Add changelog for v1.16.8 (#19724 )

* Add changelog for v1.16.8 Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Fix issue overview for teams (#19652 ) (#19653 )
2026-02-08 00:50:53 +00:00 · 2022-05-16 19:27:23 +02:00 · 2022-05-16 17:48:16 +08:00 · 2022-05-12 13:32:48 +02:00 · 2022-05-11 21:05:58 +08:00 · 2022-05-10 22:55:28 +02:00
77 changed files with 679 additions and 293 deletions
@@ -235,6 +235,7 @@ steps:
    image: docker:git
    pull: always
    commands:
+      - git config --global --add safe.directory /drone/src
      - git fetch --tags --force
    when:
      event:
@@ -427,6 +428,7 @@ steps:
    image: docker:git
    pull: always
    commands:
+      - git config --global --add safe.directory /drone/src
      - git fetch --tags --force
    when:
      event:
@@ -628,6 +630,7 @@ steps:
    image: docker:git
    pull: always
    commands:
+      - git config --global --add safe.directory /drone/src
      - git fetch --tags --force

  - name: deps-frontend
@@ -746,6 +749,7 @@ steps:
    image: docker:git
    pull: always
    commands:
+      - git config --global --add safe.directory /drone/src
      - git fetch --tags --force

  - name: deps-frontend
@@ -891,6 +895,7 @@ steps:
    image: docker:git
    pull: always
    commands:
+      - git config --global --add safe.directory /drone/src
      - git fetch --tags --force

  - name: publish
@@ -954,6 +959,7 @@ steps:
    image: docker:git
    pull: always
    commands:
+      - git config --global --add safe.directory /drone/src
      - git fetch --tags --force

  - name: publish
@@ -1016,6 +1022,7 @@ steps:
    image: docker:git
    pull: always
    commands:
+      - git config --global --add safe.directory /drone/src
      - git fetch --tags --force

  - name: publish
@@ -1112,6 +1119,7 @@ steps:
    image: docker:git
    pull: always
    commands:
+      - git config --global --add safe.directory /drone/src
      - git fetch --tags --force

  - name: publish
@@ -1175,6 +1183,7 @@ steps:
    image: docker:git
    pull: always
    commands:
+      - git config --global --add safe.directory /drone/src
      - git fetch --tags --force

  - name: publish
@@ -1237,6 +1246,7 @@ steps:
    image: docker:git
    pull: always
    commands:
+      - git config --global --add safe.directory /drone/src
      - git fetch --tags --force

  - name: publish
@@ -4,6 +4,46 @@ This changelog goes through all the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.io).

+## [1.16.8](https://github.com/go-gitea/gitea/releases/tag/v1.16.8) - 2022-05-16
+
+* ENHANCEMENTS
+  * Add doctor check/fix for bogus action rows (#19656) (#19669)
+  * Make .cs highlighting legible on dark themes. (#19604) (#19605)
+* BUGFIXES
+  * Fix oauth setting list bug (#19681)
+  * Delete user related oauth stuff on user deletion too (#19677) (#19680)
+  * Fix new release from tags list UI (#19670) (#19673)
+  * Prevent NPE when checking repo units if the user is nil (#19625) (#19630)
+  * GetFeeds must always discard actions with dangling repo_id (#19598) (#19629)
+  * Call MultipartForm.RemoveAll when request finishes (#19606) (#19607)
+  * Avoid MoreThanOne error when creating a branch whose name conflicts with other ref names (#19557) (#19591)
+  * Fix sending empty notifications (#19589) (#19590)
+  * Ignore DNS error when doing migration allow/block check (#19566) (#19567)
+  * Fix issue overview for teams (#19652) (#19653)
+
+## [1.16.7](https://github.com/go-gitea/gitea/releases/tag/v1.16.7) - 2022-05-02
+
+* SECURITY
+  * Escape git fetch remote (#19487) (#19490)
+* BUGFIXES
+  * Don't overwrite err with nil (#19572) (#19574)
+  * On Migrations, only write commit-graph if wiki clone was successful (#19563) (#19568)
+  * Respect DefaultUserIsRestricted system default when creating new user (#19310) (#19560)
+  * Don't error when branch's commit doesn't exist (#19547) (#19548)
+  * Support `hostname:port` to pass host matcher's check (#19543) (#19544)
+  * Prevent intermittent race in attribute reader close (#19537) (#19539)
+  * Fix 64-bit atomic operations on 32-bit machines (#19531) (#19532)
+  * Prevent dangling archiver goroutine (#19516) (#19526)
+  * Fix migrate release from github (#19510) (#19523)
+  * When view _Siderbar or _Footer, just display once (#19501) (#19522)
+  * Fix blame page select range error and some typos (#19503)
+  * Fix name of doctor fix "authorized-keys" in hints (#19464) (#19484)
+  * User specific repoID or xorm builder conditions for issue search (#19475) (#19476)
+  * Prevent dangling cat-file calls (goroutine alternative) (#19454) (#19466)
+  * RepoAssignment ensure to close before overwrite (#19449) (#19460)
+  * Set correct PR status on 3way on conflict checking (#19457) (#19458)
+  * Mark TemplateLoading error as "UnprocessableEntity" (#19445) (#19446)
+
 ## [1.16.6](https://github.com/go-gitea/gitea/releases/tag/v1.16.6) - 2022-04-20

 * ENHANCEMENTS
@@ -25,6 +25,7 @@ import (
 	repo_module "code.gitea.io/gitea/modules/repository"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/storage"
+	"code.gitea.io/gitea/modules/util"
 	auth_service "code.gitea.io/gitea/services/auth"
 	"code.gitea.io/gitea/services/auth/source/oauth2"
 	"code.gitea.io/gitea/services/auth/source/smtp"
@@ -113,6 +114,10 @@ var (
 				Name:  "access-token",
 				Usage: "Generate access token for the user",
 			},
+			cli.BoolFlag{
+				Name:  "restricted",
+				Usage: "Make a restricted user account",
+			},
 		},
 	}

@@ -537,17 +542,26 @@ func runCreateUser(c *cli.Context) error {
 		changePassword = c.Bool("must-change-password")
 	}

+	restricted := util.OptionalBoolNone
+
+	if c.IsSet("restricted") {
+		restricted = util.OptionalBoolOf(c.Bool("restricted"))
+	}
+
 	u := &user_model.User{
 		Name:               username,
 		Email:              c.String("email"),
 		Passwd:             password,
-		IsActive:           true,
 		IsAdmin:            c.Bool("admin"),
 		MustChangePassword: changePassword,
-		Theme:              setting.UI.DefaultTheme,
 	}

-	if err := user_model.CreateUser(u); err != nil {
+	overwriteDefault := &user_model.CreateUserOverwriteOptions{
+		IsActive:     util.OptionalBoolTrue,
+		IsRestricted: restricted,
+	}
+
+	if err := user_model.CreateUser(u, overwriteDefault); err != nil {
 		return fmt.Errorf("CreateUser: %v", err)
 	}

@@ -43,7 +43,7 @@ Vous devriez avoir une instance fonctionnelle de Gitea. Pour accèder à l'inter

 ## Named Volumes

-Ce guide aboutira à une installation avec les données Gita et PostgreSQL stockées dans des volumes nommés. Cela permet une sauvegarde, une restauration et des mises à niveau en toute simplicité.
+Ce guide aboutira à une installation avec les données Gitea et PostgreSQL stockées dans des volumes nommés. Cela permet une sauvegarde, une restauration et des mises à niveau en toute simplicité.

 ### The Database

@@ -37,7 +37,7 @@ require (
 	github.com/go-swagger/go-swagger v0.27.0
 	github.com/go-testfixtures/testfixtures/v3 v3.6.1
 	github.com/gobwas/glob v0.2.3
-	github.com/gogs/chardet v0.0.0-20191104214054-4b6791f73a28
+	github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f
 	github.com/gogs/cron v0.0.0-20171120032916-9f6c956d3e14
 	github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85
 	github.com/golang-jwt/jwt/v4 v4.3.0
@@ -102,7 +102,7 @@ require (
 	gopkg.in/yaml.v2 v2.4.0
 	mvdan.cc/xurls/v2 v2.2.0
 	strk.kbt.io/projects/go/libravatar v0.0.0-20191008002943-06d1c002b251
-	xorm.io/builder v0.3.9
+	xorm.io/builder v0.3.10
 	xorm.io/xorm v1.2.5
 )

@@ -649,8 +649,8 @@ github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXP
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/gogs/chardet v0.0.0-20191104214054-4b6791f73a28 h1:gBeyun7mySAKWg7Fb0GOcv0upX9bdaZScs8QcRo8mEY=
-github.com/gogs/chardet v0.0.0-20191104214054-4b6791f73a28/go.mod h1:Pcatq5tYkCW2Q6yrR2VRHlbHpZ/R4/7qyL1TCF7vl14=
+github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f h1:3BSP1Tbs2djlpprl7wCLuiqMaUh5SJkkzI2gDs+FgLs=
+github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f/go.mod h1:Pcatq5tYkCW2Q6yrR2VRHlbHpZ/R4/7qyL1TCF7vl14=
 github.com/gogs/cron v0.0.0-20171120032916-9f6c956d3e14 h1:yXtpJr/LV6PFu4nTLgfjQdcMdzjbqqXMEnHfq0Or6p8=
 github.com/gogs/cron v0.0.0-20171120032916-9f6c956d3e14/go.mod h1:jPoNZLWDAqA5N3G5amEoiNbhVrmM+ZQEcnQvNQ2KaZk=
 github.com/gogs/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85 h1:UjoPNDAQ5JPCjlxoJd6K8ALZqSDDhk2ymieAZOVaDg0=
@@ -2336,7 +2336,8 @@ sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
 sourcegraph.com/sourcegraph/appdash v0.0.0-20190731080439-ebfcffb1b5c0/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU=
 strk.kbt.io/projects/go/libravatar v0.0.0-20191008002943-06d1c002b251 h1:mUcz5b3FJbP5Cvdq7Khzn6J9OCUQJaBwgBkCR+MOwSs=
 strk.kbt.io/projects/go/libravatar v0.0.0-20191008002943-06d1c002b251/go.mod h1:FJGmPh3vz9jSos1L/F91iAgnC/aejc0wIIrF2ZwJxdY=
-xorm.io/builder v0.3.9 h1:Sd65/LdWyO7LR8+Cbd+e7mm3sK/7U9k0jS3999IDHMc=
 xorm.io/builder v0.3.9/go.mod h1:aUW0S9eb9VCaPohFCH3j7czOx1PMW3i1HrSzbLYGBSE=
+xorm.io/builder v0.3.10 h1:Rvkncad3Lo9YIVqCbgIf6QnpR/HcW3IEr0AANNpuyMQ=
+xorm.io/builder v0.3.10/go.mod h1:aUW0S9eb9VCaPohFCH3j7czOx1PMW3i1HrSzbLYGBSE=
 xorm.io/xorm v1.2.5 h1:tqN7OhN8P9xi52qBb76I8m5maAJMz/SSbgK2RGPCPbo=
 xorm.io/xorm v1.2.5/go.mod h1:fTG8tSjk6O1BYxwuohZUK+S1glnRycsCF05L1qQyEU0=
@@ -112,6 +112,13 @@ func TestMain(m *testing.M) {
 		}
 	}

+	os.Unsetenv("GIT_AUTHOR_NAME")
+	os.Unsetenv("GIT_AUTHOR_EMAIL")
+	os.Unsetenv("GIT_AUTHOR_DATE")
+	os.Unsetenv("GIT_COMMITTER_NAME")
+	os.Unsetenv("GIT_COMMITTER_EMAIL")
+	os.Unsetenv("GIT_COMMITTER_DATE")
+
 	err := unittest.InitFixtures(
 		unittest.FixturesOptions{
 			Dir: filepath.Join(filepath.Dir(setting.AppPath), "models/fixtures/"),
@@ -25,6 +25,8 @@ import (
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/test"
 	"code.gitea.io/gitea/services/pull"
+	repo_service "code.gitea.io/gitea/services/repository"
+	files_service "code.gitea.io/gitea/services/repository/files"

 	"github.com/stretchr/testify/assert"
 	"github.com/unknwon/i18n"
@@ -65,7 +67,7 @@ func testPullCleanUp(t *testing.T, session *TestSession, user, repo, pullnum str

 func TestPullMerge(t *testing.T) {
 	onGiteaRun(t, func(t *testing.T, giteaURL *url.URL) {
-		hookTasks, err := webhook.HookTasks(1, 1) //Retrieve previous hook number
+		hookTasks, err := webhook.HookTasks(1, 1) // Retrieve previous hook number
 		assert.NoError(t, err)
 		hookTasksLenBefore := len(hookTasks)

@@ -87,7 +89,7 @@ func TestPullMerge(t *testing.T) {

 func TestPullRebase(t *testing.T) {
 	onGiteaRun(t, func(t *testing.T, giteaURL *url.URL) {
-		hookTasks, err := webhook.HookTasks(1, 1) //Retrieve previous hook number
+		hookTasks, err := webhook.HookTasks(1, 1) // Retrieve previous hook number
 		assert.NoError(t, err)
 		hookTasksLenBefore := len(hookTasks)

@@ -109,7 +111,7 @@ func TestPullRebase(t *testing.T) {

 func TestPullRebaseMerge(t *testing.T) {
 	onGiteaRun(t, func(t *testing.T, giteaURL *url.URL) {
-		hookTasks, err := webhook.HookTasks(1, 1) //Retrieve previous hook number
+		hookTasks, err := webhook.HookTasks(1, 1) // Retrieve previous hook number
 		assert.NoError(t, err)
 		hookTasksLenBefore := len(hookTasks)

@@ -131,7 +133,7 @@ func TestPullRebaseMerge(t *testing.T) {

 func TestPullSquash(t *testing.T) {
 	onGiteaRun(t, func(t *testing.T, giteaURL *url.URL) {
-		hookTasks, err := webhook.HookTasks(1, 1) //Retrieve previous hook number
+		hookTasks, err := webhook.HookTasks(1, 1) // Retrieve previous hook number
 		assert.NoError(t, err)
 		hookTasksLenBefore := len(hookTasks)

@@ -335,3 +337,74 @@ func TestCantMergeUnrelated(t *testing.T) {
 		gitRepo.Close()
 	})
 }
+
+func TestConflictChecking(t *testing.T) {
+	onGiteaRun(t, func(t *testing.T, giteaURL *url.URL) {
+		user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}).(*user_model.User)
+
+		// Create new clean repo to test conflict checking.
+		baseRepo, err := repo_service.CreateRepository(user, user, models.CreateRepoOptions{
+			Name:          "conflict-checking",
+			Description:   "Tempo repo",
+			AutoInit:      true,
+			Readme:        "Default",
+			DefaultBranch: "main",
+		})
+		assert.NoError(t, err)
+		assert.NotEmpty(t, baseRepo)
+
+		// create a commit on new branch.
+		_, err = files_service.CreateOrUpdateRepoFile(baseRepo, user, &files_service.UpdateRepoFileOptions{
+			TreePath:  "important_file",
+			Message:   "Add a important file",
+			Content:   "Just a non-important file",
+			IsNewFile: true,
+			OldBranch: "main",
+			NewBranch: "important-secrets",
+		})
+		assert.NoError(t, err)
+
+		// create a commit on main branch.
+		_, err = files_service.CreateOrUpdateRepoFile(baseRepo, user, &files_service.UpdateRepoFileOptions{
+			TreePath:  "important_file",
+			Message:   "Add a important file",
+			Content:   "Not the same content :P",
+			IsNewFile: true,
+			OldBranch: "main",
+			NewBranch: "main",
+		})
+		assert.NoError(t, err)
+
+		// create Pull to merge the important-secrets branch into main branch.
+		pullIssue := &models.Issue{
+			RepoID:   baseRepo.ID,
+			Title:    "PR with conflict!",
+			PosterID: user.ID,
+			Poster:   user,
+			IsPull:   true,
+		}
+
+		pullRequest := &models.PullRequest{
+			HeadRepoID: baseRepo.ID,
+			BaseRepoID: baseRepo.ID,
+			HeadBranch: "important-secrets",
+			BaseBranch: "main",
+			HeadRepo:   baseRepo,
+			BaseRepo:   baseRepo,
+			Type:       models.PullRequestGitea,
+		}
+		err = pull.NewPullRequest(baseRepo, pullIssue, nil, nil, pullRequest, nil)
+		assert.NoError(t, err)
+
+		issue := unittest.AssertExistsAndLoadBean(t, &models.Issue{Title: "PR with conflict!"}).(*models.Issue)
+		conflictingPR, err := models.GetPullRequestByIssueID(issue.ID)
+		assert.NoError(t, err)
+
+		// Ensure conflictedFiles is populated.
+		assert.Equal(t, 1, len(conflictingPR.ConflictedFiles))
+		// Check if status is correct.
+		assert.Equal(t, models.PullRequestStatusConflict, conflictingPR.Status)
+		// Ensure that mergeable returns false
+		assert.False(t, conflictingPR.Mergeable())
+	})
+}
@@ -337,7 +337,7 @@ func GetFeeds(opts GetFeedsOptions) ([]*Action, error) {

 	actions := make([]*Action, 0, setting.UI.FeedPagingNum)

-	if err := db.GetEngine(db.DefaultContext).Limit(setting.UI.FeedPagingNum).Desc("created_unix").Where(cond).Find(&actions); err != nil {
+	if err := db.GetEngine(db.DefaultContext).Limit(setting.UI.FeedPagingNum).Desc("`action`.created_unix").Where(cond).Join("INNER", "repository", "`repository`.id = `action`.repo_id").Find(&actions); err != nil {
 		return nil, fmt.Errorf("Find: %v", err)
 	}

@@ -401,7 +401,7 @@ func activityQueryCondition(opts GetFeedsOptions) (builder.Cond, error) {
 		cond = cond.And(builder.Eq{"act_user_id": opts.RequestedUser.ID})
 	}
 	if !opts.IncludePrivate {
-		cond = cond.And(builder.Eq{"is_private": false})
+		cond = cond.And(builder.Eq{"`action`.is_private": false})
 	}
 	if !opts.IncludeDeleted {
 		cond = cond.And(builder.Eq{"is_deleted": false})
@@ -414,8 +414,8 @@ func activityQueryCondition(opts GetFeedsOptions) (builder.Cond, error) {
 		} else {
 			dateHigh := dateLow.Add(86399000000000) // 23h59m59s

-			cond = cond.And(builder.Gte{"created_unix": dateLow.Unix()})
-			cond = cond.And(builder.Lte{"created_unix": dateHigh.Unix()})
+			cond = cond.And(builder.Gte{"`action`.created_unix": dateLow.Unix()})
+			cond = cond.And(builder.Lte{"`action`.created_unix": dateHigh.Unix()})
 		}
 	}

@@ -129,3 +129,20 @@ func TestNotifyWatchers(t *testing.T) {
 		OpType:    action.OpType,
 	})
 }
+
+func TestGetFeedsCorrupted(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 1}).(*user_model.User)
+	unittest.AssertExistsAndLoadBean(t, &Action{
+		ID:     8,
+		RepoID: 1700,
+	})
+
+	actions, err := GetFeeds(GetFeedsOptions{
+		RequestedUser:  user,
+		Actor:          user,
+		IncludePrivate: true,
+	})
+	assert.NoError(t, err)
+	assert.Len(t, actions, 0)
+}
@@ -9,6 +9,7 @@ import (
 	"code.gitea.io/gitea/models/db"
 	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/setting"

 	"xorm.io/builder"
 )
@@ -247,3 +248,23 @@ func FixIssueLabelWithOutsideLabels() (int64, error) {

 	return res.RowsAffected()
 }
+
+// CountActionCreatedUnixString count actions where created_unix is an empty string
+func CountActionCreatedUnixString() (int64, error) {
+	if setting.Database.UseSQLite3 {
+		return db.GetEngine(db.DefaultContext).Where(`created_unix = ""`).Count(new(Action))
+	}
+	return 0, nil
+}
+
+// FixActionCreatedUnixString set created_unix to zero if it is an empty string
+func FixActionCreatedUnixString() (int64, error) {
+	if setting.Database.UseSQLite3 {
+		res, err := db.GetEngine(db.DefaultContext).Exec(`UPDATE action SET created_unix = 0 WHERE created_unix = ""`)
+		if err != nil {
+			return 0, err
+		}
+		return res.RowsAffected()
+	}
+	return 0, nil
+}
@@ -9,6 +9,7 @@ import (

 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/unittest"
+	"code.gitea.io/gitea/modules/setting"

 	"github.com/stretchr/testify/assert"
 )
@@ -33,3 +34,46 @@ func TestDeleteOrphanedObjects(t *testing.T) {
 	assert.NoError(t, err)
 	assert.EqualValues(t, countBefore, countAfter)
 }
+
+func TestConsistencyUpdateAction(t *testing.T) {
+	if !setting.Database.UseSQLite3 {
+		t.Skip("Test is only for SQLite database.")
+	}
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	id := 8
+	unittest.AssertExistsAndLoadBean(t, &Action{
+		ID: int64(id),
+	})
+	_, err := db.GetEngine(db.DefaultContext).Exec(`UPDATE action SET created_unix = "" WHERE id = ?`, id)
+	assert.NoError(t, err)
+	actions := make([]*Action, 0, 1)
+	//
+	// XORM returns an error when created_unix is a string
+	//
+	err = db.GetEngine(db.DefaultContext).Where("id = ?", id).Find(&actions)
+	if assert.Error(t, err) {
+		assert.Contains(t, err.Error(), "type string to a int64: invalid syntax")
+	}
+	//
+	// Get rid of incorrectly set created_unix
+	//
+	count, err := CountActionCreatedUnixString()
+	assert.NoError(t, err)
+	assert.EqualValues(t, 1, count)
+	count, err = FixActionCreatedUnixString()
+	assert.NoError(t, err)
+	assert.EqualValues(t, 1, count)
+
+	count, err = CountActionCreatedUnixString()
+	assert.NoError(t, err)
+	assert.EqualValues(t, 0, count)
+	count, err = FixActionCreatedUnixString()
+	assert.NoError(t, err)
+	assert.EqualValues(t, 0, count)
+
+	//
+	// XORM must be happy now
+	//
+	assert.NoError(t, db.GetEngine(db.DefaultContext).Where("id = ?", id).Find(&actions))
+	unittest.CheckConsistencyFor(t, &Action{})
+}
@@ -332,7 +332,6 @@ type ErrInvalidCloneAddr struct {
 	IsProtocolInvalid  bool
 	IsPermissionDenied bool
 	LocalPath          bool
-	NotResolvedIP      bool
 }

 // IsErrInvalidCloneAddr checks if an error is a ErrInvalidCloneAddr.
@@ -342,9 +341,6 @@ func IsErrInvalidCloneAddr(err error) bool {
 }

 func (err *ErrInvalidCloneAddr) Error() string {
-	if err.NotResolvedIP {
-		return fmt.Sprintf("migration/cloning from '%s' is not allowed: unknown hostname", err.Host)
-	}
 	if err.IsInvalidPath {
 		return fmt.Sprintf("migration/cloning from '%s' is not allowed: the provided path is invalid", err.Host)
 	}
@@ -56,3 +56,11 @@
  repo_id: 8
  is_private: false
  created_unix: 1603011540 # grouped with id:7
+
+- id: 8
+  user_id: 1
+  op_type: 12 # close issue
+  act_user_id: 1
+  repo_id: 1700 # dangling intentional
+  is_private: false
+  created_unix: 1603011541
@@ -1165,7 +1165,8 @@ func GetIssuesByIDs(issueIDs []int64) ([]*Issue, error) {
 // IssuesOptions represents options of an issue.
 type IssuesOptions struct {
 	db.ListOptions
-	RepoIDs            []int64 // include all repos if empty
+	RepoID             int64 // overwrites RepoCond if not 0
+	RepoCond           builder.Cond
 	AssigneeID         int64
 	PosterID           int64
 	MentionedID        int64
@@ -1256,15 +1257,15 @@ func (opts *IssuesOptions) setupSessionNoLimit(sess *xorm.Session) {
 		sess.In("issue.id", opts.IssueIDs)
 	}

-	if len(opts.RepoIDs) > 0 {
-		applyReposCondition(sess, opts.RepoIDs)
+	if opts.RepoID != 0 {
+		opts.RepoCond = builder.Eq{"issue.repo_id": opts.RepoID}
+	}
+	if opts.RepoCond != nil {
+		sess.And(opts.RepoCond)
 	}

-	switch opts.IsClosed {
-	case util.OptionalBoolTrue:
-		sess.And("issue.is_closed=?", true)
-	case util.OptionalBoolFalse:
-		sess.And("issue.is_closed=?", false)
+	if !opts.IsClosed.IsNone() {
+		sess.And("issue.is_closed=?", opts.IsClosed.IsTrue())
 	}

 	if opts.AssigneeID > 0 {
@@ -1345,9 +1346,7 @@ func (opts *IssuesOptions) setupSessionNoLimit(sess *xorm.Session) {
 	}

 	if opts.User != nil {
-		sess.And(
-			issuePullAccessibleRepoCond("issue.repo_id", opts.User.ID, opts.Org, opts.Team, opts.IsPull.IsTrue()),
-		)
+		sess.And(issuePullAccessibleRepoCond("issue.repo_id", opts.User.ID, opts.Org, opts.Team, opts.IsPull.IsTrue()))
 	}
 }

@@ -1383,10 +1382,6 @@ func issuePullAccessibleRepoCond(repoIDstr string, userID int64, org *Organizati
 	return cond
 }

-func applyReposCondition(sess *xorm.Session, repoIDs []int64) *xorm.Session {
-	return sess.In("issue.repo_id", repoIDs)
-}
-
 func applyAssigneeCondition(sess *xorm.Session, assigneeID int64) *xorm.Session {
 	return sess.Join("INNER", "issue_assignees", "issue.id = issue_assignees.issue_id").
 		And("issue_assignees.assignee_id = ?", assigneeID)
@@ -1416,7 +1411,6 @@ func CountIssuesByRepo(opts *IssuesOptions) (map[int64]int64, error) {
 	e := db.GetEngine(db.DefaultContext)

 	sess := e.Join("INNER", "repository", "`issue`.repo_id = `repository`.id")
-
 	opts.setupSessionNoLimit(sess)

 	countsSlice := make([]*struct {
@@ -1443,7 +1437,6 @@ func GetRepoIDsForIssuesOptions(opts *IssuesOptions, user *user_model.User) ([]i
 	e := db.GetEngine(db.DefaultContext)

 	sess := e.Join("INNER", "repository", "`issue`.repo_id = `repository`.id")
-
 	opts.setupSessionNoLimit(sess)

 	accessCond := accessibleRepositoryCondition(user)
@@ -1488,6 +1481,7 @@ func CountIssues(opts *IssuesOptions) (int64, error) {
 	sess := e.Select("COUNT(issue.id) AS count").Table("issue")
 	sess.Join("INNER", "repository", "`issue`.repo_id = `repository`.id")
 	opts.setupSessionNoLimit(sess)
+
 	if err := sess.Find(&countsSlice); err != nil {
 		return 0, fmt.Errorf("unable to CountIssues: %w", err)
 	}
@@ -101,12 +101,9 @@ func (label *Label) CalOpenIssues() {

 // CalOpenOrgIssues calculates the open issues of a label for a specific repo
 func (label *Label) CalOpenOrgIssues(repoID, labelID int64) {
-	repoIDs := []int64{repoID}
-	labelIDs := []int64{labelID}
-
 	counts, _ := CountIssuesByRepo(&IssuesOptions{
-		RepoIDs:  repoIDs,
-		LabelIDs: labelIDs,
+		RepoID:   repoID,
+		LabelIDs: []int64{labelID},
 	})

 	for _, count := range counts {
@@ -17,6 +17,7 @@ import (
 	user_model "code.gitea.io/gitea/models/user"

 	"github.com/stretchr/testify/assert"
+	"xorm.io/builder"
 )

 func TestIssue_ReplaceLabels(t *testing.T) {
@@ -153,7 +154,7 @@ func TestIssues(t *testing.T) {
 		},
 		{
 			IssuesOptions{
-				RepoIDs:  []int64{1, 3},
+				RepoCond: builder.In("repo_id", 1, 3),
 				SortType: "oldest",
 				ListOptions: db.ListOptions{
 					Page:     1,
@@ -340,7 +341,7 @@ func TestGetRepoIDsForIssuesOptions(t *testing.T) {
 		},
 		{
 			IssuesOptions{
-				RepoIDs: []int64{1, 2},
+				RepoCond: builder.In("repo_id", 1, 2),
 			},
 			[]int64{1, 2},
 		},
@@ -453,7 +453,7 @@ Please try upgrading to a lower version first (suggested v1.6.4), then upgrade t

 	// Downgrading Gitea's database version not supported
 	if int(v-minDBVersion) > len(migrations) {
-		msg := fmt.Sprintf("Your database (migration version: %d) is for a newer Gita, you can not use the newer database for this old Gitea release (%d).", v, minDBVersion+len(migrations))
+		msg := fmt.Sprintf("Your database (migration version: %d) is for a newer Gitea, you can not use the newer database for this old Gitea release (%d).", v, minDBVersion+len(migrations))
 		msg += "\nGitea will exit to keep your database safe and unchanged. Please use the correct Gitea release, do not change the migration version manually (incorrect manual operation may lose data)."
 		if !setting.IsProd {
 			msg += fmt.Sprintf("\nIf you are in development and really know what you're doing, you can force changing the migration version by executing: UPDATE version SET version=%d WHERE id=1;", minDBVersion+len(migrations))
@@ -697,3 +697,14 @@ func (pr *PullRequest) GetHeadBranchHTMLURL() string {
 	}
 	return pr.HeadRepo.HTMLURL() + "/src/branch/" + util.PathEscapeSegments(pr.HeadBranch)
 }
+
+// Mergeable returns if the pullrequest is mergeable.
+func (pr *PullRequest) Mergeable() bool {
+	// If a pull request isn't mergable if it's:
+	// - Being conflict checked.
+	// - Has a conflict.
+	// - Received a error while being conflict checked.
+	// - Is a work-in-progress pull request.
+	return pr.Status != PullRequestStatusChecking && pr.Status != PullRequestStatusConflict &&
+		pr.Status != PullRequestStatusError && !pr.IsWorkInProgress()
+}
@@ -132,7 +132,7 @@ func CheckRepoUnitUser(repo *repo_model.Repository, user *user_model.User, unitT
 }

 func checkRepoUnitUser(ctx context.Context, repo *repo_model.Repository, user *user_model.User, unitType unit.Type) bool {
-	if user.IsAdmin {
+	if user != nil && user.IsAdmin {
 		return true
 	}
 	perm, err := getUserRepoPermission(ctx, repo, user)
@@ -233,14 +233,28 @@ func teamUnitsRepoCond(id string, userID, orgID, teamID int64, units ...unit.Typ
 		builder.Select("repo_id").From("team_repo").Where(
 			builder.Eq{
 				"team_id": teamID,
-			}.And(
+			}.And(builder.Or(
+				// Check if the user is member of the team.
 				builder.In(
 					"team_id", builder.Select("team_id").From("team_user").Where(
 						builder.Eq{
 							"uid": userID,
 						},
 					),
-				)).And(
+				),
+				// Check if the user is in the owner team of the organisation.
+				builder.Exists(builder.Select("team_id").From("team_user").
+					Where(builder.Eq{
+						"org_id": orgID,
+						"team_id": builder.Select("id").From("team").Where(
+							builder.Eq{
+								"org_id":     orgID,
+								"lower_name": strings.ToLower(ownerTeamName),
+							}),
+						"uid": userID,
+					}),
+				),
+			)).And(
 				builder.In(
 					"team_id", builder.Select("team_id").From("team_unit").Where(
 						builder.Eq{
@@ -175,8 +175,10 @@ func init() {

 	checkForActionConsistency := func(t assert.TestingT, bean interface{}) {
 		action := reflectionWrap(bean)
-		repoRow := AssertExistsAndLoadMap(t, "repository", builder.Eq{"id": action.int("RepoID")})
-		assert.Equal(t, parseBool(repoRow["is_private"]), action.bool("IsPrivate"), "action: %+v", action)
+		if action.int("RepoID") != 1700 { // dangling intentional
+			repoRow := AssertExistsAndLoadMap(t, "repository", builder.Eq{"id": action.int("RepoID")})
+			assert.Equal(t, parseBool(repoRow["is_private"]), action.bool("IsPrivate"), "action: %+v", action)
+		}
 	}

 	consistencyCheckMap["user"] = checkForUserConsistency
@@ -13,6 +13,7 @@ import (
 	_ "image/jpeg" // Needed for jpeg support

 	asymkey_model "code.gitea.io/gitea/models/asymkey"
+	auth_model "code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
@@ -83,6 +84,11 @@ func DeleteUser(ctx context.Context, u *user_model.User) (err error) {
 	}
 	// ***** END: Follow *****

+	if _, err := db.GetEngine(ctx).In("grant_id", builder.Select("id").From("oauth2_grant").Where(builder.Eq{"oauth2_grant.user_id": u.ID})).
+		Delete(&auth_model.OAuth2AuthorizationCode{}); err != nil {
+		return err
+	}
+
 	if err = deleteBeans(e,
 		&AccessToken{UID: u.ID},
 		&Collaboration{UserID: u.ID},
@@ -100,6 +106,8 @@ func DeleteUser(ctx context.Context, u *user_model.User) (err error) {
 		&Collaboration{UserID: u.ID},
 		&Stopwatch{UserID: u.ID},
 		&user_model.Setting{UserID: u.ID},
+		&auth_model.OAuth2Application{UID: u.ID},
+		&auth_model.OAuth2Grant{UserID: u.ID},
 	); err != nil {
 		return fmt.Errorf("deleteBeans: %v", err)
 	}
@@ -622,7 +622,14 @@ func IsUsableUsername(name string) error {

 // CreateUserOverwriteOptions are an optional options who overwrite system defaults on user creation
 type CreateUserOverwriteOptions struct {
-	Visibility structs.VisibleType
+	KeepEmailPrivate             util.OptionalBool
+	Visibility                   *structs.VisibleType
+	AllowCreateOrganization      util.OptionalBool
+	EmailNotificationsPreference *string
+	MaxRepoCreation              *int
+	Theme                        *string
+	IsRestricted                 util.OptionalBool
+	IsActive                     util.OptionalBool
 }

 // CreateUser creates record of a new user.
@@ -638,10 +645,36 @@ func CreateUser(u *User, overwriteDefault ...*CreateUserOverwriteOptions) (err e
 	u.EmailNotificationsPreference = setting.Admin.DefaultEmailNotification
 	u.MaxRepoCreation = -1
 	u.Theme = setting.UI.DefaultTheme
+	u.IsRestricted = setting.Service.DefaultUserIsRestricted
+	u.IsActive = !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm)

 	// overwrite defaults if set
 	if len(overwriteDefault) != 0 && overwriteDefault[0] != nil {
-		u.Visibility = overwriteDefault[0].Visibility
+		overwrite := overwriteDefault[0]
+		if !overwrite.KeepEmailPrivate.IsNone() {
+			u.KeepEmailPrivate = overwrite.KeepEmailPrivate.IsTrue()
+		}
+		if overwrite.Visibility != nil {
+			u.Visibility = *overwrite.Visibility
+		}
+		if !overwrite.AllowCreateOrganization.IsNone() {
+			u.AllowCreateOrganization = overwrite.AllowCreateOrganization.IsTrue()
+		}
+		if overwrite.EmailNotificationsPreference != nil {
+			u.EmailNotificationsPreference = *overwrite.EmailNotificationsPreference
+		}
+		if overwrite.MaxRepoCreation != nil {
+			u.MaxRepoCreation = *overwrite.MaxRepoCreation
+		}
+		if overwrite.Theme != nil {
+			u.Theme = *overwrite.Theme
+		}
+		if !overwrite.IsRestricted.IsNone() {
+			u.IsRestricted = overwrite.IsRestricted.IsTrue()
+		}
+		if !overwrite.IsActive.IsNone() {
+			u.IsActive = overwrite.IsActive.IsTrue()
+		}
 	}

 	// validate data
@@ -288,6 +288,7 @@ func APIContexter() func(http.Handler) http.Handler {
 				},
 				Org: &APIOrganization{},
 			}
+			defer ctx.Close()

 			ctx.Req = WithAPIContext(WithContext(req, ctx.Context), &ctx)
 			ctx.csrf = Csrfer(csrfOpts, ctx.Context)
@@ -71,6 +71,16 @@ type Context struct {
 	Org  *Organization
 }

+// Close frees all resources hold by Context
+func (ctx *Context) Close() error {
+	var err error
+	if ctx.Req != nil && ctx.Req.MultipartForm != nil {
+		err = ctx.Req.MultipartForm.RemoveAll() // remove the temp files buffered to tmp directory
+	}
+	// TODO: close opened repo, and more
+	return err
+}
+
 // TrHTMLEscapeArgs runs Tr but pre-escapes all arguments with html.EscapeString.
 // This is useful if the locale message is intended to only produce HTML content.
 func (ctx *Context) TrHTMLEscapeArgs(msg string, args ...string) string {
@@ -643,6 +653,8 @@ func Contexter() func(next http.Handler) http.Handler {
 					"RunModeIsProd": setting.IsProd,
 				},
 			}
+			defer ctx.Close()
+
 			// PageData is passed by reference, and it will be rendered to `window.config.pageData` in `head.tmpl` for JavaScript modules
 			ctx.PageData = map[string]interface{}{}
 			ctx.Data["PageData"] = ctx.PageData
@@ -70,12 +70,6 @@ func HandleOrgAssignment(ctx *Context, args ...bool) {
 	org := ctx.Org.Organization
 	ctx.Data["Org"] = org

-	teams, err := org.LoadTeams()
-	if err != nil {
-		ctx.ServerError("LoadTeams", err)
-	}
-	ctx.Data["OrgTeams"] = teams
-
 	// Admin has super access.
 	if ctx.IsSigned && ctx.User.IsAdmin {
 		ctx.Org.IsOwner = true
@@ -38,6 +38,8 @@ func PrivateContexter() func(http.Handler) http.Handler {
 					Data: map[string]interface{}{},
 				},
 			}
+			defer ctx.Close()
+
 			ctx.Req = WithPrivateContext(req, ctx)
 			next.ServeHTTP(ctx.Resp, ctx.Req)
 		})
@@ -410,6 +410,12 @@ func RepoIDAssignment() func(ctx *Context) {

 // RepoAssignment returns a middleware to handle repository assignment
 func RepoAssignment(ctx *Context) (cancel context.CancelFunc) {
+	if _, repoAssignmentOnce := ctx.Data["repoAssignmentExecuted"]; repoAssignmentOnce {
+		log.Trace("RepoAssignment was exec already, skipping second call ...")
+		return
+	}
+	ctx.Data["repoAssignmentExecuted"] = true
+
 	var (
 		owner *user_model.User
 		err   error
@@ -592,6 +598,9 @@ func RepoAssignment(ctx *Context) (cancel context.CancelFunc) {
 		ctx.ServerError("RepoAssignment Invalid repo "+repo_model.RepoPath(userName, repoName), err)
 		return
 	}
+	if ctx.Repo.GitRepo != nil {
+		ctx.Repo.GitRepo.Close()
+	}
 	ctx.Repo.GitRepo = gitRepo

 	// We opened it, we should close it
@@ -67,6 +67,7 @@ func ToAPIPullRequest(pr *models.PullRequest, doer *user_model.User) *api.PullRe
 		PatchURL:  pr.Issue.PatchURL(),
 		HasMerged: pr.HasMerged,
 		MergeBase: pr.MergeBase,
+		Mergeable: pr.Mergeable(),
 		Deadline:  apiIssue.Deadline,
 		Created:   pr.Issue.CreatedUnix.AsTimePtr(),
 		Updated:   pr.Issue.UpdatedUnix.AsTimePtr(),
@@ -190,10 +191,6 @@ func ToAPIPullRequest(pr *models.PullRequest, doer *user_model.User) *api.PullRe
 		}
 	}

-	if pr.Status != models.PullRequestStatusChecking {
-		mergeable := !(pr.Status == models.PullRequestStatusConflict || pr.Status == models.PullRequestStatusError) && !pr.IsWorkInProgress()
-		apiPullRequest.Mergeable = mergeable
-	}
 	if pr.HasMerged {
 		apiPullRequest.Merged = pr.MergedUnix.AsTimePtr()
 		apiPullRequest.MergedCommitID = &pr.MergedCommitID
@@ -71,8 +71,8 @@ func checkAuthorizedKeys(logger log.Logger, autofix bool) error {
 				"authorized_keys file %q is out of date.\nRegenerate it with:\n\t\"%s\"\nor\n\t\"%s\"",
 				fPath,
 				"gitea admin regenerate keys",
-				"gitea doctor --run authorized_keys --fix")
-			return fmt.Errorf(`authorized_keys is out of date and should be regenerated with "gitea admin regenerate keys" or "gitea doctor --run authorized_keys --fix"`)
+				"gitea doctor --run authorized-keys --fix")
+			return fmt.Errorf(`authorized_keys is out of date and should be regenerated with "gitea admin regenerate keys" or "gitea doctor --run authorized-keys --fix"`)
 		}
 		logger.Warn("authorized_keys is out of date. Attempting rewrite...")
 		err = asymkey_model.RewriteAllPublicKeys()
@@ -142,6 +142,12 @@ func checkDBConsistency(logger log.Logger, autofix bool) error {
 			Fixer:        models.FixIssueLabelWithOutsideLabels,
 			FixedMessage: "Removed",
 		},
+		{
+			Name:         "Action with created_unix set as an empty string",
+			Counter:      models.CountActionCreatedUnixString,
+			Fixer:        models.FixActionCreatedUnixString,
+			FixedMessage: "Set to zero",
+		},
 	}

 	// TODO: function to recalc all counters
@@ -177,6 +183,18 @@ func checkDBConsistency(logger log.Logger, autofix bool) error {
 		// find access without repository
 		genericOrphanCheck("Access entries without existing repository",
 			"access", "repository", "access.repo_id=repository.id"),
+		// find action without repository
+		genericOrphanCheck("Action entries without existing repository",
+			"action", "repository", "action.repo_id=repository.id"),
+		// find OAuth2Grant without existing user
+		genericOrphanCheck("Orphaned OAuth2Grant without existing User",
+			"oauth2_grant", "user", "oauth2_grant.user_id=user.id"),
+		// find OAuth2Application without existing user
+		genericOrphanCheck("Orphaned OAuth2Application without existing User",
+			"oauth2_application", "user", "oauth2_application.uid=user.id"),
+		// find OAuth2AuthorizationCode without existing OAuth2Grant
+		genericOrphanCheck("Orphaned OAuth2AuthorizationCode without existing OAuth2Grant",
+			"oauth2_authorization_code", "oauth2_grant", "oauth2_authorization_code.grant_id=oauth2_grant.id"),
 	)

 	for _, c := range consistencyChecks {
@@ -54,6 +54,12 @@ func CatFileBatchCheck(ctx context.Context, repoPath string) (WriteCloserError,
 		<-closed
 	}

+	// Ensure cancel is called as soon as the provided context is cancelled
+	go func() {
+		<-ctx.Done()
+		cancel()
+	}()
+
 	_, filename, line, _ := runtime.Caller(2)
 	filename = strings.TrimPrefix(filename, callerPrefix)

@@ -93,6 +99,12 @@ func CatFileBatch(ctx context.Context, repoPath string) (WriteCloserError, *bufi
 		<-closed
 	}

+	// Ensure cancel is called as soon as the provided context is cancelled
+	go func() {
+		<-ctx.Done()
+		cancel()
+	}()
+
 	_, filename, line, _ := runtime.Caller(2)
 	filename = strings.TrimPrefix(filename, callerPrefix)

@@ -119,12 +119,10 @@ type CheckAttributeReader struct {
 	env         []string
 	ctx         context.Context
 	cancel      context.CancelFunc
-	running     chan struct{}
 }

 // Init initializes the cmd
 func (c *CheckAttributeReader) Init(ctx context.Context) error {
-	c.running = make(chan struct{})
 	cmdArgs := []string{"check-attr", "--stdin", "-z"}

 	if len(c.IndexFile) > 0 && CheckGitVersionAtLeast("1.7.8") == nil {
@@ -183,14 +181,7 @@ func (c *CheckAttributeReader) Run() error {
 		_ = c.stdOut.Close()
 	}()
 	stdErr := new(bytes.Buffer)
-	err := c.cmd.RunInDirTimeoutEnvFullPipelineFunc(c.env, -1, c.Repo.Path, c.stdOut, stdErr, c.stdinReader, func(_ context.Context, _ context.CancelFunc) error {
-		select {
-		case <-c.running:
-		default:
-			close(c.running)
-		}
-		return nil
-	})
+	err := c.cmd.RunInDirTimeoutEnvFullPipeline(c.env, -1, c.Repo.Path, c.stdOut, stdErr, c.stdinReader)
 	if err != nil && //                      If there is an error we need to return but:
 		c.ctx.Err() != err && //             1. Ignore the context error if the context is cancelled or exceeds the deadline (RunWithContext could return c.ctx.Err() which is Canceled or DeadlineExceeded)
 		err.Error() != "signal: killed" { // 2. We should not pass up errors due to the program being killed
@@ -210,7 +201,7 @@ func (c *CheckAttributeReader) CheckPath(path string) (rs map[string]string, err
 	select {
 	case <-c.ctx.Done():
 		return nil, c.ctx.Err()
-	case <-c.running:
+	default:
 	}

 	if _, err = c.stdinWriter.Write([]byte(path + "\x00")); err != nil {
@@ -237,11 +228,6 @@ func (c *CheckAttributeReader) CheckPath(path string) (rs map[string]string, err
 func (c *CheckAttributeReader) Close() error {
 	c.cancel()
 	err := c.stdinWriter.Close()
-	select {
-	case <-c.running:
-	default:
-		close(c.running)
-	}
 	return err
 }

@@ -127,13 +127,18 @@ func (hl *HostMatchList) checkIP(ip net.IP) bool {

 // MatchHostName checks if the host matches an allow/deny(block) list
 func (hl *HostMatchList) MatchHostName(host string) bool {
+	hostname, _, err := net.SplitHostPort(host)
+	if err != nil {
+		hostname = host
+	}
+
 	if hl == nil {
 		return false
 	}
-	if hl.checkPattern(host) {
+	if hl.checkPattern(hostname) {
 		return true
 	}
-	if ip := net.ParseIP(host); ip != nil {
+	if ip := net.ParseIP(hostname); ip != nil {
 		return hl.checkIP(ip)
 	}
 	return false
@@ -38,6 +38,7 @@ func TestHostOrIPMatchesList(t *testing.T) {

 		{"", net.ParseIP("10.0.1.1"), true},
 		{"10.0.1.1", nil, true},
+		{"10.0.1.1:8080", nil, true},
 		{"", net.ParseIP("192.168.1.1"), true},
 		{"192.168.1.1", nil, true},
 		{"", net.ParseIP("fd00::1"), true},
@@ -48,6 +49,7 @@ func TestHostOrIPMatchesList(t *testing.T) {

 		{"mydomain.com", net.IPv4zero, false},
 		{"sub.mydomain.com", net.IPv4zero, true},
+		{"sub.mydomain.com:8080", net.IPv4zero, true},

 		{"", net.ParseIP("169.254.1.1"), true},
 		{"169.254.1.1", nil, true},
@@ -130,7 +130,7 @@ func Init() {
 		log.Info("PID: %d Repository Indexer closed", os.Getpid())
 	})

-	waitChannel := make(chan time.Duration)
+	waitChannel := make(chan time.Duration, 1)

 	// Create the Queue
 	switch setting.Indexer.RepoType {
@@ -98,7 +98,7 @@ var (
 // InitIssueIndexer initialize issue indexer, syncReindex is true then reindex until
 // all issue index done.
 func InitIssueIndexer(syncReindex bool) {
-	waitChannel := make(chan time.Duration)
+	waitChannel := make(chan time.Duration, 1)

 	// Create the Queue
 	switch setting.Indexer.IssueType {
@@ -272,7 +272,7 @@ func populateIssueIndexer(ctx context.Context) {
 // UpdateRepoIndexer add/update all issues of the repositories
 func UpdateRepoIndexer(repo *repo_model.Repository) {
 	is, err := models.Issues(&models.IssuesOptions{
-		RepoIDs:  []int64{repo.ID},
+		RepoID:   repo.ID,
 		IsClosed: util.OptionalBoolNone,
 		IsPull:   util.OptionalBoolNone,
 	})
@@ -19,6 +19,10 @@ import (
 // they use to detect if there is a block and will grow and shrink in
 // response to demand as per configuration.
 type WorkerPool struct {
+	// This field requires to be the first one in the struct.
+	// This is to allow 64 bit atomic operations on 32-bit machines.
+	// See: https://pkg.go.dev/sync/atomic#pkg-note-BUG & Gitea issue 19518
+	numInQueue         int64
 	lock               sync.Mutex
 	baseCtx            context.Context
 	baseCtxCancel      context.CancelFunc
@@ -32,7 +36,6 @@ type WorkerPool struct {
 	blockTimeout       time.Duration
 	boostTimeout       time.Duration
 	boostWorkers       int
-	numInQueue         int64
 }

 // WorkerPoolConfiguration is the basic configuration for a WorkerPool
@@ -92,7 +92,7 @@ func MigrateRepositoryGitData(ctx context.Context, u *user_model.User,
 				return repo, fmt.Errorf("Failed to remove %s: %v", wikiPath, err)
 			}

-			if err = git.CloneWithContext(ctx, wikiRemotePath, wikiPath, git.CloneRepoOptions{
+			if err := git.CloneWithContext(ctx, wikiRemotePath, wikiPath, git.CloneRepoOptions{
 				Mirror:        true,
 				Quiet:         true,
 				Timeout:       migrateTimeout,
@@ -103,11 +103,12 @@ func MigrateRepositoryGitData(ctx context.Context, u *user_model.User,
 				if err := util.RemoveAll(wikiPath); err != nil {
 					return repo, fmt.Errorf("Failed to remove %s: %v", wikiPath, err)
 				}
+			} else {
+				if err := git.WriteCommitGraph(ctx, wikiPath); err != nil {
+					return repo, err
+				}
 			}
 		}
-		if err := git.WriteCommitGraph(ctx, wikiPath); err != nil {
-			return repo, err
-		}
 	}

 	if repo.OwnerID == u.ID {
@@ -19,6 +19,7 @@ type CreateUserOption struct {
 	Password           string `json:"password" binding:"Required;MaxSize(255)"`
 	MustChangePassword *bool  `json:"must_change_password"`
 	SendNotify         bool   `json:"send_notify"`
+	Restricted         *bool  `json:"restricted"`
 	Visibility         string `json:"visibility" binding:"In(,public,limited,private)"`
 }

@@ -39,6 +39,7 @@ func MockContext(t *testing.T, path string) *context.Context {
 		Resp:   context.NewResponse(resp),
 		Locale: &mockLocale{},
 	}
+	defer ctx.Close()

 	requestURL, err := url.Parse(path)
 	assert.NoError(t, err)
@@ -22,6 +22,7 @@ import (
 	"code.gitea.io/gitea/modules/password"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/user"
 	"code.gitea.io/gitea/routers/api/v1/utils"
@@ -81,7 +82,6 @@ func CreateUser(ctx *context.APIContext) {
 		Email:              form.Email,
 		Passwd:             form.Password,
 		MustChangePassword: true,
-		IsActive:           true,
 		LoginType:          auth.Plain,
 	}
 	if form.MustChangePassword != nil {
@@ -107,11 +107,17 @@ func CreateUser(ctx *context.APIContext) {
 		return
 	}

-	var overwriteDefault *user_model.CreateUserOverwriteOptions
+	overwriteDefault := &user_model.CreateUserOverwriteOptions{
+		IsActive: util.OptionalBoolTrue,
+	}
+
+	if form.Restricted != nil {
+		overwriteDefault.IsRestricted = util.OptionalBoolOf(*form.Restricted)
+	}
+
 	if form.Visibility != "" {
-		overwriteDefault = &user_model.CreateUserOverwriteOptions{
-			Visibility: api.VisibilityModes[form.Visibility],
-		}
+		visibility := api.VisibilityModes[form.Visibility]
+		overwriteDefault.Visibility = &visibility
 	}

 	if err := user_model.CreateUser(u, overwriteDefault); err != nil {
@@ -35,6 +35,8 @@ func createContext(req *http.Request) (*context.Context, *httptest.ResponseRecor
 		Render: rnd,
 		Data:   make(map[string]interface{}),
 	}
+	defer c.Close()
+
 	return c, resp
 }

@@ -214,7 +214,7 @@ func ReadRepoNotifications(ctx *context.APIContext) {
 		targetStatus = models.NotificationStatusRead
 	}

-	changed := make([]*structs.NotificationThread, len(nl))
+	changed := make([]*structs.NotificationThread, 0, len(nl))

 	for _, n := range nl {
 		notif, err := models.SetNotificationStatus(n.ID, ctx.User, targetStatus)
@@ -177,23 +177,18 @@ func CreateBranch(ctx *context.APIContext) {
 	}

 	err := repo_service.CreateNewBranch(ctx.User, ctx.Repo.Repository, opt.OldBranchName, opt.BranchName)
-
 	if err != nil {
 		if models.IsErrBranchDoesNotExist(err) {
 			ctx.Error(http.StatusNotFound, "", "The old branch does not exist")
 		}
 		if models.IsErrTagAlreadyExists(err) {
 			ctx.Error(http.StatusConflict, "", "The branch with the same tag already exists.")
-
 		} else if models.IsErrBranchAlreadyExists(err) || git.IsErrPushOutOfDate(err) {
 			ctx.Error(http.StatusConflict, "", "The branch already exists.")
-
 		} else if models.IsErrBranchNameConflict(err) {
 			ctx.Error(http.StatusConflict, "", "The branch with the same name already exists.")
-
 		} else {
 			ctx.Error(http.StatusInternalServerError, "CreateRepoBranch", err)
-
 		}
 		return
 	}
@@ -263,10 +258,15 @@ func ListBranches(ctx *context.APIContext) {
 		return
 	}

-	apiBranches := make([]*api.Branch, len(branches))
+	apiBranches := make([]*api.Branch, 0, len(branches))
 	for i := range branches {
 		c, err := branches[i].GetCommit()
 		if err != nil {
+			// Skip if this branch doesn't exist anymore.
+			if git.IsErrNotExist(err) {
+				totalNumOfBranches--
+				continue
+			}
 			ctx.Error(http.StatusInternalServerError, "GetCommit", err)
 			return
 		}
@@ -275,11 +275,12 @@ func ListBranches(ctx *context.APIContext) {
 			ctx.Error(http.StatusInternalServerError, "GetBranchProtection", err)
 			return
 		}
-		apiBranches[i], err = convert.ToBranch(ctx.Repo.Repository, branches[i], c, branchProtection, ctx.User, ctx.Repo.IsAdmin())
+		apiBranch, err := convert.ToBranch(ctx.Repo.Repository, branches[i], c, branchProtection, ctx.User, ctx.Repo.IsAdmin())
 		if err != nil {
 			ctx.Error(http.StatusInternalServerError, "convert.ToBranch", err)
 			return
 		}
+		apiBranches = append(apiBranches, apiBranch)
 	}

 	ctx.SetLinkHeader(totalNumOfBranches, listOptions.PageSize)
@@ -532,7 +533,6 @@ func CreateBranchProtection(ctx *context.APIContext) {
 	}

 	ctx.JSON(http.StatusCreated, convert.ToBranchProtection(bp))
-
 }

 // EditBranchProtection edits a branch protection for a repo
@@ -173,6 +173,7 @@ func SearchIssues(ctx *context.APIContext) {
 		opts.TeamID = team.ID
 	}

+	repoCond := models.SearchRepositoryCondition(opts)
 	repoIDs, _, err := models.SearchRepositoryIDs(opts)
 	if err != nil {
 		ctx.Error(http.StatusInternalServerError, "SearchRepositoryByName", err)
@@ -233,7 +234,7 @@ func SearchIssues(ctx *context.APIContext) {
 				Page:     ctx.FormInt("page"),
 				PageSize: limit,
 			},
-			RepoIDs:            repoIDs,
+			RepoCond:           repoCond,
 			IsClosed:           isClosed,
 			IssueIDs:           issueIDs,
 			IncludedLabelNames: includedLabelNames,
@@ -460,7 +461,7 @@ func ListIssues(ctx *context.APIContext) {
 	if len(keyword) == 0 || len(issueIDs) > 0 || len(labelIDs) > 0 {
 		issuesOpt := &models.IssuesOptions{
 			ListOptions:       listOptions,
-			RepoIDs:           []int64{ctx.Repo.Repository.ID},
+			RepoID:            ctx.Repo.Repository.ID,
 			IsClosed:          isClosed,
 			IssueIDs:          issueIDs,
 			LabelIDs:          labelIDs,
@@ -160,7 +160,7 @@ func Search(ctx *context.APIContext) {
 		opts.Collaborate = util.OptionalBoolFalse
 	}

-	var mode = ctx.FormString("mode")
+	mode := ctx.FormString("mode")
 	switch mode {
 	case "source":
 		opts.Fork = util.OptionalBoolFalse
@@ -186,9 +186,9 @@ func Search(ctx *context.APIContext) {
 		opts.IsPrivate = util.OptionalBoolOf(ctx.FormBool("is_private"))
 	}

-	var sortMode = ctx.FormString("sort")
+	sortMode := ctx.FormString("sort")
 	if len(sortMode) > 0 {
-		var sortOrder = ctx.FormString("order")
+		sortOrder := ctx.FormString("order")
 		if len(sortOrder) == 0 {
 			sortOrder = "asc"
 		}
@@ -264,7 +264,8 @@ func CreateUserRepo(ctx *context.APIContext, owner *user_model.User, opt api.Cre
 		if repo_model.IsErrRepoAlreadyExist(err) {
 			ctx.Error(http.StatusConflict, "", "The repository with the same name already exists.")
 		} else if db.IsErrNameReserved(err) ||
-			db.IsErrNamePatternNotAllowed(err) {
+			db.IsErrNamePatternNotAllowed(err) ||
+			models.IsErrIssueLabelTemplateLoad(err) {
 			ctx.Error(http.StatusUnprocessableEntity, "", err)
 		} else {
 			ctx.Error(http.StatusInternalServerError, "CreateRepository", err)
@@ -84,6 +84,8 @@ func Init(next http.Handler) http.Handler {
 				"PasswordHashAlgorithms": user_model.AvailableHashAlgorithms,
 			},
 		}
+		defer ctx.Close()
+
 		for _, lang := range translation.AllLangs() {
 			if lang.Lang == locale.Language() {
 				ctx.Data["LangName"] = lang.Name
@@ -508,13 +510,17 @@ func SubmitInstall(ctx *context.Context) {
 	// Create admin account
 	if len(form.AdminName) > 0 {
 		u := &user_model.User{
-			Name:     form.AdminName,
-			Email:    form.AdminEmail,
-			Passwd:   form.AdminPasswd,
-			IsAdmin:  true,
-			IsActive: true,
+			Name:    form.AdminName,
+			Email:   form.AdminEmail,
+			Passwd:  form.AdminPasswd,
+			IsAdmin: true,
 		}
-		if err = user_model.CreateUser(u); err != nil {
+		overwriteDefault := &user_model.CreateUserOverwriteOptions{
+			IsRestricted: util.OptionalBoolFalse,
+			IsActive:     util.OptionalBoolTrue,
+		}
+
+		if err = user_model.CreateUser(u, overwriteDefault); err != nil {
 			if !user_model.IsErrUserAlreadyExist(err) {
 				setting.InstallLock = false
 				ctx.Data["Err_AdminName"] = true
@@ -112,7 +112,7 @@ func NewAuthSource(ctx *context.Context) {
 	ctx.Data["SSPIDefaultLanguage"] = ""

 	// only the first as default
-	ctx.Data["oauth2_provider"] = oauth2providers[0].Name
+	ctx.Data["oauth2_provider"] = oauth2providers[0].Name()

 	ctx.HTML(http.StatusOK, tplAuthNew)
 }
@@ -125,10 +125,14 @@ func NewUserPost(ctx *context.Context) {
 		Name:      form.UserName,
 		Email:     form.Email,
 		Passwd:    form.Password,
-		IsActive:  true,
 		LoginType: auth.Plain,
 	}

+	overwriteDefault := &user_model.CreateUserOverwriteOptions{
+		IsActive:   util.OptionalBoolTrue,
+		Visibility: &form.Visibility,
+	}
+
 	if len(form.LoginType) > 0 {
 		fields := strings.Split(form.LoginType, "-")
 		if len(fields) == 2 {
@@ -163,7 +167,7 @@ func NewUserPost(ctx *context.Context) {
 		u.MustChangePassword = form.MustChangePassword
 	}

-	if err := user_model.CreateUser(u, &user_model.CreateUserOverwriteOptions{Visibility: form.Visibility}); err != nil {
+	if err := user_model.CreateUser(u, overwriteDefault); err != nil {
 		switch {
 		case user_model.IsErrUserAlreadyExist(err):
 			ctx.Data["Err_UserName"] = true
@@ -507,14 +507,12 @@ func SignUpPost(ctx *context.Context) {
 	}

 	u := &user_model.User{
-		Name:         form.UserName,
-		Email:        form.Email,
-		Passwd:       form.Password,
-		IsActive:     !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),
-		IsRestricted: setting.Service.DefaultUserIsRestricted,
+		Name:   form.UserName,
+		Email:  form.Email,
+		Passwd: form.Password,
 	}

-	if !createAndHandleCreatedUser(ctx, tplSignUp, form, u, nil, false) {
+	if !createAndHandleCreatedUser(ctx, tplSignUp, form, u, nil, nil, false) {
 		// error already handled
 		return
 	}
@@ -525,8 +523,8 @@ func SignUpPost(ctx *context.Context) {

 // createAndHandleCreatedUser calls createUserInContext and
 // then handleUserCreated.
-func createAndHandleCreatedUser(ctx *context.Context, tpl base.TplName, form interface{}, u *user_model.User, gothUser *goth.User, allowLink bool) bool {
-	if !createUserInContext(ctx, tpl, form, u, gothUser, allowLink) {
+func createAndHandleCreatedUser(ctx *context.Context, tpl base.TplName, form interface{}, u *user_model.User, overwrites *user_model.CreateUserOverwriteOptions, gothUser *goth.User, allowLink bool) bool {
+	if !createUserInContext(ctx, tpl, form, u, overwrites, gothUser, allowLink) {
 		return false
 	}
 	return handleUserCreated(ctx, u, gothUser)
@@ -534,8 +532,8 @@ func createAndHandleCreatedUser(ctx *context.Context, tpl base.TplName, form int

 // createUserInContext creates a user and handles errors within a given context.
 // Optionally a template can be specified.
-func createUserInContext(ctx *context.Context, tpl base.TplName, form interface{}, u *user_model.User, gothUser *goth.User, allowLink bool) (ok bool) {
-	if err := user_model.CreateUser(u); err != nil {
+func createUserInContext(ctx *context.Context, tpl base.TplName, form interface{}, u *user_model.User, overwrites *user_model.CreateUserOverwriteOptions, gothUser *goth.User, allowLink bool) (ok bool) {
+	if err := user_model.CreateUser(u, overwrites); err != nil {
 		if allowLink && (user_model.IsErrUserAlreadyExist(err) || user_model.IsErrEmailAlreadyUsed(err)) {
 			if setting.OAuth2Client.AccountLinking == setting.OAuth2AccountLinkingAuto {
 				var user *user_model.User
@@ -285,13 +285,12 @@ func LinkAccountPostRegister(ctx *context.Context) {
 		Name:        form.UserName,
 		Email:       form.Email,
 		Passwd:      form.Password,
-		IsActive:    !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),
 		LoginType:   auth.OAuth2,
 		LoginSource: authSource.ID,
 		LoginName:   gothUser.UserID,
 	}

-	if !createAndHandleCreatedUser(ctx, tplLinkAccount, form, u, &gothUser, false) {
+	if !createAndHandleCreatedUser(ctx, tplLinkAccount, form, u, nil, &gothUser, false) {
 		// error already handled
 		return
 	}
@@ -25,6 +25,7 @@ import (
 	"code.gitea.io/gitea/modules/session"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/timeutil"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/modules/web/middleware"
 	auth_service "code.gitea.io/gitea/services/auth"
@@ -872,19 +873,21 @@ func SignInOAuthCallback(ctx *context.Context) {
 				return
 			}
 			u = &user_model.User{
-				Name:         getUserName(&gothUser),
-				FullName:     gothUser.Name,
-				Email:        gothUser.Email,
-				IsActive:     !setting.OAuth2Client.RegisterEmailConfirm,
-				LoginType:    auth.OAuth2,
-				LoginSource:  authSource.ID,
-				LoginName:    gothUser.UserID,
-				IsRestricted: setting.Service.DefaultUserIsRestricted,
+				Name:        getUserName(&gothUser),
+				FullName:    gothUser.Name,
+				Email:       gothUser.Email,
+				LoginType:   auth.OAuth2,
+				LoginSource: authSource.ID,
+				LoginName:   gothUser.UserID,
+			}
+
+			overwriteDefault := &user_model.CreateUserOverwriteOptions{
+				IsActive: util.OptionalBoolOf(!setting.OAuth2Client.RegisterEmailConfirm),
 			}

 			setUserGroupClaims(authSource, u, &gothUser)

-			if !createAndHandleCreatedUser(ctx, base.TplName(""), nil, u, &gothUser, setting.OAuth2Client.AccountLinking != setting.OAuth2AccountLinkingDisabled) {
+			if !createAndHandleCreatedUser(ctx, base.TplName(""), nil, u, overwriteDefault, &gothUser, setting.OAuth2Client.AccountLinking != setting.OAuth2AccountLinkingDisabled) {
 				// error already handled
 				return
 			}
@@ -425,12 +425,11 @@ func RegisterOpenIDPost(ctx *context.Context) {
 	}

 	u := &user_model.User{
-		Name:     form.UserName,
-		Email:    form.Email,
-		Passwd:   password,
-		IsActive: !(setting.Service.RegisterEmailConfirm || setting.Service.RegisterManualConfirm),
+		Name:   form.UserName,
+		Email:  form.Email,
+		Passwd: password,
 	}
-	if !createUserInContext(ctx, tplSignUpOID, form, u, nil, false) {
+	if !createUserInContext(ctx, tplSignUpOID, form, u, nil, nil, false) {
 		// error already handled
 		return
 	}
@@ -34,6 +34,9 @@ func RetrieveFeeds(ctx *context.Context, options models.GetFeedsOptions) []*mode
 	}

 	for _, act := range actions {
+		if act.Repo == nil {
+			continue
+		}
 		repoOwner, ok := userCache[act.Repo.OwnerID]
 		if !ok {
 			repoOwner, err = user_model.GetUserByID(act.Repo.OwnerID)
@@ -226,7 +226,7 @@ func issues(ctx *context.Context, milestoneID, projectID int64, isPullOption uti
 				Page:     pager.Paginater.Current(),
 				PageSize: setting.UI.IssuePagingNum,
 			},
-			RepoIDs:           []int64{repo.ID},
+			RepoID:            repo.ID,
 			AssigneeID:        assigneeID,
 			PosterID:          posterID,
 			MentionedID:       mentionedID,
@@ -279,7 +279,9 @@ func NewRelease(ctx *context.Context) {
 			}

 			ctx.Data["tag_name"] = rel.TagName
-			ctx.Data["tag_target"] = rel.Target
+			if rel.Target != "" {
+				ctx.Data["tag_target"] = rel.Target
+			}
 			ctx.Data["title"] = rel.Title
 			ctx.Data["content"] = rel.Note
 			ctx.Data["attachments"] = rel.Attachments
@@ -191,7 +191,10 @@ func renderViewPage(ctx *context.Context) (*git.Repository, *git.TreeEntry) {
 	ctx.Data["title"] = pageName
 	ctx.Data["RequireHighlightJS"] = true

-	//lookup filename in wiki - get filecontent, gitTree entry , real filename
+	isSideBar := pageName == "_Sidebar"
+	isFooter := pageName == "_Footer"
+
+	// lookup filename in wiki - get filecontent, gitTree entry , real filename
 	data, entry, pageFilename, noEntry := wikiContentsByName(ctx, commit, pageName)
 	if noEntry {
 		ctx.Redirect(ctx.Repo.RepoLink + "/wiki/?action=_pages")
@@ -203,23 +206,33 @@ func renderViewPage(ctx *context.Context) (*git.Repository, *git.TreeEntry) {
 		return nil, nil
 	}

-	sidebarContent, _, _, _ := wikiContentsByName(ctx, commit, "_Sidebar")
-	if ctx.Written() {
-		if wikiRepo != nil {
-			wikiRepo.Close()
+	var sidebarContent []byte
+	if !isSideBar {
+		sidebarContent, _, _, _ = wikiContentsByName(ctx, commit, "_Sidebar")
+		if ctx.Written() {
+			if wikiRepo != nil {
+				wikiRepo.Close()
+			}
+			return nil, nil
 		}
-		return nil, nil
+	} else {
+		sidebarContent = data
 	}

-	footerContent, _, _, _ := wikiContentsByName(ctx, commit, "_Footer")
-	if ctx.Written() {
-		if wikiRepo != nil {
-			wikiRepo.Close()
+	var footerContent []byte
+	if !isFooter {
+		footerContent, _, _, _ = wikiContentsByName(ctx, commit, "_Footer")
+		if ctx.Written() {
+			if wikiRepo != nil {
+				wikiRepo.Close()
+			}
+			return nil, nil
 		}
-		return nil, nil
+	} else {
+		footerContent = data
 	}

-	var rctx = &markup.RenderContext{
+	rctx := &markup.RenderContext{
 		URLPrefix: ctx.Repo.RepoLink,
 		Metas:     ctx.Repo.Repository.ComposeDocumentMetas(),
 		IsWiki:    true,
@@ -236,27 +249,35 @@ func renderViewPage(ctx *context.Context) (*git.Repository, *git.TreeEntry) {

 	ctx.Data["EscapeStatus"], ctx.Data["content"] = charset.EscapeControlString(buf.String())

-	buf.Reset()
-	if err := markdown.Render(rctx, bytes.NewReader(sidebarContent), &buf); err != nil {
-		if wikiRepo != nil {
-			wikiRepo.Close()
+	if !isSideBar {
+		buf.Reset()
+		if err := markdown.Render(rctx, bytes.NewReader(sidebarContent), &buf); err != nil {
+			if wikiRepo != nil {
+				wikiRepo.Close()
+			}
+			ctx.ServerError("Render", err)
+			return nil, nil
 		}
-		ctx.ServerError("Render", err)
-		return nil, nil
+		ctx.Data["sidebarPresent"] = sidebarContent != nil
+		ctx.Data["sidebarEscapeStatus"], ctx.Data["sidebarContent"] = charset.EscapeControlString(buf.String())
+	} else {
+		ctx.Data["sidebarPresent"] = false
 	}
-	ctx.Data["sidebarPresent"] = sidebarContent != nil
-	ctx.Data["sidebarEscapeStatus"], ctx.Data["sidebarContent"] = charset.EscapeControlString(buf.String())

-	buf.Reset()
-	if err := markdown.Render(rctx, bytes.NewReader(footerContent), &buf); err != nil {
-		if wikiRepo != nil {
-			wikiRepo.Close()
+	if !isFooter {
+		buf.Reset()
+		if err := markdown.Render(rctx, bytes.NewReader(footerContent), &buf); err != nil {
+			if wikiRepo != nil {
+				wikiRepo.Close()
+			}
+			ctx.ServerError("Render", err)
+			return nil, nil
 		}
-		ctx.ServerError("Render", err)
-		return nil, nil
+		ctx.Data["footerPresent"] = footerContent != nil
+		ctx.Data["footerEscapeStatus"], ctx.Data["footerContent"] = charset.EscapeControlString(buf.String())
+	} else {
+		ctx.Data["footerPresent"] = false
 	}
-	ctx.Data["footerPresent"] = footerContent != nil
-	ctx.Data["footerEscapeStatus"], ctx.Data["footerContent"] = charset.EscapeControlString(buf.String())

 	// get commit count - wiki revisions
 	commitsCount, _ := wikiRepo.FileCommitsCount("master", pageFilename)
@@ -290,7 +311,7 @@ func renderRevisionPage(ctx *context.Context) (*git.Repository, *git.TreeEntry)
 	ctx.Data["Username"] = ctx.Repo.Owner.Name
 	ctx.Data["Reponame"] = ctx.Repo.Repository.Name

-	//lookup filename in wiki - get filecontent, gitTree entry , real filename
+	// lookup filename in wiki - get filecontent, gitTree entry , real filename
 	data, entry, pageFilename, noEntry := wikiContentsByName(ctx, commit, pageName)
 	if noEntry {
 		ctx.Redirect(ctx.Repo.RepoLink + "/wiki/?action=_pages")
@@ -364,7 +385,7 @@ func renderEditPage(ctx *context.Context) {
 	ctx.Data["title"] = pageName
 	ctx.Data["RequireHighlightJS"] = true

-	//lookup filename in wiki - get filecontent, gitTree entry , real filename
+	// lookup filename in wiki - get filecontent, gitTree entry , real filename
 	data, entry, _, noEntry := wikiContentsByName(ctx, commit, pageName)
 	if noEntry {
 		ctx.Redirect(ctx.Repo.RepoLink + "/wiki/?action=_pages")
@@ -442,12 +442,13 @@ func buildIssueOverview(ctx *context.Context, unitType unit.Type) {
 		AllLimited: false,
 	}

-	if ctxUser.IsOrganization() && ctx.Org.Team != nil {
-		repoOpts.TeamID = ctx.Org.Team.ID
+	if team != nil {
+		repoOpts.TeamID = team.ID
 	}

 	switch filterMode {
 	case models.FilterModeAll:
+	case models.FilterModeYourRepositories:
 	case models.FilterModeAssign:
 		opts.AssigneeID = ctx.User.ID
 	case models.FilterModeCreate:
@@ -456,19 +457,6 @@ func buildIssueOverview(ctx *context.Context, unitType unit.Type) {
 		opts.MentionedID = ctx.User.ID
 	case models.FilterModeReviewRequested:
 		opts.ReviewRequestedID = ctx.User.ID
-	case models.FilterModeYourRepositories:
-		if ctxUser.IsOrganization() && ctx.Org.Team != nil {
-			// Fixes a issue whereby the user's ID would be used
-			// to check if it's in the team(which possible isn't the case).
-			opts.User = nil
-		}
-		userRepoIDs, _, err := models.SearchRepositoryIDs(repoOpts)
-		if err != nil {
-			ctx.ServerError("models.SearchRepositoryIDs: %v", err)
-			return
-		}
-
-		opts.RepoIDs = userRepoIDs
 	}

 	// keyword holds the search term entered into the search field.
@@ -532,7 +520,7 @@ func buildIssueOverview(ctx *context.Context, unitType unit.Type) {
 	// Gets set when clicking filters on the issues overview page.
 	repoIDs := getRepoIDs(ctx.FormString("repos"))
 	if len(repoIDs) > 0 {
-		opts.RepoIDs = repoIDs
+		opts.RepoCond = builder.In("issue.repo_id", repoIDs)
 	}

 	// ------------------------------
@@ -600,13 +588,6 @@ func buildIssueOverview(ctx *context.Context, unitType unit.Type) {
 			Org:        org,
 			Team:       team,
 		}
-		if filterMode == models.FilterModeYourRepositories {
-			statsOpts.RepoCond = models.SearchRepositoryCondition(repoOpts)
-		}
-		// Detect when we only should search by team.
-		if opts.User == nil {
-			statsOpts.UserID = 0
-		}
 		issueStats, err = models.GetUserIssueStats(statsOpts)
 		if err != nil {
 			ctx.ServerError("GetUserIssueStats Shown", err)
@@ -12,6 +12,7 @@ import (
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web/middleware"
 	"code.gitea.io/gitea/services/mailer"

@@ -106,11 +107,15 @@ func (r *ReverseProxy) newUser(req *http.Request) *user_model.User {
 	}

 	user := &user_model.User{
-		Name:     username,
-		Email:    email,
-		IsActive: true,
+		Name:  username,
+		Email: email,
 	}
-	if err := user_model.CreateUser(user); err != nil {
+
+	overwriteDefault := user_model.CreateUserOverwriteOptions{
+		IsActive: util.OptionalBoolTrue,
+	}
+
+	if err := user_model.CreateUser(user, &overwriteDefault); err != nil {
 		// FIXME: should I create a system notice?
 		log.Error("CreateUser: %v", err)
 		return nil
@@ -12,6 +12,7 @@ import (
 	"code.gitea.io/gitea/models/auth"
 	"code.gitea.io/gitea/models/db"
 	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/services/mailer"
 	user_service "code.gitea.io/gitea/services/user"
 )
@@ -80,19 +81,21 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str
 	}

 	user = &user_model.User{
-		LowerName:    strings.ToLower(sr.Username),
-		Name:         sr.Username,
-		FullName:     composeFullName(sr.Name, sr.Surname, sr.Username),
-		Email:        sr.Mail,
-		LoginType:    source.authSource.Type,
-		LoginSource:  source.authSource.ID,
-		LoginName:    userName,
-		IsActive:     true,
-		IsAdmin:      sr.IsAdmin,
-		IsRestricted: sr.IsRestricted,
+		LowerName:   strings.ToLower(sr.Username),
+		Name:        sr.Username,
+		FullName:    composeFullName(sr.Name, sr.Surname, sr.Username),
+		Email:       sr.Mail,
+		LoginType:   source.authSource.Type,
+		LoginSource: source.authSource.ID,
+		LoginName:   userName,
+		IsAdmin:     sr.IsAdmin,
+	}
+	overwriteDefault := &user_model.CreateUserOverwriteOptions{
+		IsRestricted: util.OptionalBoolOf(sr.IsRestricted),
+		IsActive:     util.OptionalBoolTrue,
 	}

-	err := user_model.CreateUser(user)
+	err := user_model.CreateUser(user, overwriteDefault)
 	if err != nil {
 		return user, err
 	}
@@ -14,6 +14,7 @@ import (
 	"code.gitea.io/gitea/models/db"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/util"
 	user_service "code.gitea.io/gitea/services/user"
 )

@@ -99,19 +100,21 @@ func (source *Source) Sync(ctx context.Context, updateExisting bool) error {
 			log.Trace("SyncExternalUsers[%s]: Creating user %s", source.authSource.Name, su.Username)

 			usr = &user_model.User{
-				LowerName:    su.LowerName,
-				Name:         su.Username,
-				FullName:     fullName,
-				LoginType:    source.authSource.Type,
-				LoginSource:  source.authSource.ID,
-				LoginName:    su.Username,
-				Email:        su.Mail,
-				IsAdmin:      su.IsAdmin,
-				IsRestricted: su.IsRestricted,
-				IsActive:     true,
+				LowerName:   su.LowerName,
+				Name:        su.Username,
+				FullName:    fullName,
+				LoginType:   source.authSource.Type,
+				LoginSource: source.authSource.ID,
+				LoginName:   su.Username,
+				Email:       su.Mail,
+				IsAdmin:     su.IsAdmin,
+			}
+			overwriteDefault := &user_model.CreateUserOverwriteOptions{
+				IsRestricted: util.OptionalBoolOf(su.IsRestricted),
+				IsActive:     util.OptionalBoolTrue,
 			}

-			err = user_model.CreateUser(usr)
+			err = user_model.CreateUser(usr, overwriteDefault)

 			if err != nil {
 				log.Error("SyncExternalUsers[%s]: Error creating user %s: %v", source.authSource.Name, su.Username, err)
@@ -12,6 +12,7 @@ import (
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/auth/pam"
 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/services/mailer"

 	"github.com/google/uuid"
@@ -58,10 +59,12 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str
 		LoginType:   auth.PAM,
 		LoginSource: source.authSource.ID,
 		LoginName:   userName, // This is what the user typed in
-		IsActive:    true,
+	}
+	overwriteDefault := &user_model.CreateUserOverwriteOptions{
+		IsActive: util.OptionalBoolTrue,
 	}

-	if err := user_model.CreateUser(user); err != nil {
+	if err := user_model.CreateUser(user, overwriteDefault); err != nil {
 		return user, err
 	}

@@ -74,10 +74,12 @@ func (source *Source) Authenticate(user *user_model.User, userName, password str
 		LoginType:   auth_model.SMTP,
 		LoginSource: source.authSource.ID,
 		LoginName:   userName,
-		IsActive:    true,
+	}
+	overwriteDefault := &user_model.CreateUserOverwriteOptions{
+		IsActive: util.OptionalBoolTrue,
 	}

-	if err := user_model.CreateUser(user); err != nil {
+	if err := user_model.CreateUser(user, overwriteDefault); err != nil {
 		return user, err
 	}

@@ -16,6 +16,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/templates"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web/middleware"
 	"code.gitea.io/gitea/services/auth/source/sspi"
 	"code.gitea.io/gitea/services/mailer"
@@ -187,17 +188,20 @@ func (s *SSPI) shouldAuthenticate(req *http.Request) (shouldAuth bool) {
 func (s *SSPI) newUser(username string, cfg *sspi.Source) (*user_model.User, error) {
 	email := gouuid.New().String() + "@localhost.localdomain"
 	user := &user_model.User{
-		Name:                         username,
-		Email:                        email,
-		KeepEmailPrivate:             true,
-		Passwd:                       gouuid.New().String(),
-		IsActive:                     cfg.AutoActivateUsers,
-		Language:                     cfg.DefaultLanguage,
-		UseCustomAvatar:              true,
-		Avatar:                       avatars.DefaultAvatarLink(),
-		EmailNotificationsPreference: user_model.EmailNotificationsDisabled,
+		Name:            username,
+		Email:           email,
+		Passwd:          gouuid.New().String(),
+		Language:        cfg.DefaultLanguage,
+		UseCustomAvatar: true,
+		Avatar:          avatars.DefaultAvatarLink(),
 	}
-	if err := user_model.CreateUser(user); err != nil {
+	emailNotificationPreference := user_model.EmailNotificationsDisabled
+	overwriteDefault := &user_model.CreateUserOverwriteOptions{
+		IsActive:                     util.OptionalBoolOf(cfg.AutoActivateUsers),
+		KeepEmailPrivate:             util.OptionalBoolTrue,
+		EmailNotificationsPreference: &emailNotificationPreference,
+	}
+	if err := user_model.CreateUser(user, overwriteDefault); err != nil {
 		return nil, err
 	}

@@ -7,6 +7,7 @@ package migrations

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -33,9 +34,7 @@ import (
 	gouuid "github.com/google/uuid"
 )

-var (
-	_ base.Uploader = &GiteaLocalUploader{}
-)
+var _ base.Uploader = &GiteaLocalUploader{}

 // GiteaLocalUploader implements an Uploader to gitea sites
 type GiteaLocalUploader struct {
@@ -159,7 +158,7 @@ func (g *GiteaLocalUploader) CreateTopics(topics ...string) error {

 // CreateMilestones creates milestones
 func (g *GiteaLocalUploader) CreateMilestones(milestones ...*base.Milestone) error {
-	var mss = make([]*models.Milestone, 0, len(milestones))
+	mss := make([]*models.Milestone, 0, len(milestones))
 	for _, milestone := range milestones {
 		var deadline timeutil.TimeStamp
 		if milestone.Deadline != nil {
@@ -182,7 +181,7 @@ func (g *GiteaLocalUploader) CreateMilestones(milestones ...*base.Milestone) err
 			milestone.Updated = &milestone.Created
 		}

-		var ms = models.Milestone{
+		ms := models.Milestone{
 			RepoID:       g.repo.ID,
 			Name:         milestone.Title,
 			Content:      milestone.Description,
@@ -210,7 +209,7 @@ func (g *GiteaLocalUploader) CreateMilestones(milestones ...*base.Milestone) err

 // CreateLabels creates labels
 func (g *GiteaLocalUploader) CreateLabels(labels ...*base.Label) error {
-	var lbs = make([]*models.Label, 0, len(labels))
+	lbs := make([]*models.Label, 0, len(labels))
 	for _, label := range labels {
 		lbs = append(lbs, &models.Label{
 			RepoID:      g.repo.ID,
@@ -232,7 +231,7 @@ func (g *GiteaLocalUploader) CreateLabels(labels ...*base.Label) error {

 // CreateReleases creates releases
 func (g *GiteaLocalUploader) CreateReleases(releases ...*base.Release) error {
-	var rels = make([]*models.Release, 0, len(releases))
+	rels := make([]*models.Release, 0, len(releases))
 	for _, release := range releases {
 		if release.Created.IsZero() {
 			if !release.Published.IsZero() {
@@ -242,13 +241,12 @@ func (g *GiteaLocalUploader) CreateReleases(releases ...*base.Release) error {
 			}
 		}

-		var rel = models.Release{
+		rel := models.Release{
 			RepoID:       g.repo.ID,
 			TagName:      release.TagName,
 			LowerTagName: strings.ToLower(release.TagName),
 			Target:       release.TargetCommitish,
 			Title:        release.Name,
-			Sha1:         release.TargetCommitish,
 			Note:         release.Body,
 			IsDraft:      release.Draft,
 			IsPrerelease: release.Prerelease,
@@ -277,15 +275,18 @@ func (g *GiteaLocalUploader) CreateReleases(releases ...*base.Release) error {
 			rel.OriginalAuthorID = release.PublisherID
 		}

-		// calc NumCommits if no draft
-		if !release.Draft {
+		// calc NumCommits if possible
+		if rel.TagName != "" {
 			commit, err := g.gitRepo.GetTagCommit(rel.TagName)
-			if err != nil {
-				return fmt.Errorf("GetTagCommit[%v]: %v", rel.TagName, err)
-			}
-			rel.NumCommits, err = commit.CommitsCount()
-			if err != nil {
-				return fmt.Errorf("CommitsCount: %v", err)
+			if !errors.Is(err, git.ErrNotExist{}) {
+				if err != nil {
+					return fmt.Errorf("GetTagCommit[%v]: %v", rel.TagName, err)
+				}
+				rel.Sha1 = commit.ID.String()
+				rel.NumCommits, err = commit.CommitsCount()
+				if err != nil {
+					return fmt.Errorf("CommitsCount: %v", err)
+				}
 			}
 		}

@@ -297,7 +298,7 @@ func (g *GiteaLocalUploader) CreateReleases(releases ...*base.Release) error {
 					asset.Created = release.Created
 				}
 			}
-			var attach = repo_model.Attachment{
+			attach := repo_model.Attachment{
 				UUID:          gouuid.New().String(),
 				Name:          asset.Name,
 				DownloadCount: int64(*asset.DownloadCount),
@@ -348,7 +349,7 @@ func (g *GiteaLocalUploader) SyncTags() error {

 // CreateIssues creates issues
 func (g *GiteaLocalUploader) CreateIssues(issues ...*base.Issue) error {
-	var iss = make([]*models.Issue, 0, len(issues))
+	iss := make([]*models.Issue, 0, len(issues))
 	for _, issue := range issues {
 		var labels []*models.Label
 		for _, label := range issue.Labels {
@@ -381,7 +382,7 @@ func (g *GiteaLocalUploader) CreateIssues(issues ...*base.Issue) error {
 			}
 		}

-		var is = models.Issue{
+		is := models.Issue{
 			RepoID:      g.repo.ID,
 			Repo:        g.repo,
 			Index:       issue.Number,
@@ -433,7 +434,7 @@ func (g *GiteaLocalUploader) CreateIssues(issues ...*base.Issue) error {
 					g.userMap[reaction.UserID] = userid
 				}
 			}
-			var res = models.Reaction{
+			res := models.Reaction{
 				Type:        reaction.Content,
 				CreatedUnix: timeutil.TimeStampNow(),
 			}
@@ -464,7 +465,7 @@ func (g *GiteaLocalUploader) CreateIssues(issues ...*base.Issue) error {

 // CreateComments creates comments of issues
 func (g *GiteaLocalUploader) CreateComments(comments ...*base.Comment) error {
-	var cms = make([]*models.Comment, 0, len(comments))
+	cms := make([]*models.Comment, 0, len(comments))
 	for _, comment := range comments {
 		var issue *models.Issue
 		issueInter, ok := g.issues.Load(comment.IssueIndex)
@@ -528,7 +529,7 @@ func (g *GiteaLocalUploader) CreateComments(comments ...*base.Comment) error {
 					g.userMap[reaction.UserID] = userid
 				}
 			}
-			var res = models.Reaction{
+			res := models.Reaction{
 				Type:        reaction.Content,
 				CreatedUnix: timeutil.TimeStampNow(),
 			}
@@ -553,7 +554,7 @@ func (g *GiteaLocalUploader) CreateComments(comments ...*base.Comment) error {

 // CreatePullRequests creates pull requests
 func (g *GiteaLocalUploader) CreatePullRequests(prs ...*base.PullRequest) error {
-	var gprs = make([]*models.PullRequest, 0, len(prs))
+	gprs := make([]*models.PullRequest, 0, len(prs))
 	for _, pr := range prs {
 		gpr, err := g.newPullRequest(pr)
 		if err != nil {
@@ -652,7 +653,7 @@ func (g *GiteaLocalUploader) newPullRequest(pr *base.PullRequest) (*models.PullR
 		return nil, err
 	}

-	var head = "unknown repository"
+	head := "unknown repository"
 	if pr.IsForkPullRequest() && pr.State != "closed" {
 		if pr.Head.OwnerName != "" {
 			remote := pr.Head.OwnerName
@@ -669,7 +670,7 @@ func (g *GiteaLocalUploader) newPullRequest(pr *base.PullRequest) (*models.PullR
 			}

 			if ok {
-				_, err = git.NewCommand("fetch", remote, pr.Head.Ref).RunInDir(g.repo.RepoPath())
+				_, err = git.NewCommandContext(g.ctx, "fetch", "--no-tags", "--", remote, pr.Head.Ref).RunInDir(g.repo.RepoPath())
 				if err != nil {
 					log.Error("Fetch branch from %s failed: %v", pr.Head.CloneURL, err)
 				} else {
@@ -723,7 +724,7 @@ func (g *GiteaLocalUploader) newPullRequest(pr *base.PullRequest) (*models.PullR
 		pr.Updated = pr.Created
 	}

-	var issue = models.Issue{
+	issue := models.Issue{
 		RepoID:      g.repo.ID,
 		Repo:        g.repo,
 		Title:       pr.Title,
@@ -773,7 +774,7 @@ func (g *GiteaLocalUploader) newPullRequest(pr *base.PullRequest) (*models.PullR
 				g.userMap[reaction.UserID] = userid
 			}
 		}
-		var res = models.Reaction{
+		res := models.Reaction{
 			Type:        reaction.Content,
 			CreatedUnix: timeutil.TimeStampNow(),
 		}
@@ -787,7 +788,7 @@ func (g *GiteaLocalUploader) newPullRequest(pr *base.PullRequest) (*models.PullR
 		issue.Reactions = append(issue.Reactions, &res)
 	}

-	var pullRequest = models.PullRequest{
+	pullRequest := models.PullRequest{
 		HeadRepoID: g.repo.ID,
 		HeadBranch: head,
 		BaseRepoID: g.repo.ID,
@@ -830,7 +831,7 @@ func convertReviewState(state string) models.ReviewType {

 // CreateReviews create pull request reviews
 func (g *GiteaLocalUploader) CreateReviews(reviews ...*base.Review) error {
-	var cms = make([]*models.Review, 0, len(reviews))
+	cms := make([]*models.Review, 0, len(reviews))
 	for _, review := range reviews {
 		var issue *models.Issue
 		issueInter, ok := g.issues.Load(review.IssueIndex)
@@ -862,7 +863,7 @@ func (g *GiteaLocalUploader) CreateReviews(reviews ...*base.Review) error {
 			review.CreatedAt = time.Unix(int64(issue.CreatedUnix), 0)
 		}

-		var cm = models.Review{
+		cm := models.Review{
 			Type:        convertReviewState(review.State),
 			IssueID:     issue.ID,
 			Content:     review.Content,
@@ -926,7 +927,7 @@ func (g *GiteaLocalUploader) CreateReviews(reviews ...*base.Review) error {
 				comment.UpdatedAt = comment.CreatedAt
 			}

-			var c = models.Comment{
+			c := models.Comment{
 				Type:        models.CommentTypeCode,
 				PosterID:    comment.PosterID,
 				IssueID:     issue.ID,
@@ -97,7 +97,7 @@ func TestGiteaUploadRepo(t *testing.T) {
 	assert.Len(t, releases, 1)

 	issues, err := models.Issues(&models.IssuesOptions{
-		RepoIDs:  []int64{repo.ID},
+		RepoID:   repo.ID,
 		IsPull:   util.OptionalBoolFalse,
 		SortType: "oldest",
 	})
@@ -81,10 +81,9 @@ func IsMigrateURLAllowed(remoteURL string, doer *user_model.User) error {
 		err = nil //nolint
 		hostName = u.Host
 	}
-	addrList, err := net.LookupIP(hostName)
-	if err != nil {
-		return &models.ErrInvalidCloneAddr{Host: u.Host, NotResolvedIP: true}
-	}
+
+	// some users only use proxy, there is no DNS resolver. it's safe to ignore the LookupIP error
+	addrList, _ := net.LookupIP(hostName)

 	var ipAllowed bool
 	var ipBlocked bool
@@ -32,8 +32,8 @@ import (
 var prQueue queue.UniqueQueue

 var (
-	ErrIsClosed              = errors.New("pull is cosed")
-	ErrUserNotAllowedToMerge = errors.New("user not allowed to merge")
+	ErrIsClosed              = errors.New("pull is closed")
+	ErrUserNotAllowedToMerge = models.ErrNotAllowedToMerge{}
 	ErrHasMerged             = errors.New("has already been merged")
 	ErrIsWorkInProgress      = errors.New("work in progress PRs cannot be merged")
 	ErrIsChecking            = errors.New("cannot merge while conflict checking is in progress")
@@ -96,10 +96,10 @@ func CheckPullMergable(ctx context.Context, doer *user_model.User, perm *models.
 	if err := CheckPRReadyToMerge(pr, false); err != nil {
 		if models.IsErrNotAllowedToMerge(err) {
 			if force {
-				if isRepoAdmin, err := models.IsUserRepoAdmin(pr.BaseRepo, doer); err != nil {
-					return err
+				if isRepoAdmin, err2 := models.IsUserRepoAdmin(pr.BaseRepo, doer); err2 != nil {
+					return err2
 				} else if !isRepoAdmin {
-					return ErrUserNotAllowedToMerge
+					return err
 				}
 			}
 		} else {
@@ -431,14 +431,16 @@ func checkConflicts(pr *models.PullRequest, gitRepo *git.Repository, tmpBasePath
 				return nil
 			})

-	// 8. If there is a conflict the `git apply` command will return a non-zero error code - so there will be a positive error.
-	if err != nil {
+	// 9. Check if the found conflictedfiles is non-zero, "err" could be non-nil, so we should ignore it if we found conflicts.
+	// Note: `"err" could be non-nil` is due that if enable 3-way merge, it doesn't return any error on found conflicts.
+	if len(pr.ConflictedFiles) > 0 {
 		if conflict {
 			pr.Status = models.PullRequestStatusConflict
 			log.Trace("Found %d files conflicted: %v", len(pr.ConflictedFiles), pr.ConflictedFiles)

 			return true, nil
 		}
+	} else if err != nil {
 		return false, fmt.Errorf("git apply --check: %v", err)
 	}
 	return false, nil
@@ -169,7 +169,7 @@ func doArchive(r *ArchiveRequest) (*repo_model.RepoArchiver, error) {
 		w.Close()
 		rd.Close()
 	}()
-	var done = make(chan error)
+	done := make(chan error, 1) // Ensure that there is some capacity which will ensure that the goroutine below can always finish
 	repo, err := repo_model.GetRepositoryByID(archiver.RepoID)
 	if err != nil {
 		return nil, fmt.Errorf("archiver.LoadRepo failed: %v", err)
@@ -35,7 +35,7 @@ func CreateNewBranch(doer *user_model.User, repo *repo_model.Repository, oldBran

 	if err := git.Push(git.DefaultContext, repo.RepoPath(), git.PushOptions{
 		Remote: repo.RepoPath(),
-		Branch: fmt.Sprintf("%s:%s%s", oldBranchName, git.BranchPrefix, branchName),
+		Branch: fmt.Sprintf("%s%s:%s%s", git.BranchPrefix, oldBranchName, git.BranchPrefix, branchName),
 		Env:    models.PushingEnvironment(doer, repo),
 	}); err != nil {
 		if git.IsErrPushOutOfDate(err) || git.IsErrPushRejected(err) {
@@ -14091,6 +14091,10 @@
          "type": "string",
          "x-go-name": "Password"
        },
+        "restricted": {
+          "type": "boolean",
+          "x-go-name": "Restricted"
+        },
        "send_notify": {
          "type": "boolean",
          "x-go-name": "SendNotify"
@@ -61,7 +61,7 @@
 							<a class="{{if not $.Team}}active selected{{end}} item" title="{{.i18n.Tr "all"}}" href="{{$.Org.OrganisationLink}}/{{if $.PageIsIssues}}issues{{else if $.PageIsPulls}}pulls{{else if $.PageIsMilestonesDashboard}}milestones{{else}}dashboard{{end}}">
 								{{.i18n.Tr "all"}}
 							</a>
-							{{range .OrgTeams}}
+							{{range .Teams}}
 								{{if not .IncludesAllRepositories}}
 									<a class="{{if $.Team}}{{if eq $.Team.ID .ID}}active selected{{end}}{{end}} item" title="{{.Name}}" href="{{$.Org.OrganisationLink}}/{{if $.PageIsIssues}}issues{{else if $.PageIsPulls}}pulls{{else if $.PageIsMilestonesDashboard}}milestones{{else}}dashboard{{end}}/{{.Name}}">
 										{{.Name}}
@@ -15,10 +15,6 @@ function selectRange($list, $select, $from) {
  const $issue = $('a.ref-in-new-issue');
  const $copyPermalink = $('a.copy-line-permalink');

-  if ($copyPermalink.length === 0) {
-    return;
-  }
-
  const updateIssueHref = function (anchor) {
    if ($issue.length === 0) {
      return;
@@ -29,6 +25,9 @@ function selectRange($list, $select, $from) {
  };

  const updateCopyPermalinkHref = function(anchor) {
+    if ($copyPermalink.length === 0) {
+      return;
+    }
    let link = $copyPermalink.attr('data-clipboard-text');
    link = `${link.replace(/#L\d+$|#L\d+-L\d+$/, '')}#${anchor}`;
    $copyPermalink.attr('data-clipboard-text', link);
@@ -52,7 +52,7 @@
 .chroma .ch { color: #6a737d; } /* CommentHashbang */
 .chroma .cm { color: #6a737d; } /* CommentMultiline */
 .chroma .c1 { color: #6a737d; } /* CommentSingle */
-.chroma .cs { color: #637d; } /* CommentSpecial */
+.chroma .cs { color: #95ad; } /* CommentSpecial */
 .chroma .cp { color: #fc6; } /* CommentPreproc */
 .chroma .cpf { color: #03dfff; } /* CommentPreprocFile */
 .chroma .gd { color: #fff; background-color: #5f3737; } /* GenericDeleted */
Author	SHA1	Message	Date
Lunny Xiao	09b76295f1	Add changelog for v1.16.8 (#19724 ) * Add changelog for v1.16.8 Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Gusted <williamzijl7@hotmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>	2022-05-16 19:27:23 +02:00
Gusted	38acce2f3f	Fix issue overview for teams (#19652 ) (#19653 ) - Backport #19652 - Don't use hacky solution to limit to the correct RepoID's, instead use current code to handle these limits. The existing code is more correct than the hacky solution. - Resolves #19636	2022-05-16 17:48:16 +08:00
6543	8f44d00f22	Delete user related oauth stuff on user deletion too (#19677 ) (#19680 ) Backport (#19677) * delete user related oauth stuff on user deletion too * extend doctor check-db-consistency * make it build for v1.16.x	2022-05-12 13:32:48 +02:00
Lunny Xiao	4386eb751f	Fix oauth setting list bug (#19681 )	2022-05-11 21:05:58 +08:00
Lunny Xiao	d6aab069ed	Fix new release from tags list UI (#19670 ) (#19673 )	2022-05-10 22:55:28 +02:00
singuliere	f4fb8dbc87	[doctor] Add check/fix for bogus action rows (#19656 ) (#19669 ) Co-authored-by: Loïc Dachary <loic@dachary.org> Conflicts: models/consistency_test.go trivial context conflict.	2022-05-10 16:05:34 +03:00
Lunny Xiao	c7c18e0eb2	Revert "Add finalizers to ensure that repos are closed and blobreaders are closed (#19495 ) (#19496 )" (#19659 ) This reverts commit `88da50674f`. because it caused a memleak	2022-05-09 13:03:44 +02:00
singuliere	0a2d618d85	GetFeeds must always discard actions with dangling repo_id (#19598 ) (#19629 ) Co-authored-by: Loïc Dachary <loic@dachary.org> (cherry picked from commit `b536b65189`) Conflicts: models/action_test.go The GetFeeds function does not have a Context argument in 1.16. models/action.go The SQL statement is essentially the same in 1.16 but structured differently. The Join() was copied and the created_unix field prefixed with `action`. models/action_list.go in 1.16 the loadRepoOwner method did not exist and it was done in the RetrieveFeeds method of web/feed/profile.go. The safeguard to skip when act.Repo == nil was moved there.	2022-05-08 15:05:40 +02:00
Jimmy Praet	c8a83ace59	Only show accessible teams in dashboard dropdown list (#19642 ) (#19645 ) Fixes #19637	2022-05-07 17:50:34 +02:00
techknowlogick	59d132f0b3	Set safe dir for git operations in .drone.yml CI (#19641 ) (#19643 ) Our drone by necessity runs on git repositories not owned by the drone process. Unfortunately this means that git operations and thence CI builds will fail without the `safe.directory` option being set. See: https://drone.gitea.io/go-gitea/gitea/54632/2/8	2022-05-06 14:09:54 -04:00
zeripath	18dd49a4ab	Prevent NPE when checking repo units if the user is nil (#19625 ) (#19630 ) Backport #19625 CheckRepoUnitUser should tolerate nil users. Fix #19613 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>	2022-05-06 18:01:08 +08:00
wxiaoguang	46637b1164	Call MultipartForm.RemoveAll when request finishes (#19606 ) (#19607 )	2022-05-05 16:13:59 +02:00
Eekle	7b18c67ac9	Make .cs highlighting legible on dark themes (#19604 ) (#19605 )	2022-05-04 18:45:00 +08:00
99rgosse	6eb3c05cb7	Avoid MoreThanOne Error (#19557 ) (#19591 ) Backport #19557	2022-05-03 20:36:58 +08:00
Gusted	82f24bedc2	Fix sending empty notifications (#19589 ) (#19590 ) - Backport #19589 - Don't send empty notifications on read notifications API.	2022-05-02 21:28:12 -05:00
zeripath	88da50674f	Add finalizers to ensure that repos are closed and blobreaders are closed (#19495 ) (#19496 ) It may be prudent to add runtime finalizers to the git.Repository and git.blobReader objects to absolutely ensure that these are both properly cancelled, cleaned and closed out. This commit is a backport of an extract from #19448 Signed-off-by: Andrew Thornton <art27@cantab.net>	2022-05-02 20:44:45 +08:00
wxiaoguang	35a7db49b4	ignore DNS error when doing migration allow/block check (#19567 ) Co-authored-by: Lauris BH <lauris@nix.lv>	2022-05-02 08:11:45 +03:00
6543	f4729e2418	Add Changelog v1.16.7 (#19575 ) Co-authored-by: techknowlogick <matti@mdranta.net> Co-authored-by: Gusted <williamzijl7@hotmail.com>	2022-05-02 05:41:09 +02:00
6543	f7330fd027	Dont overwrite err with nil (part #19572 ) (#19574 ) * Dont overwrite err with nil (part #19572) Co-authored-by: Gusted <williamzijl7@hotmail.com>	2022-05-02 01:54:20 +02:00
6543	755d8e21ad	Migration: only write commit-graph if wiki clone was successfull (#19563 ) (#19568 )	2022-05-01 00:22:42 +02:00
Jimmy Praet	7c0bf06d96	Respect DefaultUserIsRestricted system default when creating new user (#19310 ) (#19560 )	2022-04-30 15:00:14 +02:00
Gusted	0d196e29e8	Don't error when branch's commit doesn't exist (#19547 ) (#19548 ) - Backport #19547 - If one of the branches no longer exists, don't throw an error, it's possible that the branch was destroyed during the process. Simply skip it and disregard it. - Resolves #19541	2022-04-29 12:25:19 +02:00
wxiaoguang	b86606fa38	Support `hostname:port` to pass host matcher's check (#19543 ) (#19544 ) Backport #19543 hostmatcher: split the hostname from the hostname:port string, use the correct hostname to do the match.	2022-04-29 01:41:58 +08:00
zeripath	74602bb487	Prevent intermittent race in attribute reader close (#19537 ) (#19539 ) Backport #19537 There is a potential rare race possible whereby the c.running channel could be closed twice. Looking at the code I do not see a need for this c.running channel and therefore I think we can remove this. (I think the c.running might have been some attempt to prevent a hang but the use of os.Pipes should prevent that.) Signed-off-by: Andrew Thornton <art27@cantab.net>	2022-04-28 17:00:01 +02:00
Gusted	1465e0cbb2	Fix 64-bit atomic operations on 32-bit machines (#19531 ) (#19532 ) - Backport #19531 - Doing 64-bit atomic operations on 32-bit machines is a bit tricky by golang, as they can only be done under certain set of conditions(https://pkg.go.dev/sync/atomic#pkg-note-BUG). - This PR fixes such case whereby the conditions weren't met, it moves the int64 to the first field of the struct, which will 64-bit operations happening on this property on 32-bit machines. - Resolves #19518	2022-04-27 10:32:28 -05:00
Lunny Xiao	928b603d19	Fix migrate release from github (#19510 ) (#19523 ) * Fix migrate release from github * Fix bug	2022-04-27 14:46:00 +02:00
Lunny Xiao	8ff542c1a2	When view _Siderbar or _Footer, just display once (#19501 ) (#19522 ) Co-authored-by: zeripath <art27@cantab.net>	2022-04-27 14:04:53 +02:00
zeripath	39a0db6ecf	Prevent dangling archiver goroutine (#19516 ) (#19526 ) Backport #19516 Within doArchive there is a service goroutine that performs the archiving function. This goroutine reports its error using a `chan error` called `done`. Prior to this PR this channel had 0 capacity meaning that the goroutine would block until the `done` channel was cleared - however there are a couple of ways in which this channel might not be read. The simplest solution is to add a single space of capacity to the goroutine which will mean that the goroutine will always complete and even if the `done` channel is not read it will be simply garbage collected away. (The PR also contains two other places when setting up the indexers which do not leak but where the blocking of the sending goroutine is also unnecessary and so we should just add a small amount of capacity and let the sending goroutine complete as soon as it can.) Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: 6543 <6543@obermui.de>	2022-04-27 16:05:52 +08:00
techknowlogick	9cc93c05cd	Unset git author/committer variables when running integration tests (#19512 ) (#19519 ) TestAPIGitTag (and likely others) will fail if the running environment contains GIT_AUTHOR_NAME and other env variables like it. This PR simply unsets these when running the integration tests. Fix #14247 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net>	2022-04-26 19:23:54 -04:00
Lunny Xiao	b31418edd9	Fix blame page select range error and some typos (#19503 ) Partially back port from #19500 and fix two typos.	2022-04-26 20:19:52 +01:00
6543	242f7f1a52	Add notags to fetch (#19487 ) (#19490 ) * Add notags to fetch (#19487) * gofumpt	2022-04-25 20:26:17 +02:00
6543	8d7f1e430a	User specific repoID or xorm builder conditions for issue search (#19475 ) (#19476 )	2022-04-25 15:28:47 +02:00
Pilou	a6b32adc45	[doctor] authorized-keys: fix displayed check name (backport #19464 ) (#19484 ) The registered check name is authorized-keys, not authorized_keys.	2022-04-25 13:45:18 +02:00
Gusted	1f0dca4614	Mark TemplateLoading error as "UnprocessableEntity" (#19445 ) (#19446 ) * Mark TemplateLoading error as "UnprocessableEntity" (#19445) - Backport #19445 - Don't return Internal Server error if the user provide incorrect label template, instead return UnprocessableEntity. - Resolves #19399 - dep: upgrade: github.com/gogs/chardet	2022-04-22 21:07:57 +02:00
6543	1d665da32f	Prevent dangling cat-file calls (goroutine alternative) (#19454 ) (#19466 ) If an `os/exec.Command` is passed non `*os.File` as an input/output, go will create `os.Pipe`s and wait for their closure in `cmd.Wait()`. If the code following this is responsible for closing `io.Pipe`s or other handlers then on process death from context cancellation the `Wait` can hang. There are two possible solutions: 1. use `os.Pipe` as the input/output as `cmd.Wait` does not wait for these. 2. create a goroutine waiting on the context cancellation that will close the inputs. This PR provides the second option - which is a simpler change that can be more easily backported. Closes #19448 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net>	2022-04-22 16:58:50 +01:00
Gusted	09adc26eb6	Set correct PR status on 3way on conflict checking (#19457 ) (#19458 ) - Backport #19457 - When 3-way merge is enabled for conflict checking, it has a new interesting behavior that it doesn't return any error when it found a conflict, so we change the condition to not check for the error, but instead check if conflictedfiles is populated, this fixes a issue whereby PR status wasn't correctly on conflicted PR's. - Refactor the mergeable property(which was incorrectly set and lead me this bug) to be more maintainable. - Add a dedicated test for conflicting checking, so it should prevent future issues with this. - Ref: Fix the latest error for https://gitea.com/gitea/go-sdk/pulls/579 Co-authored-by: zeripath <art27@cantab.net>	2022-04-22 09:11:42 +08:00
6543	297346a762	RepoAssignment ensure to close before overwrite (#19449 ) (#19460 ) * check if GitRepo already open and close if * Only run RepoAssignment once	2022-04-21 18:55:44 +02:00