ID)
+	if err != nil {
+		log.Error(1, "GetUniqueApprovalsByPullRequestID:", err)
+		return 0
+	}
+
+	approvals := int64(0)
+	userIDs := make([]int64, 0)
+	for _, review := range reviews {
+		if review.Type != ReviewTypeApprove {
+			continue
+		}
+		if base.Int64sContains(protectBranch.ApprovalsWhitelistUserIDs, review.ID) {
+			approvals++
+			continue
+		}
+		userIDs = append(userIDs, review.ID)
+	}
+	approvalTeamCount, err := UsersInTeamsCount(userIDs, protectBranch.ApprovalsWhitelistTeamIDs)
+	if err != nil {
+		log.Error(1, "UsersInTeamsCount:", err)
+		return 0
+	}
+	return approvalTeamCount + approvals
+}
+
 // GetProtectedBranchByRepoID getting protected branch by repo ID
 func GetProtectedBranchByRepoID(RepoID int64) ([]*ProtectedBranch, error) {
 	protectedBranches := make([]*ProtectedBranch, 0)
@@ -118,40 +157,64 @@ func GetProtectedBranchByID(id int64) (*ProtectedBranch, error) {
 	return rel, nil
 }

+// WhitelistOptions represent all sorts of whitelists used for protected branches
+type WhitelistOptions struct {
+	UserIDs []int64
+	TeamIDs []int64
+
+	MergeUserIDs []int64
+	MergeTeamIDs []int64
+
+	ApprovalsUserIDs []int64
+	ApprovalsTeamIDs []int64
+}
+
 // UpdateProtectBranch saves branch protection options of repository.
 // If ID is 0, it creates a new record. Otherwise, updates existing record.
 // This function also performs check if whitelist user and team's IDs have been changed
 // to avoid unnecessary whitelist delete and regenerate.
-func UpdateProtectBranch(repo *Repository, protectBranch *ProtectedBranch, whitelistUserIDs, whitelistTeamIDs, mergeWhitelistUserIDs, mergeWhitelistTeamIDs []int64) (err error) {
+func UpdateProtectBranch(repo *Repository, protectBranch *ProtectedBranch, opts WhitelistOptions) (err error) {
 	if err = repo.GetOwner(); err != nil {
 		return fmt.Errorf("GetOwner: %v", err)
 	}

-	whitelist, err := updateUserWhitelist(repo, protectBranch.WhitelistUserIDs, whitelistUserIDs)
+	whitelist, err := updateUserWhitelist(repo, protectBranch.WhitelistUserIDs, opts.UserIDs)
 	if err != nil {
 		return err
 	}
 	protectBranch.WhitelistUserIDs = whitelist

-	whitelist, err = updateUserWhitelist(repo, protectBranch.MergeWhitelistUserIDs, mergeWhitelistUserIDs)
+	whitelist, err = updateUserWhitelist(repo, protectBranch.MergeWhitelistUserIDs, opts.MergeUserIDs)
 	if err != nil {
 		return err
 	}
 	protectBranch.MergeWhitelistUserIDs = whitelist

+	whitelist, err = updateUserWhitelist(repo, protectBranch.ApprovalsWhitelistUserIDs, opts.ApprovalsUserIDs)
+	if err != nil {
+		return err
+	}
+	protectBranch.ApprovalsWhitelistUserIDs = whitelist
+
 	// if the repo is in an organization
-	whitelist, err = updateTeamWhitelist(repo, protectBranch.WhitelistTeamIDs, whitelistTeamIDs)
+	whitelist, err = updateTeamWhitelist(repo, protectBranch.WhitelistTeamIDs, opts.TeamIDs)
 	if err != nil {
 		return err
 	}
 	protectBranch.WhitelistTeamIDs = whitelist

-	whitelist, err = updateTeamWhitelist(repo, protectBranch.MergeWhitelistTeamIDs, mergeWhitelistTeamIDs)
+	whitelist, err = updateTeamWhitelist(repo, protectBranch.MergeWhitelistTeamIDs, opts.MergeTeamIDs)
 	if err != nil {
 		return err
 	}
 	protectBranch.MergeWhitelistTeamIDs = whitelist

+	whitelist, err = updateTeamWhitelist(repo, protectBranch.ApprovalsWhitelistTeamIDs, opts.ApprovalsTeamIDs)
+	if err != nil {
+		return err
+	}
+	protectBranch.ApprovalsWhitelistTeamIDs = whitelist
+
 	// Make sure protectBranch.ID is not 0 for whitelists
 	if protectBranch.ID == 0 {
 		if _, err = x.Insert(protectBranch); err != nil {
@@ -213,7 +276,7 @@ func (repo *Repository) IsProtectedBranchForPush(branchName string, doer *User)
 }

 // IsProtectedBranchForMerging checks if branch is protected for merging
-func (repo *Repository) IsProtectedBranchForMerging(branchName string, doer *User) (bool, error) {
+func (repo *Repository) IsProtectedBranchForMerging(pr *PullRequest, branchName string, doer *User) (bool, error) {
 	if doer == nil {
 		return true, nil
 	}
@@ -227,7 +290,7 @@ func (repo *Repository) IsProtectedBranchForMerging(branchName string, doer *Use
 	if err != nil {
 		return true, err
 	} else if has {
-		return !protectedBranch.CanUserMerge(doer.ID), nil
+		return !protectedBranch.CanUserMerge(doer.ID) || !protectedBranch.HasEnoughApprovals(pr), nil
 	}

 	return false, nil
@@ -243,10 +306,16 @@ func updateUserWhitelist(repo *Repository, currentWhitelist, newWhitelist []int6

 	whitelist = make([]int64, 0, len(newWhitelist))
 	for _, userID := range newWhitelist {
-		has, err := hasAccess(x, userID, repo, AccessModeWrite)
+		user, err := GetUserByID(userID)
 		if err != nil {
-			return nil, fmt.Errorf("HasAccess [user_id: %d, repo_id: %d]: %v", userID, repo.ID, err)
-		} else if !has {
+			return nil, fmt.Errorf("GetUserByID [user_id: %d, repo_id: %d]: %v", userID, repo.ID, err)
+		}
+		perm, err := GetUserRepoPermission(repo, user)
+		if err != nil {
+			return nil, fmt.Errorf("GetUserRepoPermission [user_id: %d, repo_id: %d]: %v", userID, repo.ID, err)
+		}
+
+		if !perm.CanWrite(UnitTypeCode) {
 			continue // Drop invalid user ID
 		}

@@ -264,14 +333,14 @@ func updateTeamWhitelist(repo *Repository, currentWhitelist, newWhitelist []int6
 		return currentWhitelist, nil
 	}

-	teams, err := GetTeamsWithAccessToRepo(repo.OwnerID, repo.ID, AccessModeWrite)
+	teams, err := GetTeamsWithAccessToRepo(repo.OwnerID, repo.ID, AccessModeRead)
 	if err != nil {
 		return nil, fmt.Errorf("GetTeamsWithAccessToRepo [org_id: %d, repo_id: %d]: %v", repo.OwnerID, repo.ID, err)
 	}

 	whitelist = make([]int64, 0, len(teams))
 	for i := range teams {
-		if teams[i].HasWriteAccess() && com.IsSliceContainsInt64(newWhitelist, teams[i].ID) {
+		if com.IsSliceContainsInt64(newWhitelist, teams[i].ID) {
 			whitelist = append(whitelist, teams[i].ID)
 		}
 	}
--- a/models/fixtures/action.yml
+++ b/models/fixtures/action.yml
@@ -5,6 +5,7 @@
  act_user_id: 2
  repo_id: 2
  is_private: true
+  created_unix: 1540139562

 -
  id: 2
--- a/models/fixtures/repo_unit.yml
+++ b/models/fixtures/repo_unit.yml
@@ -30,7 +30,7 @@
  id: 5
  repo_id: 1
  type: 3
-  config: "{\"IgnoreWhitespaceConflicts\":false,\"AllowMerge\":true,\"AllowRebase\":true,\"AllowSquash\":true}"
+  config: "{\"IgnoreWhitespaceConflicts\":false,\"AllowMerge\":true,\"AllowRebase\":true,\"AllowRebaseMerge\":true,\"AllowSquash\":true}"
  created_unix: 946684810

 -
@@ -51,7 +51,7 @@
  id: 8
  repo_id: 3
  type: 3
-  config: "{\"IgnoreWhitespaceConflicts\":true,\"AllowMerge\":true,\"AllowRebase\":false,\"AllowSquash\":false}"
+  config: "{\"IgnoreWhitespaceConflicts\":true,\"AllowMerge\":true,\"AllowRebase\":false,\"AllowRebaseMerge\":true,\"AllowSquash\":false}"
  created_unix: 946684810

 -
@@ -108,4 +108,116 @@
  repo_id: 33
  type: 5
  config: "{}"
-  created_unix: 1535593231
+  created_unix: 1535593231
+
+-
+  id: 17
+  repo_id: 4
+  type: 4
+  config: "{}"
+  created_unix: 946684810
+
+-
+  id: 18
+  repo_id: 4
+  type: 5
+  config: "{}"
+  created_unix: 946684810
+
+-
+  id: 19
+  repo_id: 4
+  type: 1
+  config: "{}"
+  created_unix: 946684810
+
+-
+  id: 20
+  repo_id: 4
+  type: 2
+  config: "{\"EnableTimetracker\":true,\"AllowOnlyContributorsToTrackTime\":true}"
+  created_unix: 946684810
+
+-
+  id: 21
+  repo_id: 4
+  type: 3
+  config: "{\"IgnoreWhitespaceConflicts\":false,\"AllowMerge\":true,\"AllowRebase\":true,\"AllowSquash\":true}"
+  created_unix: 946684810
+
+-
+  id: 22
+  repo_id: 2
+  type: 4
+  config: "{}"
+  created_unix: 946684810
+
+-
+  id: 23
+  repo_id: 2
+  type: 5
+  config: "{}"
+  created_unix: 946684810
+
+-
+  id: 24
+  repo_id: 2
+  type: 1
+  config: "{}"
+  created_unix: 946684810
+
+-
+  id: 25
+  repo_id: 32
+  type: 1
+  config: "{}"
+  created_unix: 1524304355
+
+-
+  id: 26
+  repo_id: 32
+  type: 2
+  config: "{}"
+  created_unix: 1524304355
+
+-
+  id: 27
+  repo_id: 24
+  type: 1
+  config: "{}"
+  created_unix: 1524304355
+
+-
+  id: 28
+  repo_id: 24
+  type: 2
+  config: "{}"
+  created_unix: 1524304355
+
+-
+  id: 29
+  repo_id: 16
+  type: 1
+  config: "{}"
+  created_unix: 1524304355
+
+-
+  id: 30
+  repo_id: 23
+  type: 1
+  config: "{}"
+  created_unix: 1524304355
+
+-
+  id: 31
+  repo_id: 27
+  type: 1
+  config: "{}"
+  created_unix: 1524304355
+
+-
+  id: 32
+  repo_id: 28
+  type: 1
+  config: "{}"
+  created_unix: 1524304355
--- a/models/fixtures/repository.yml
+++ b/models/fixtures/repository.yml
@@ -391,7 +391,7 @@
  is_mirror: false

 -
-  id: 32
+  id: 32 # org public repo
  owner_id: 3
  lower_name: repo21
  name: repo21
--- a/models/fixtures/review.yml
+++ b/models/fixtures/review.yml
@@ -30,3 +30,43 @@
  content: "Pending Review"
  updated_unix: 946684810
  created_unix: 946684810
+-
+  id: 5
+  type: 2
+  reviewer_id: 1
+  issue_id: 3
+  content: "New review 1"
+  updated_unix: 946684810
+  created_unix: 946684810
+-
+  id: 6
+  type: 0
+  reviewer_id: 2
+  issue_id: 3
+  content: "New review 3"
+  updated_unix: 946684810
+  created_unix: 946684810
+-
+  id: 7
+  type: 3
+  reviewer_id: 3
+  issue_id: 3
+  content: "New review 4"
+  updated_unix: 946684810
+  created_unix: 946684810
+-
+  id: 8
+  type: 1
+  reviewer_id: 4
+  issue_id: 3
+  content: "New review 5"
+  updated_unix: 946684810
+  created_unix: 946684810
+-
+  id: 9
+  type: 3
+  reviewer_id: 2
+  issue_id: 3
+  content: "New review 3 rejected"
+  updated_unix: 946684810
+  created_unix: 946684810
--- a/models/fixtures/team.yml
+++ b/models/fixtures/team.yml
@@ -51,3 +51,30 @@
  authorize: 4 # owner
  num_repos: 2
  num_members: 1
+
+-
+  id: 7
+  org_id: 3
+  lower_name: test_team
+  name: test_team
+  authorize: 2 # write
+  num_repos: 1
+  num_members: 1
+
+-
+  id: 8
+  org_id: 17
+  lower_name: test_team
+  name: test_team
+  authorize: 2 # write
+  num_repos: 1
+  num_members: 1
+
+-
+  id: 9
+  org_id: 17
+  lower_name: review_team
+  name: review_team
+  authorize: 1 # read
+  num_repos: 1
+  num_members: 1
--- a/models/fixtures/team_repo.yml
+++ b/models/fixtures/team_repo.yml
@@ -45,3 +45,21 @@
  org_id: 3
  team_id: 1
  repo_id: 32
+
+-
+  id: 9
+  org_id: 3
+  team_id: 7
+  repo_id: 32
+
+-
+  id: 10
+  org_id: 17
+  team_id: 8
+  repo_id: 24
+
+-
+  id: 11
+  org_id: 17
+  team_id: 9
+  repo_id: 24
--- a/models/fixtures/team_unit.yml
+++ b/models/fixtures/team_unit.yml
@@ -207,3 +207,18 @@
  id: 42
  team_id: 6
  type: 7
+
+-
+  id: 43
+  team_id: 7
+  type: 2 # issues
+
+-
+  id: 44
+  team_id: 8
+  type: 2 # issues
+
+-
+  id: 45
+  team_id: 9
+  type: 1 # code
--- a/models/fixtures/team_user.yml
+++ b/models/fixtures/team_user.yml
@@ -44,4 +44,22 @@
  id: 8
  org_id: 19
  team_id: 6
+  uid: 20
+
+-
+  id: 9
+  org_id: 3
+  team_id: 7
+  uid: 15
+
+-
+  id: 10
+  org_id: 17
+  team_id: 8
+  uid: 2
+
+-
+  id: 11
+  org_id: 17
+  team_id: 9
  uid: 20
--- a/models/fixtures/user.yml
+++ b/models/fixtures/user.yml
@@ -47,7 +47,7 @@
  avatar_email: user3@example.com
  num_repos: 3
  num_members: 2
-  num_teams: 2
+  num_teams: 3

 -
  id: 4
@@ -266,7 +266,7 @@
  num_repos: 2
  is_active: true
  num_members: 2
-  num_teams: 1
+  num_teams: 3

 -
  id: 18
--- a/models/git_diff.go
+++ b/models/git_diff.go
@@ -273,7 +273,7 @@ func (diff *Diff) NumFiles() int {
 }

 // Example: @@ -1,8 +1,9 @@ => [..., 1, 8, 1, 9]
-var hunkRegex = regexp.MustCompile(`^@@ -([0-9]+),([0-9]+) \+([0-9]+)(,([0-9]+))? @@`)
+var hunkRegex = regexp.MustCompile(`^@@ -(?P<beginOld>[0-9]+)(,(?P<endOld>[0-9]+))? \+(?P<beginNew>[0-9]+)(,(?P<endNew>[0-9]+))? @@`)

 func isHeader(lof string) bool {
 	return strings.HasPrefix(lof, cmdDiffHead) || strings.HasPrefix(lof, "---") || strings.HasPrefix(lof, "+++")
@@ -311,21 +311,28 @@ func CutDiffAroundLine(originalDiff io.Reader, line int64, old bool, numbersOfLi
 			if len(hunk) > headerLines {
 				break
 			}
-			groups := hunkRegex.FindStringSubmatch(lof)
+			// A map with named groups of our regex to recognize them later more easily
+			submatches := hunkRegex.FindStringSubmatch(lof)
+			groups := make(map[string]string)
+			for i, name := range hunkRegex.SubexpNames() {
+				if i != 0 && name != "" {
+					groups[name] = submatches[i]
+				}
+			}
 			if old {
-				begin = com.StrTo(groups[1]).MustInt64()
-				end = com.StrTo(groups[2]).MustInt64()
+				begin = com.StrTo(groups["beginOld"]).MustInt64()
+				end = com.StrTo(groups["endOld"]).MustInt64()
 				// init otherLine with begin of opposite side
-				otherLine = com.StrTo(groups[3]).MustInt64()
+				otherLine = com.StrTo(groups["beginNew"]).MustInt64()
 			} else {
-				begin = com.StrTo(groups[3]).MustInt64()
-				if groups[5] != "" {
-					end = com.StrTo(groups[5]).MustInt64()
+				begin = com.StrTo(groups["beginNew"]).MustInt64()
+				if groups["endNew"] != "" {
+					end = com.StrTo(groups["endNew"]).MustInt64()
 				} else {
 					end = 0
 				}
 				// init otherLine with begin of opposite side
-				otherLine = com.StrTo(groups[1]).MustInt64()
+				otherLine = com.StrTo(groups["beginOld"]).MustInt64()
 			}
 			end += begin // end is for real only the number of lines in hunk
 			// lof is between begin and end
--- a/models/issue.go
+++ b/models/issue.go
@@ -86,6 +86,11 @@ func (issue *Issue) IsOverdue() bool {
 	return util.TimeStampNow() >= issue.DeadlineUnix
 }

+// LoadRepo loads issue's repository
+func (issue *Issue) LoadRepo() error {
+	return issue.loadRepo(x)
+}
+
 func (issue *Issue) loadRepo(e Engine) (err error) {
 	if issue.Repo == nil {
 		issue.Repo, err = getRepositoryByID(e, issue.RepoID)
@@ -112,6 +117,10 @@ func (issue *Issue) GetPullRequest() (pr *PullRequest, err error) {
 	}

 	pr, err = getPullRequestByIssueID(x, issue.ID)
+	if err != nil {
+		return nil, err
+	}
+	pr.Issue = issue
 	return
 }

@@ -125,6 +134,11 @@ func (issue *Issue) loadLabels(e Engine) (err error) {
 	return nil
 }

+// LoadPoster loads poster
+func (issue *Issue) LoadPoster() error {
+	return issue.loadPoster(x)
+}
+
 func (issue *Issue) loadPoster(e Engine) (err error) {
 	if issue.Poster == nil {
 		issue.Poster, err = getUserByID(e, issue.PosterID)
@@ -150,10 +164,16 @@ func (issue *Issue) loadPullRequest(e Engine) (err error) {
 			}
 			return fmt.Errorf("getPullRequestByIssueID [%d]: %v", issue.ID, err)
 		}
+		issue.PullRequest.Issue = issue
 	}
 	return nil
 }

+// LoadPullRequest loads pull request info
+func (issue *Issue) LoadPullRequest() error {
+	return issue.loadPullRequest(x)
+}
+
 func (issue *Issue) loadComments(e Engine) (err error) {
 	if issue.Comments != nil {
 		return nil
@@ -306,11 +326,18 @@ func (issue *Issue) State() api.StateType {
 // Required - Poster, Labels,
 // Optional - Milestone, Assignee, PullRequest
 func (issue *Issue) APIFormat() *api.Issue {
+	return issue.apiFormat(x)
+}
+
+func (issue *Issue) apiFormat(e Engine) *api.Issue {
+	issue.loadLabels(e)
 	apiLabels := make([]*api.Label, len(issue.Labels))
 	for i := range issue.Labels {
 		apiLabels[i] = issue.Labels[i].APIFormat()
 	}

+	issue.loadPoster(e)
+	issue.loadRepo(e)
 	apiIssue := &api.Issue{
 		ID:       issue.ID,
 		URL:      issue.APIURL(),
@@ -325,9 +352,15 @@ func (issue *Issue) APIFormat() *api.Issue {
 		Updated:  issue.UpdatedUnix.AsTime(),
 	}

+	if issue.ClosedUnix != 0 {
+		apiIssue.Closed = issue.ClosedUnix.AsTimePtr()
+	}
+
 	if issue.Milestone != nil {
 		apiIssue.Milestone = issue.Milestone.APIFormat()
 	}
+	issue.loadAssignees(e)
+
 	if len(issue.Assignees) > 0 {
 		for _, assignee := range issue.Assignees {
 			apiIssue.Assignees = append(apiIssue.Assignees, assignee.APIFormat())
@@ -335,6 +368,7 @@ func (issue *Issue) APIFormat() *api.Issue {
 		apiIssue.Assignee = issue.Assignees[0].APIFormat() // For compatibility, we're keeping the first assignee as `apiIssue.Assignee`
 	}
 	if issue.IsPull {
+		issue.loadPullRequest(e)
 		apiIssue.PullRequest = &api.PullRequestMeta{
 			HasMerged: issue.PullRequest.HasMerged,
 		}
@@ -381,7 +415,7 @@ func (issue *Issue) sendLabelUpdatedWebhook(doer *User) {
 		return
 	}

-	mode, _ := AccessLevel(issue.Poster.ID, issue.Repo)
+	mode, _ := AccessLevel(issue.Poster, issue.Repo)
 	if issue.IsPull {
 		if err = issue.loadPullRequest(x); err != nil {
 			log.Error(4, "loadPullRequest: %v", err)
@@ -464,9 +498,11 @@ func (issue *Issue) RemoveLabel(doer *User, label *Label) error {
 		return err
 	}

-	if has, err := HasAccess(doer.ID, issue.Repo, AccessModeWrite); err != nil {
+	perm, err := GetUserRepoPermission(issue.Repo, doer)
+	if err != nil {
 		return err
-	} else if !has {
+	}
+	if !perm.CanWriteIssuesOrPulls(issue.IsPull) {
 		return ErrLabelNotExist{}
 	}

@@ -507,9 +543,11 @@ func (issue *Issue) ClearLabels(doer *User) (err error) {
 		return err
 	}

-	if has, err := hasAccess(sess, doer.ID, issue.Repo, AccessModeWrite); err != nil {
+	perm, err := getUserRepoPermission(sess, issue.Repo, doer)
+	if err != nil {
 		return err
-	} else if !has {
+	}
+	if !perm.CanWriteIssuesOrPulls(issue.IsPull) {
 		return ErrLabelNotExist{}
 	}

@@ -525,7 +563,7 @@ func (issue *Issue) ClearLabels(doer *User) (err error) {
 		return fmt.Errorf("loadPoster: %v", err)
 	}

-	mode, _ := AccessLevel(issue.Poster.ID, issue.Repo)
+	mode, _ := AccessLevel(issue.Poster, issue.Repo)
 	if issue.IsPull {
 		err = issue.PullRequest.LoadIssue()
 		if err != nil {
@@ -644,16 +682,16 @@ func UpdateIssueCols(issue *Issue, cols ...string) error {
 	return updateIssueCols(x, issue, cols...)
 }

-func (issue *Issue) changeStatus(e *xorm.Session, doer *User, repo *Repository, isClosed bool) (err error) {
+func (issue *Issue) changeStatus(e *xorm.Session, doer *User, isClosed bool) (err error) {
 	// Nothing should be performed if current status is same as target status
 	if issue.IsClosed == isClosed {
 		return nil
 	}

 	// Check for open dependencies
-	if isClosed && issue.Repo.IsDependenciesEnabled() {
+	if isClosed && issue.Repo.isDependenciesEnabled(e) {
 		// only check if dependencies are enabled and we're about to close an issue, otherwise reopening an issue would fail when there are unsatisfied dependencies
-		noDeps, err := IssueNoDependenciesLeft(issue)
+		noDeps, err := issueNoDependenciesLeft(e, issue)
 		if err != nil {
 			return err
 		}
@@ -695,7 +733,7 @@ func (issue *Issue) changeStatus(e *xorm.Session, doer *User, repo *Repository,
 	}

 	// New action comment
-	if _, err = createStatusComment(e, doer, repo, issue); err != nil {
+	if _, err = createStatusComment(e, doer, issue); err != nil {
 		return err
 	}

@@ -703,29 +741,39 @@ func (issue *Issue) changeStatus(e *xorm.Session, doer *User, repo *Repository,
 }

 // ChangeStatus changes issue status to open or closed.
-func (issue *Issue) ChangeStatus(doer *User, repo *Repository, isClosed bool) (err error) {
+func (issue *Issue) ChangeStatus(doer *User, isClosed bool) (err error) {
 	sess := x.NewSession()
 	defer sess.Close()
 	if err = sess.Begin(); err != nil {
 		return err
 	}

-	if err = issue.changeStatus(sess, doer, repo, isClosed); err != nil {
+	if err = issue.loadRepo(sess); err != nil {
+		return err
+	}
+	if err = issue.loadPoster(sess); err != nil {
+		return err
+	}
+
+	if err = issue.changeStatus(sess, doer, isClosed); err != nil {
 		return err
 	}

 	if err = sess.Commit(); err != nil {
 		return fmt.Errorf("Commit: %v", err)
 	}
+	sess.Close()

-	mode, _ := AccessLevel(issue.Poster.ID, issue.Repo)
+	mode, _ := AccessLevel(issue.Poster, issue.Repo)
 	if issue.IsPull {
+		if err = issue.loadPullRequest(sess); err != nil {
+			return err
+		}
 		// Merge pull request calls issue.changeStatus so we need to handle separately.
-		issue.PullRequest.Issue = issue
 		apiPullRequest := &api.PullRequestPayload{
 			Index:       issue.Index,
 			PullRequest: issue.PullRequest.APIFormat(),
-			Repository:  repo.APIFormat(mode),
+			Repository:  issue.Repo.APIFormat(mode),
 			Sender:      doer.APIFormat(),
 		}
 		if isClosed {
@@ -733,12 +781,12 @@ func (issue *Issue) ChangeStatus(doer *User, repo *Repository, isClosed bool) (e
 		} else {
 			apiPullRequest.Action = api.HookIssueReOpened
 		}
-		err = PrepareWebhooks(repo, HookEventPullRequest, apiPullRequest)
+		err = PrepareWebhooks(issue.Repo, HookEventPullRequest, apiPullRequest)
 	} else {
 		apiIssue := &api.IssuePayload{
 			Index:      issue.Index,
 			Issue:      issue.APIFormat(),
-			Repository: repo.APIFormat(mode),
+			Repository: issue.Repo.APIFormat(mode),
 			Sender:     doer.APIFormat(),
 		}
 		if isClosed {
@@ -746,12 +794,12 @@ func (issue *Issue) ChangeStatus(doer *User, repo *Repository, isClosed bool) (e
 		} else {
 			apiIssue.Action = api.HookIssueReOpened
 		}
-		err = PrepareWebhooks(repo, HookEventIssues, apiIssue)
+		err = PrepareWebhooks(issue.Repo, HookEventIssues, apiIssue)
 	}
 	if err != nil {
 		log.Error(4, "PrepareWebhooks [is_pull: %v, is_closed: %v]: %v", issue.IsPull, isClosed, err)
 	} else {
-		go HookQueue.Add(repo.ID)
+		go HookQueue.Add(issue.Repo.ID)
 	}

 	return nil
@@ -772,6 +820,10 @@ func (issue *Issue) ChangeTitle(doer *User, title string) (err error) {
 		return fmt.Errorf("updateIssueCols: %v", err)
 	}

+	if err = issue.loadRepo(sess); err != nil {
+		return fmt.Errorf("loadRepo: %v", err)
+	}
+
 	if _, err = createChangeTitleComment(sess, doer, issue.Repo, issue, oldTitle, title); err != nil {
 		return fmt.Errorf("createChangeTitleComment: %v", err)
 	}
@@ -780,8 +832,11 @@ func (issue *Issue) ChangeTitle(doer *User, title string) (err error) {
 		return err
 	}

-	mode, _ := AccessLevel(issue.Poster.ID, issue.Repo)
+	mode, _ := AccessLevel(issue.Poster, issue.Repo)
 	if issue.IsPull {
+		if err = issue.loadPullRequest(sess); err != nil {
+			return fmt.Errorf("loadPullRequest: %v", err)
+		}
 		issue.PullRequest.Issue = issue
 		err = PrepareWebhooks(issue.Repo, HookEventPullRequest, &api.PullRequestPayload{
 			Action: api.HookIssueEdited,
@@ -846,7 +901,7 @@ func (issue *Issue) ChangeContent(doer *User, content string) (err error) {
 		return fmt.Errorf("UpdateIssueCols: %v", err)
 	}

-	mode, _ := AccessLevel(issue.Poster.ID, issue.Repo)
+	mode, _ := AccessLevel(issue.Poster, issue.Repo)
 	if issue.IsPull {
 		issue.PullRequest.Issue = issue
 		err = PrepareWebhooks(issue.Repo, HookEventPullRequest, &api.PullRequestPayload{
@@ -941,9 +996,13 @@ func newIssue(e *xorm.Session, doer *User, opts NewIssueOptions) (err error) {
 	// Check for and validate assignees
 	if len(opts.AssigneeIDs) > 0 {
 		for _, assigneeID := range opts.AssigneeIDs {
-			valid, err := hasAccess(e, assigneeID, opts.Repo, AccessModeWrite)
+			user, err := getUserByID(e, assigneeID)
 			if err != nil {
-				return fmt.Errorf("hasAccess [user_id: %d, repo_id: %d]: %v", assigneeID, opts.Repo.ID, err)
+				return fmt.Errorf("getUserByID [user_id: %d, repo_id: %d]: %v", assigneeID, opts.Repo.ID, err)
+			}
+			valid, err := canBeAssigned(e, user, opts.Repo)
+			if err != nil {
+				return fmt.Errorf("canBeAssigned [user_id: %d, repo_id: %d]: %v", assigneeID, opts.Repo.ID, err)
 			}
 			if !valid {
 				return ErrUserDoesNotHaveAccessToRepo{UserID: assigneeID, RepoName: opts.Repo.Name}
@@ -1066,7 +1125,7 @@ func NewIssue(repo *Repository, issue *Issue, labelIDs []int64, assigneeIDs []in
 		log.Error(4, "MailParticipants: %v", err)
 	}

-	mode, _ := AccessLevel(issue.Poster.ID, issue.Repo)
+	mode, _ := AccessLevel(issue.Poster, issue.Repo)
 	if err = PrepareWebhooks(repo, HookEventIssues, &api.IssuePayload{
 		Action:     api.HookIssueOpened,
 		Index:      issue.Index,
@@ -1082,8 +1141,8 @@ func NewIssue(repo *Repository, issue *Issue, labelIDs []int64, assigneeIDs []in
 	return nil
 }

-// GetRawIssueByIndex returns raw issue without loading attributes by index in a repository.
-func GetRawIssueByIndex(repoID, index int64) (*Issue, error) {
+// GetIssueByIndex returns raw issue without loading attributes by index in a repository.
+func GetIssueByIndex(repoID, index int64) (*Issue, error) {
 	issue := &Issue{
 		RepoID: repoID,
 		Index:  index,
@@ -1097,9 +1156,9 @@ func GetRawIssueByIndex(repoID, index int64) (*Issue, error) {
 	return issue, nil
 }

-// GetIssueByIndex returns issue by index in a repository.
-func GetIssueByIndex(repoID, index int64) (*Issue, error) {
-	issue, err := GetRawIssueByIndex(repoID, index)
+// GetIssueWithAttrsByIndex returns issue by index in a repository.
+func GetIssueWithAttrsByIndex(repoID, index int64) (*Issue, error) {
+	issue, err := GetIssueByIndex(repoID, index)
 	if err != nil {
 		return nil, err
 	}
@@ -1114,7 +1173,16 @@ func getIssueByID(e Engine, id int64) (*Issue, error) {
 	} else if !has {
 		return nil, ErrIssueNotExist{id, 0, 0}
 	}
-	return issue, issue.loadAttributes(e)
+	return issue, nil
+}
+
+// GetIssueWithAttrsByID returns an issue with attributes by given ID.
+func GetIssueWithAttrsByID(id int64) (*Issue, error) {
+	issue, err := getIssueByID(x, id)
+	if err != nil {
+		return nil, err
+	}
+	return issue, issue.loadAttributes(x)
 }

 // GetIssueByID returns an issue by given ID.
@@ -1334,7 +1402,7 @@ func UpdateIssueMentions(e Engine, issueID int64, mentions []string) error {
 		}

 		memberIDs := make([]int64, 0, user.NumMembers)
-		orgUsers, err := GetOrgUsersByOrgID(user.ID)
+		orgUsers, err := getOrgUsersByOrgID(e, user.ID)
 		if err != nil {
 			return fmt.Errorf("GetOrgUsersByOrgID [%d]: %v", user.ID, err)
 		}
@@ -1388,7 +1456,7 @@ type IssueStatsOptions struct {
 	AssigneeID  int64
 	MentionedID int64
 	PosterID    int64
-	IsPull      bool
+	IsPull      util.OptionalBool
 	IssueIDs    []int64
 }

@@ -1398,8 +1466,7 @@ func GetIssueStats(opts *IssueStatsOptions) (*IssueStats, error) {

 	countSession := func(opts *IssueStatsOptions) *xorm.Session {
 		sess := x.
-			Where("issue.repo_id = ?", opts.RepoID).
-			And("issue.is_pull = ?", opts.IsPull)
+			Where("issue.repo_id = ?", opts.RepoID)

 		if len(opts.IssueIDs) > 0 {
 			sess.In("issue.id", opts.IssueIDs)
@@ -1434,6 +1501,13 @@ func GetIssueStats(opts *IssueStatsOptions) (*IssueStats, error) {
 				And("issue_user.is_mentioned = ?", true)
 		}

+		switch opts.IsPull {
+		case util.OptionalBoolTrue:
+			sess.And("issue.is_pull=?", true)
+		case util.OptionalBoolFalse:
+			sess.And("issue.is_pull=?", false)
+		}
+
 		return sess
 	}

--- a/models/issue_assignees.go
+++ b/models/issue_assignees.go
@@ -44,7 +44,11 @@ func (issue *Issue) loadAssignees(e Engine) (err error) {

 // GetAssigneesByIssue returns everyone assigned to that issue
 func GetAssigneesByIssue(issue *Issue) (assignees []*User, err error) {
-	err = issue.loadAssignees(x)
+	return getAssigneesByIssue(x, issue)
+}
+
+func getAssigneesByIssue(e Engine, issue *Issue) (assignees []*User, err error) {
+	err = issue.loadAssignees(e)
 	if err != nil {
 		return assignees, err
 	}
@@ -159,20 +163,22 @@ func (issue *Issue) changeAssignee(sess *xorm.Session, doer *User, assigneeID in
 		return fmt.Errorf("createAssigneeComment: %v", err)
 	}

-	mode, _ := accessLevel(sess, doer.ID, issue.Repo)
+	// if pull request is in the middle of creation - don't call webhook
+	if isCreate {
+		return nil
+	}
+
 	if issue.IsPull {
-		// if pull request is in the middle of creation - don't call webhook
-		if isCreate {
-			return nil
-		}
+		mode, _ := accessLevelUnit(sess, doer, issue.Repo, UnitTypePullRequests)
+
 		if err = issue.loadPullRequest(sess); err != nil {
 			return fmt.Errorf("loadPullRequest: %v", err)
 		}
 		issue.PullRequest.Issue = issue
 		apiPullRequest := &api.PullRequestPayload{
 			Index:       issue.Index,
-			PullRequest: issue.PullRequest.APIFormat(),
-			Repository:  issue.Repo.APIFormat(mode),
+			PullRequest: issue.PullRequest.apiFormat(sess),
+			Repository:  issue.Repo.innerAPIFormat(sess, mode, false),
 			Sender:      doer.APIFormat(),
 		}
 		if removed {
@@ -185,10 +191,12 @@ func (issue *Issue) changeAssignee(sess *xorm.Session, doer *User, assigneeID in
 			return nil
 		}
 	} else {
+		mode, _ := accessLevelUnit(sess, doer, issue.Repo, UnitTypeIssues)
+
 		apiIssue := &api.IssuePayload{
 			Index:      issue.Index,
-			Issue:      issue.APIFormat(),
-			Repository: issue.Repo.APIFormat(mode),
+			Issue:      issue.apiFormat(sess),
+			Repository: issue.Repo.innerAPIFormat(sess, mode, false),
 			Sender:     doer.APIFormat(),
 		}
 		if removed {
--- a/models/issue_assignees_test.go
+++ b/models/issue_assignees_test.go
@@ -14,7 +14,7 @@ func TestUpdateAssignee(t *testing.T) {
 	assert.NoError(t, PrepareTestDatabase())

 	// Fake issue with assignees
-	issue, err := GetIssueByID(1)
+	issue, err := GetIssueWithAttrsByID(1)
 	assert.NoError(t, err)

 	// Assign multiple users
--- a/models/issue_comment.go
+++ b/models/issue_comment.go
@@ -150,25 +150,6 @@ func (c *Comment) LoadIssue() (err error) {
 	return
 }

-// AfterLoad is invoked from XORM after setting the values of all fields of this object.
-func (c *Comment) AfterLoad(session *xorm.Session) {
-	var err error
-	c.Attachments, err = getAttachmentsByCommentID(session, c.ID)
-	if err != nil {
-		log.Error(3, "getAttachmentsByCommentID[%d]: %v", c.ID, err)
-	}
-
-	c.Poster, err = getUserByID(session, c.PosterID)
-	if err != nil {
-		if IsErrUserNotExist(err) {
-			c.PosterID = -1
-			c.Poster = NewGhostUser()
-		} else {
-			log.Error(3, "getUserByID[%d]: %v", c.ID, err)
-		}
-	}
-}
-
 // AfterDelete is invoked from XORM after the object is deleted.
 func (c *Comment) AfterDelete() {
 	if c.ID <= 0 {
@@ -189,6 +170,11 @@ func (c *Comment) HTMLURL() string {
 		log.Error(4, "LoadIssue(%d): %v", c.IssueID, err)
 		return ""
 	}
+	err = c.Issue.loadRepo(x)
+	if err != nil { // Silently dropping errors :unamused:
+		log.Error(4, "loadRepo(%d): %v", c.Issue.RepoID, err)
+		return ""
+	}
 	if c.Type == CommentTypeCode {
 		if c.ReviewID == 0 {
 			return fmt.Sprintf("%s/files#%s", c.Issue.HTMLURL(), c.HashTag())
@@ -217,6 +203,12 @@ func (c *Comment) IssueURL() string {
 	if c.Issue.IsPull {
 		return ""
 	}
+
+	err = c.Issue.loadRepo(x)
+	if err != nil { // Silently dropping errors :unamused:
+		log.Error(4, "loadRepo(%d): %v", c.Issue.RepoID, err)
+		return ""
+	}
 	return c.Issue.HTMLURL()
 }

@@ -228,6 +220,12 @@ func (c *Comment) PRURL() string {
 		return ""
 	}

+	err = c.Issue.loadRepo(x)
+	if err != nil { // Silently dropping errors :unamused:
+		log.Error(4, "loadRepo(%d): %v", c.Issue.RepoID, err)
+		return ""
+	}
+
 	if !c.Issue.IsPull {
 		return ""
 	}
@@ -303,6 +301,39 @@ func (c *Comment) LoadMilestone() error {
 	return nil
 }

+// LoadPoster loads comment poster
+func (c *Comment) LoadPoster() error {
+	if c.PosterID <= 0 || c.Poster != nil {
+		return nil
+	}
+
+	var err error
+	c.Poster, err = getUserByID(x, c.PosterID)
+	if err != nil {
+		if IsErrUserNotExist(err) {
+			c.PosterID = -1
+			c.Poster = NewGhostUser()
+		} else {
+			log.Error(3, "getUserByID[%d]: %v", c.ID, err)
+		}
+	}
+	return nil
+}
+
+// LoadAttachments loads attachments
+func (c *Comment) LoadAttachments() error {
+	if len(c.Attachments) > 0 {
+		return nil
+	}
+
+	var err error
+	c.Attachments, err = getAttachmentsByCommentID(x, c.ID)
+	if err != nil {
+		log.Error(3, "getAttachmentsByCommentID[%d]: %v", c.ID, err)
+	}
+	return nil
+}
+
 // LoadAssigneeUser if comment.Type is CommentTypeAssignees, then load assignees
 func (c *Comment) LoadAssigneeUser() error {
 	var err error
@@ -375,8 +406,10 @@ func (c *Comment) LoadReactions() error {
 }

 func (c *Comment) loadReview(e Engine) (err error) {
-	if c.Review, err = getReviewByID(e, c.ReviewID); err != nil {
-		return err
+	if c.Review == nil {
+		if c.Review, err = getReviewByID(e, c.ReviewID); err != nil {
+			return err
+		}
 	}
 	return nil
 }
@@ -454,6 +487,11 @@ func (c *Comment) CodeCommentURL() string {
 		log.Error(4, "LoadIssue(%d): %v", c.IssueID, err)
 		return ""
 	}
+	err = c.Issue.loadRepo(x)
+	if err != nil { // Silently dropping errors :unamused:
+		log.Error(4, "loadRepo(%d): %v", c.Issue.RepoID, err)
+		return ""
+	}
 	return fmt.Sprintf("%s/files#%s", c.Issue.HTMLURL(), c.HashTag())
 }

@@ -601,7 +639,7 @@ func sendCreateCommentAction(e *xorm.Session, opts *CreateCommentOptions, commen
 	return nil
 }

-func createStatusComment(e *xorm.Session, doer *User, repo *Repository, issue *Issue) (*Comment, error) {
+func createStatusComment(e *xorm.Session, doer *User, issue *Issue) (*Comment, error) {
 	cmtType := CommentTypeClose
 	if !issue.IsClosed {
 		cmtType = CommentTypeReopen
@@ -609,7 +647,7 @@ func createStatusComment(e *xorm.Session, doer *User, repo *Repository, issue *I
 	return createComment(e, &CreateCommentOptions{
 		Type:  cmtType,
 		Doer:  doer,
-		Repo:  repo,
+		Repo:  issue.Repo,
 		Issue: issue,
 	})
 }
@@ -670,6 +708,10 @@ func createDeadlineComment(e *xorm.Session, doer *User, issue *Issue, newDeadlin
 		content = newDeadlineUnix.Format("2006-01-02") + "|" + issue.DeadlineUnix.Format("2006-01-02")
 	}

+	if err := issue.LoadRepo(); err != nil {
+		return nil, err
+	}
+
 	return createComment(e, &CreateCommentOptions{
 		Type:    commentType,
 		Doer:    doer,
@@ -706,6 +748,9 @@ func createIssueDependencyComment(e *xorm.Session, doer *User, issue *Issue, dep
 	if !add {
 		cType = CommentTypeRemoveDependency
 	}
+	if err = issue.loadRepo(e); err != nil {
+		return
+	}

 	// Make two comments, one in each issue
 	_, err = createComment(e, &CreateCommentOptions{
@@ -795,7 +840,7 @@ func CreateIssueComment(doer *User, repo *Repository, issue *Issue, content stri
 		return nil, fmt.Errorf("CreateComment: %v", err)
 	}

-	mode, _ := AccessLevel(doer.ID, repo)
+	mode, _ := AccessLevel(doer, repo)
 	if err = PrepareWebhooks(repo, HookEventIssueComment, &api.IssueCommentPayload{
 		Action:     api.HookIssueCommentCreated,
 		Issue:      issue.APIFormat(),
@@ -983,6 +1028,9 @@ func UpdateComment(doer *User, c *Comment, oldContent string) error {
 		UpdateIssueIndexer(c.IssueID)
 	}

+	if err := c.LoadPoster(); err != nil {
+		return err
+	}
 	if err := c.LoadIssue(); err != nil {
 		return err
 	}
@@ -990,7 +1038,7 @@ func UpdateComment(doer *User, c *Comment, oldContent string) error {
 		return err
 	}

-	mode, _ := AccessLevel(doer.ID, c.Issue.Repo)
+	mode, _ := AccessLevel(doer, c.Issue.Repo)
 	if err := PrepareWebhooks(c.Issue.Repo, HookEventIssueComment, &api.IssueCommentPayload{
 		Action:  api.HookIssueCommentEdited,
 		Issue:   c.Issue.APIFormat(),
@@ -1040,6 +1088,9 @@ func DeleteComment(doer *User, comment *Comment) error {
 		UpdateIssueIndexer(comment.IssueID)
 	}

+	if err := comment.LoadPoster(); err != nil {
+		return err
+	}
 	if err := comment.LoadIssue(); err != nil {
 		return err
 	}
@@ -1047,7 +1098,7 @@ func DeleteComment(doer *User, comment *Comment) error {
 		return err
 	}

-	mode, _ := AccessLevel(doer.ID, comment.Issue.Repo)
+	mode, _ := AccessLevel(doer, comment.Issue.Repo)

 	if err := PrepareWebhooks(comment.Issue.Repo, HookEventIssueComment, &api.IssueCommentPayload{
 		Action:     api.HookIssueCommentDeleted,
@@ -1095,6 +1146,10 @@ func fetchCodeCommentsByReview(e Engine, issue *Issue, currentUser *User, review
 		return nil, err
 	}

+	if err := CommentList(comments).loadPosters(e); err != nil {
+		return nil, err
+	}
+
 	if err := issue.loadRepo(e); err != nil {
 		return nil, err
 	}
--- a/models/issue_comment_list.go
+++ b/models/issue_comment_list.go
@@ -0,0 +1,58 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package models
+
+// CommentList defines a list of comments
+type CommentList []*Comment
+
+func (comments CommentList) getPosterIDs() []int64 {
+	commentIDs := make(map[int64]struct{}, len(comments))
+	for _, comment := range comments {
+		if _, ok := commentIDs[comment.PosterID]; !ok {
+			commentIDs[comment.PosterID] = struct{}{}
+		}
+	}
+	return keysInt64(commentIDs)
+}
+
+// LoadPosters loads posters from database
+func (comments CommentList) LoadPosters() error {
+	return comments.loadPosters(x)
+}
+
+func (comments CommentList) loadPosters(e Engine) error {
+	if len(comments) == 0 {
+		return nil
+	}
+
+	posterIDs := comments.getPosterIDs()
+	posterMaps := make(map[int64]*User, len(posterIDs))
+	var left = len(posterIDs)
+	for left > 0 {
+		var limit = defaultMaxInSize
+		if left < limit {
+			limit = left
+		}
+		err := e.
+			In("id", posterIDs[:limit]).
+			Find(&posterMaps)
+		if err != nil {
+			return err
+		}
+		left = left - limit
+		posterIDs = posterIDs[limit:]
+	}
+
+	for _, comment := range comments {
+		if comment.PosterID <= 0 {
+			continue
+		}
+		var ok bool
+		if comment.Poster, ok = posterMaps[comment.PosterID]; !ok {
+			comment.Poster = NewGhostUser()
+		}
+	}
+	return nil
+}
--- a/models/issue_dependency.go
+++ b/models/issue_dependency.go
@@ -113,8 +113,11 @@ func issueDepExists(e Engine, issueID int64, depID int64) (bool, error) {

 // IssueNoDependenciesLeft checks if issue can be closed
 func IssueNoDependenciesLeft(issue *Issue) (bool, error) {
+	return issueNoDependenciesLeft(x, issue)
+}

-	exists, err := x.
+func issueNoDependenciesLeft(e Engine, issue *Issue) (bool, error) {
+	exists, err := e.
 		Table("issue_dependency").
 		Select("issue.*").
 		Join("INNER", "issue", "issue.id = issue_dependency.dependency_id").
@@ -127,9 +130,13 @@ func IssueNoDependenciesLeft(issue *Issue) (bool, error) {

 // IsDependenciesEnabled returns if dependecies are enabled and returns the default setting if not set.
 func (repo *Repository) IsDependenciesEnabled() bool {
+	return repo.isDependenciesEnabled(x)
+}
+
+func (repo *Repository) isDependenciesEnabled(e Engine) bool {
 	var u *RepoUnit
 	var err error
-	if u, err = repo.GetUnit(UnitTypeIssues); err != nil {
+	if u, err = repo.getUnit(e, UnitTypeIssues); err != nil {
 		log.Trace("%s", err)
 		return setting.Service.DefaultEnableDependencies
 	}
--- a/models/issue_dependency_test.go
+++ b/models/issue_dependency_test.go
@@ -19,6 +19,7 @@ func TestCreateIssueDependency(t *testing.T) {

 	issue1, err := GetIssueByID(1)
 	assert.NoError(t, err)
+
 	issue2, err := GetIssueByID(2)
 	assert.NoError(t, err)

@@ -44,7 +45,7 @@ func TestCreateIssueDependency(t *testing.T) {
 	assert.False(t, left)

 	// Close #2 and check again
-	err = issue2.ChangeStatus(user1, issue2.Repo, true)
+	err = issue2.ChangeStatus(user1, true)
 	assert.NoError(t, err)

 	left, err = IssueNoDependenciesLeft(issue1)
--- a/models/issue_label.go
+++ b/models/issue_label.go
@@ -134,7 +134,7 @@ func NewLabels(labels ...*Label) error {
 // If pass repoID as 0, then ORM will ignore limitation of repository
 // and can return arbitrary label with any valid ID.
 func getLabelInRepoByName(e Engine, repoID int64, labelName string) (*Label, error) {
-	if len(labelName) <= 0 {
+	if len(labelName) == 0 {
 		return nil, ErrLabelNotExist{0, repoID}
 	}

--- a/models/issue_mail.go
+++ b/models/issue_mail.go
@@ -39,16 +39,16 @@ func mailIssueCommentToParticipants(e Engine, issue *Issue, doer *User, content

 	// In case the issue poster is not watching the repository and is active,
 	// even if we have duplicated in watchers, can be safely filtered out.
-	poster, err := GetUserByID(issue.PosterID)
+	err = issue.loadPoster(e)
 	if err != nil {
 		return fmt.Errorf("GetUserByID [%d]: %v", issue.PosterID, err)
 	}
-	if issue.PosterID != doer.ID && poster.IsActive && !poster.ProhibitLogin {
+	if issue.PosterID != doer.ID && issue.Poster.IsActive && !issue.Poster.ProhibitLogin {
 		participants = append(participants, issue.Poster)
 	}

 	// Assignees must receive any communications
-	assignees, err := GetAssigneesByIssue(issue)
+	assignees, err := getAssigneesByIssue(e, issue)
 	if err != nil {
 		return err
 	}
@@ -88,6 +88,10 @@ func mailIssueCommentToParticipants(e Engine, issue *Issue, doer *User, content
 		names = append(names, participants[i].Name)
 	}

+	if err := issue.loadRepo(e); err != nil {
+		return err
+	}
+
 	for _, to := range tos {
 		SendIssueCommentMail(issue, doer, content, comment, []string{to})
 	}
--- a/models/issue_milestone.go
+++ b/models/issue_milestone.go
@@ -11,7 +11,6 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
 	api "code.gitea.io/sdk/gitea"
-
 	"github.com/go-xorm/xorm"
 )

@@ -123,6 +122,18 @@ func GetMilestoneByRepoID(repoID, id int64) (*Milestone, error) {
 	return getMilestoneByRepoID(x, repoID, id)
 }

+// GetMilestoneByID returns the milestone via id .
+func GetMilestoneByID(id int64) (*Milestone, error) {
+	var m Milestone
+	has, err := x.ID(id).Get(&m)
+	if err != nil {
+		return nil, err
+	} else if !has {
+		return nil, ErrMilestoneNotExist{id, 0}
+	}
+	return &m, nil
+}
+
 // MilestoneList is a list of milestones offering additional functionality
 type MilestoneList []*Milestone

@@ -178,10 +189,11 @@ func (milestones MilestoneList) getMilestoneIDs() []int64 {
 	return ids
 }

-// GetMilestonesByRepoID returns all milestones of a repository.
+// GetMilestonesByRepoID returns all opened milestones of a repository.
 func GetMilestonesByRepoID(repoID int64) (MilestoneList, error) {
 	miles := make([]*Milestone, 0, 10)
-	return miles, x.Where("repo_id = ?", repoID).Asc("deadline_unix").Find(&miles)
+	return miles, x.Where("repo_id = ? AND is_closed = ?", repoID, false).
+		Asc("deadline_unix").Asc("id").Find(&miles)
 }

 // GetMilestones returns a list of milestones of given repository and status.
@@ -377,7 +389,7 @@ func ChangeMilestoneAssign(issue *Issue, doer *User, oldMilestoneID int64) (err
 		return err
 	}

-	mode, _ := AccessLevel(doer.ID, issue.Repo)
+	mode, _ := AccessLevel(doer, issue.Repo)
 	if issue.IsPull {
 		err = issue.PullRequest.LoadIssue()
 		if err != nil {
--- a/models/issue_stopwatch.go
+++ b/models/issue_stopwatch.go
@@ -49,6 +49,10 @@ func CreateOrStopIssueStopwatch(user *User, issue *Issue) error {
 	if err != nil {
 		return err
 	}
+	if err := issue.loadRepo(x); err != nil {
+		return err
+	}
+
 	if exists {
 		// Create tracked time out of the time difference between start date and actual date
 		timediff := time.Now().Unix() - int64(sw.CreatedUnix)
@@ -112,6 +116,10 @@ func CancelStopwatch(user *User, issue *Issue) error {
 			return err
 		}

+		if err := issue.loadRepo(x); err != nil {
+			return err
+		}
+
 		if _, err := CreateComment(&CreateCommentOptions{
 			Doer:  user,
 			Issue: issue,
--- a/models/issue_tracked_time.go
+++ b/models/issue_tracked_time.go
@@ -90,6 +90,9 @@ func AddTime(user *User, issue *Issue, time int64) (*TrackedTime, error) {
 	if _, err := x.Insert(tt); err != nil {
 		return nil, err
 	}
+	if err := issue.loadRepo(x); err != nil {
+		return nil, err
+	}
 	if _, err := CreateComment(&CreateCommentOptions{
 		Issue:   issue,
 		Repo:    issue.Repo,
--- a/models/issue_user.go
+++ b/models/issue_user.go
@@ -54,7 +54,7 @@ func newIssueUsers(e Engine, repo *Repository, issue *Issue) error {
 func updateIssueAssignee(e *xorm.Session, issue *Issue, assigneeID int64) (removed bool, err error) {

 	// Check if the user exists
-	assignee, err := GetUserByID(assigneeID)
+	assignee, err := getUserByID(e, assigneeID)
 	if err != nil {
 		return false, err
 	}
--- a/models/lfs_lock.go
+++ b/models/lfs_lock.go
@@ -139,10 +139,11 @@ func CheckLFSAccessForRepo(u *User, repo *Repository, mode AccessMode) error {
 	if u == nil {
 		return ErrLFSUnauthorizedAction{repo.ID, "undefined", mode}
 	}
-	has, err := HasAccess(u.ID, repo, mode)
+	perm, err := GetUserRepoPermission(repo, u)
 	if err != nil {
 		return err
-	} else if !has {
+	}
+	if !perm.CanAccess(mode, UnitTypeCode) {
 		return ErrLFSUnauthorizedAction{repo.ID, u.DisplayName(), mode}
 	}
 	return nil
--- a/models/login_source.go
+++ b/models/login_source.go
@@ -393,7 +393,13 @@ func LoginViaLDAP(user *User, login, password string, source *LoginSource, autoR
 		return nil, ErrUserNotExist{0, login, 0}
 	}

+	var isAttributeSSHPublicKeySet = len(strings.TrimSpace(source.LDAP().AttributeSSHPublicKey)) > 0
+
 	if !autoRegister {
+		if isAttributeSSHPublicKeySet && synchronizeLdapSSHPublicKeys(user, source, sr.SSHPublicKey) {
+			RewriteAllPublicKeys()
+		}
+
 		return user, nil
 	}

@@ -421,7 +427,14 @@ func LoginViaLDAP(user *User, login, password string, source *LoginSource, autoR
 		IsActive:    true,
 		IsAdmin:     sr.IsAdmin,
 	}
-	return user, CreateUser(user)
+
+	err := CreateUser(user)
+
+	if err == nil && isAttributeSSHPublicKeySet && addLdapSSHPublicKeys(user, source, sr.SSHPublicKey) {
+		RewriteAllPublicKeys()
+	}
+
+	return user, err
 }

 //   _________   __________________________
@@ -631,7 +644,7 @@ func UserSignIn(username, password string) (*User, error) {
 	if hasUser {
 		switch user.LoginType {
 		case LoginNoType, LoginPlain, LoginOAuth2:
-			if user.ValidatePassword(password) {
+			if user.IsPasswordSet() && user.ValidatePassword(password) {
 				return user, nil
 			}

--- a/models/mail.go
+++ b/models/mail.go
@@ -151,6 +151,7 @@ func composeTplData(subject, body, link string) map[string]interface{} {

 func composeIssueCommentMessage(issue *Issue, doer *User, content string, comment *Comment, tplName base.TplName, tos []string, info string) *mailer.Message {
 	subject := issue.mailSubject()
+	issue.LoadRepo()
 	body := string(markup.RenderByType(markdown.MarkupName, []byte(content), issue.Repo.HTMLURL(), issue.Repo.ComposeMetas()))

 	data := make(map[string]interface{}, 10)
--- a/models/migrations/migrations.go
+++ b/models/migrations/migrations.go
@@ -200,6 +200,12 @@ var migrations = []Migration{
 	NewMigration("add review", addReview),
 	// v73 -> v74
 	NewMigration("add must_change_password column for users table", addMustChangePassword),
+	// v74 -> v75
+	NewMigration("add approval whitelists to protected branches", addApprovalWhitelistsToProtectedBranches),
+	// v75 -> v76
+	NewMigration("clear nonused data which not deleted when user was deleted", clearNonusedData),
+	// v76 -> v77
+	NewMigration("add pull request rebase with merge commit", addPullRequestRebaseWithMerge),
 }

 // Migrate database to current version
--- a/models/migrations/v64.go
+++ b/models/migrations/v64.go
@@ -26,7 +26,6 @@ func addMultipleAssignees(x *xorm.Engine) error {
 		IsClosed    bool  `xorm:"INDEX"`
 		IsPull      bool  `xorm:"INDEX"` // Indicates whether is a pull request or not.
 		NumComments int
-		Ref         string

 		DeadlineUnix util.TimeStamp `xorm:"INDEX"`
 		CreatedUnix  util.TimeStamp `xorm:"INDEX created"`
--- a/models/migrations/v67.go
+++ b/models/migrations/v67.go
@@ -5,6 +5,8 @@
 package migrations

 import (
+	"fmt"
+
 	"code.gitea.io/gitea/modules/setting"

 	"github.com/go-xorm/xorm"
@@ -70,6 +72,13 @@ func removeStaleWatches(x *xorm.Engine) error {
 		return err
 	}

+	var issueWatch IssueWatch
+	if exist, err := sess.IsTableExist(&issueWatch); err != nil {
+		return fmt.Errorf("IsExist IssueWatch: %v", err)
+	} else if !exist {
+		return nil
+	}
+
 	repoCache := make(map[int64]*Repository)
 	err := x.BufferSize(setting.IterateBufferSize).Iterate(new(Watch),
 		func(idx int, bean interface{}) error {
--- a/models/migrations/v68.go
+++ b/models/migrations/v68.go
@@ -25,7 +25,7 @@ func reformatAndRemoveIncorrectTopics(x *xorm.Engine) (err error) {

 	type Topic struct {
 		ID          int64
-		Name        string `xorm:"UNIQUE"`
+		Name        string `xorm:"UNIQUE VARCHAR(25)"`
 		RepoCount   int
 		CreatedUnix int64 `xorm:"INDEX created"`
 		UpdatedUnix int64 `xorm:"INDEX updated"`
@@ -205,9 +205,6 @@ func reformatAndRemoveIncorrectTopics(x *xorm.Engine) (err error) {
 			return err
 		}
 	}
-	if err := sess.Commit(); err != nil {
-		return err
-	}

-	return nil
+	return sess.Commit()
 }
--- a/models/migrations/v71.go
+++ b/models/migrations/v71.go
@@ -44,7 +44,7 @@ func addScratchHash(x *xorm.Engine) error {
 	const batchSize = 100
 	for start := 0; ; start += batchSize {
 		tfas := make([]*TwoFactor, 0, batchSize)
-		if err := x.Limit(batchSize, start).Find(&tfas); err != nil {
+		if err := sess.Limit(batchSize, start).Find(&tfas); err != nil {
 			return err
 		}
 		if len(tfas) == 0 {
--- a/models/migrations/v74.go
+++ b/models/migrations/v74.go
@@ -0,0 +1,16 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import "github.com/go-xorm/xorm"
+
+func addApprovalWhitelistsToProtectedBranches(x *xorm.Engine) error {
+	type ProtectedBranch struct {
+		ApprovalsWhitelistUserIDs []int64 `xorm:"JSON TEXT"`
+		ApprovalsWhitelistTeamIDs []int64 `xorm:"JSON TEXT"`
+		RequiredApprovals         int64   `xorm:"NOT NULL DEFAULT 0"`
+	}
+	return x.Sync2(new(ProtectedBranch))
+}
--- a/models/migrations/v75.go
+++ b/models/migrations/v75.go
@@ -0,0 +1,33 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"github.com/go-xorm/builder"
+	"github.com/go-xorm/xorm"
+)
+
+func clearNonusedData(x *xorm.Engine) error {
+	condDelete := func(colName string) builder.Cond {
+		return builder.NotIn(colName, builder.Select("id").From("`user`"))
+	}
+
+	if _, err := x.Exec(builder.Delete(condDelete("uid")).From("team_user")); err != nil {
+		return err
+	}
+
+	if _, err := x.Exec(builder.Delete(condDelete("user_id")).From("collaboration")); err != nil {
+		return err
+	}
+
+	if _, err := x.Exec(builder.Delete(condDelete("user_id")).From("stopwatch")); err != nil {
+		return err
+	}
+
+	if _, err := x.Exec(builder.Delete(condDelete("owner_id")).From("gpg_key")); err != nil {
+		return err
+	}
+	return nil
+}
--- a/models/migrations/v76.go
+++ b/models/migrations/v76.go
@@ -0,0 +1,63 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package migrations
+
+import (
+	"fmt"
+
+	"code.gitea.io/gitea/modules/util"
+
+	"github.com/go-xorm/xorm"
+)
+
+func addPullRequestRebaseWithMerge(x *xorm.Engine) error {
+	// RepoUnit describes all units of a repository
+	type RepoUnit struct {
+		ID          int64
+		RepoID      int64                  `xorm:"INDEX(s)"`
+		Type        int                    `xorm:"INDEX(s)"`
+		Config      map[string]interface{} `xorm:"JSON"`
+		CreatedUnix util.TimeStamp         `xorm:"INDEX CREATED"`
+	}
+
+	sess := x.NewSession()
+	defer sess.Close()
+	if err := sess.Begin(); err != nil {
+		return err
+	}
+
+	//Updating existing issue units
+	units := make([]*RepoUnit, 0, 100)
+	if err := sess.Where("`type` = ?", V16UnitTypePRs).Find(&units); err != nil {
+		return fmt.Errorf("Query repo units: %v", err)
+	}
+	for _, unit := range units {
+		if unit.Config == nil {
+			unit.Config = make(map[string]interface{})
+		}
+		// Allow the new merge style if all other merge styles are allowed
+		allowMergeRebase := true
+
+		if allowMerge, ok := unit.Config["AllowMerge"]; ok {
+			allowMergeRebase = allowMergeRebase && allowMerge.(bool)
+		}
+
+		if allowRebase, ok := unit.Config["AllowRebase"]; ok {
+			allowMergeRebase = allowMergeRebase && allowRebase.(bool)
+		}
+
+		if allowSquash, ok := unit.Config["AllowSquash"]; ok {
+			allowMergeRebase = allowMergeRebase && allowSquash.(bool)
+		}
+
+		if _, ok := unit.Config["AllowRebaseMerge"]; !ok {
+			unit.Config["AllowRebaseMerge"] = allowMergeRebase
+		}
+		if _, err := sess.ID(unit.ID).Cols("config").Update(unit); err != nil {
+			return err
+		}
+	}
+	return sess.Commit()
+}
--- a/models/models.go
+++ b/models/models.go
@@ -36,7 +36,7 @@ type Engine interface {
 	Count(...interface{}) (int64, error)
 	Decr(column string, arg ...interface{}) *xorm.Session
 	Delete(interface{}) (int64, error)
-	Exec(string, ...interface{}) (sql.Result, error)
+	Exec(...interface{}) (sql.Result, error)
 	Find(interface{}, ...interface{}) error
 	Get(interface{}) (bool, error)
 	ID(interface{}) *xorm.Session
@@ -200,7 +200,8 @@ func getPostgreSQLConnectionString(DBHost, DBUser, DBPasswd, DBName, DBParam, DB
 	return
 }

-func parseMSSQLHostPort(info string) (string, string) {
+// ParseMSSQLHostPort splits the host into host and port
+func ParseMSSQLHostPort(info string) (string, string) {
 	host, port := "127.0.0.1", "1433"
 	if strings.Contains(info, ":") {
 		host = strings.Split(info, ":")[0]
@@ -235,7 +236,7 @@ func getEngine() (*xorm.Engine, error) {
 	case "postgres":
 		connStr = getPostgreSQLConnectionString(DbCfg.Host, DbCfg.User, DbCfg.Passwd, DbCfg.Name, Param, DbCfg.SSLMode)
 	case "mssql":
-		host, port := parseMSSQLHostPort(DbCfg.Host)
+		host, port := ParseMSSQLHostPort(DbCfg.Host)
 		connStr = fmt.Sprintf("server=%s; port=%s; database=%s; user id=%s; password=%s;", host, port, DbCfg.Name, DbCfg.User, DbCfg.Passwd)
 	case "sqlite3":
 		if !EnableSQLite3 {
--- a/models/notification.go
+++ b/models/notification.go
@@ -123,10 +123,10 @@ func createOrUpdateIssueNotifications(e Engine, issue *Issue, notificationAuthor

 	for _, watch := range watches {
 		issue.Repo.Units = nil
-		if issue.IsPull && !issue.Repo.CheckUnitUser(watch.UserID, false, UnitTypePullRequests) {
+		if issue.IsPull && !issue.Repo.checkUnitUser(e, watch.UserID, false, UnitTypePullRequests) {
 			continue
 		}
-		if !issue.IsPull && !issue.Repo.CheckUnitUser(watch.UserID, false, UnitTypeIssues) {
+		if !issue.IsPull && !issue.Repo.checkUnitUser(e, watch.UserID, false, UnitTypeIssues) {
 			continue
 		}

--- a/models/org.go
+++ b/models/org.go
@@ -393,8 +393,12 @@ func GetOrgUsersByUserID(uid int64, all bool) ([]*OrgUser, error) {

 // GetOrgUsersByOrgID returns all organization-user relations by organization ID.
 func GetOrgUsersByOrgID(orgID int64) ([]*OrgUser, error) {
+	return getOrgUsersByOrgID(x, orgID)
+}
+
+func getOrgUsersByOrgID(e Engine, orgID int64) ([]*OrgUser, error) {
 	ous := make([]*OrgUser, 0, 10)
-	err := x.
+	err := e.
 		Where("org_id=?", orgID).
 		Find(&ous)
 	return ous, err
@@ -460,21 +464,21 @@ func removeOrgUser(sess *xorm.Session, orgID, userID int64) error {
 		return nil
 	}

-	org, err := GetUserByID(orgID)
+	org, err := getUserByID(sess, orgID)
 	if err != nil {
 		return fmt.Errorf("GetUserByID [%d]: %v", orgID, err)
 	}

 	// Check if the user to delete is the last member in owner team.
-	if isOwner, err := IsOrganizationOwner(orgID, userID); err != nil {
+	if isOwner, err := isOrganizationOwner(sess, orgID, userID); err != nil {
 		return err
 	} else if isOwner {
-		t, err := org.GetOwnerTeam()
+		t, err := org.getOwnerTeam(sess)
 		if err != nil {
 			return err
 		}
 		if t.NumMembers == 1 {
-			if err := t.GetMembers(); err != nil {
+			if err := t.getMembers(sess); err != nil {
 				return err
 			}
 			if t.Members[0].ID == userID {
@@ -490,7 +494,7 @@ func removeOrgUser(sess *xorm.Session, orgID, userID int64) error {
 	}

 	// Delete all repository accesses and unwatch them.
-	env, err := org.AccessibleReposEnv(userID)
+	env, err := org.accessibleReposEnv(sess, userID)
 	if err != nil {
 		return fmt.Errorf("AccessibleReposEnv: %v", err)
 	}
@@ -618,16 +622,26 @@ type accessibleReposEnv struct {
 	org     *User
 	userID  int64
 	teamIDs []int64
+	e       Engine
 }

 // AccessibleReposEnv an AccessibleReposEnvironment for the repositories in `org`
 // that are accessible to the specified user.
 func (org *User) AccessibleReposEnv(userID int64) (AccessibleReposEnvironment, error) {
-	teamIDs, err := org.GetUserTeamIDs(userID)
+	return org.accessibleReposEnv(x, userID)
+}
+
+func (org *User) accessibleReposEnv(e Engine, userID int64) (AccessibleReposEnvironment, error) {
+	teamIDs, err := org.getUserTeamIDs(e, userID)
 	if err != nil {
 		return nil, err
 	}
-	return &accessibleReposEnv{org: org, userID: userID, teamIDs: teamIDs}, nil
+	return &accessibleReposEnv{
+		org:     org,
+		userID:  userID,
+		teamIDs: teamIDs,
+		e:       e,
+	}, nil
 }

 func (env *accessibleReposEnv) cond() builder.Cond {
@@ -642,7 +656,7 @@ func (env *accessibleReposEnv) cond() builder.Cond {
 }

 func (env *accessibleReposEnv) CountRepos() (int64, error) {
-	repoCount, err := x.
+	repoCount, err := env.e.
 		Join("INNER", "team_repo", "`team_repo`.repo_id=`repository`.id").
 		Where(env.cond()).
 		Distinct("`repository`.id").
@@ -659,7 +673,7 @@ func (env *accessibleReposEnv) RepoIDs(page, pageSize int) ([]int64, error) {
 	}

 	repoIDs := make([]int64, 0, pageSize)
-	return repoIDs, x.
+	return repoIDs, env.e.
 		Table("repository").
 		Join("INNER", "team_repo", "`team_repo`.repo_id=`repository`.id").
 		Where(env.cond()).
@@ -677,18 +691,18 @@ func (env *accessibleReposEnv) Repos(page, pageSize int) ([]*Repository, error)
 	}

 	repos := make([]*Repository, 0, len(repoIDs))
-	if len(repoIDs) <= 0 {
+	if len(repoIDs) == 0 {
 		return repos, nil
 	}

-	return repos, x.
+	return repos, env.e.
 		In("`repository`.id", repoIDs).
 		Find(&repos)
 }

 func (env *accessibleReposEnv) MirrorRepoIDs() ([]int64, error) {
 	repoIDs := make([]int64, 0, 10)
-	return repoIDs, x.
+	return repoIDs, env.e.
 		Table("repository").
 		Join("INNER", "team_repo", "`team_repo`.repo_id=`repository`.id AND `repository`.is_mirror=?", true).
 		Where(env.cond()).
@@ -705,11 +719,11 @@ func (env *accessibleReposEnv) MirrorRepos() ([]*Repository, error) {
 	}

 	repos := make([]*Repository, 0, len(repoIDs))
-	if len(repoIDs) <= 0 {
+	if len(repoIDs) == 0 {
 		return repos, nil
 	}

-	return repos, x.
+	return repos, env.e.
 		In("`repository`.id", repoIDs).
 		Find(&repos)
 }
--- a/Show More
+++ b/Show More