Documentation: Clarity for HTTPS setups (#5626 )

[https-setup] - Made it clearer that HTTP redirection is possible [config-cheat-sheet] - Clarified the behavihour of the redirection-related config keys
2026-04-19 14:01:08 +00:00 · 2019-01-03 16:46:07 +01:00
105 changed files with 858 additions and 2493 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -211,7 +211,7 @@ pipeline:
      branch: [ master ]
  static:
-    image: techknowlogick/xgo:latest
+    image: karalabe/xgo-latest:latest
    pull: true
    environment:
      TAGS: bindata sqlite sqlite_unlock_notify
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,62 +4,7 @@ This changelog goes through all the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.io).
-## [1.7.3](https://github.com/go-gitea/gitea/releases/tag/v1.7.3) - 2019-02-27
+## [1.7.0-rc1](https://github.com/go-gitea/gitea/releases/tag/v1.7.0) - 2019-01-02
 * BUGFIXES
  * Fix server 500 when trying to migrate to an already existing repository (#6188) (#6197)
  * Load Issue attributes for API /repos/{owner}/{repo}/issues/{index} (#6122) (#6185)
  * Fix bug whereby user could change private repository to public when force private enabled. (#6156) (#6165)
  * Fix bug when update owner team then visit team's repo return 404 (#6119) (#6166)
  * Fix heatmap and repository menu display in Internet Explorer 9+ (#6117) (#6137)
  * Fix prohibit login check on authorization (#6106) (#6115)
  * Fix LDAP protocol error regression by moving to ldap.v3 (#6105) (#6107)
  * Fix deadlock in webhook PullRequest (#6102) (#6104)
  * Fix redirect loop when password change is required and Gitea is installed as a suburl (#5965) (#6101)
  * Fix compare button regression (#5929) (#6098)
  * Recover panic in orgmode.Render if bad orgfile (#4982) (#5903) (#6097)
 ## [1.7.2](https://github.com/go-gitea/gitea/releases/tag/v1.7.2) - 2019-02-14
 * BUGFIXES
  * Remove all CommitStatus when a repo is deleted (#5940) (#5941)
  * Fix notifications on pushing with deploy keys by setting hook environment variables (#5935) (#5944)
  * Silence console logger in gitea serv (#5887) (#5943)
  * Handle milestone webhook events for issues and PR (#5947) (#5955)
  * Show user who created the repository instead of the organization in action feed (#5948) (#5956)
  * Fix ssh deploy and user key constraints (#1357) (#5939) (#5966)
  * Fix bug when deleting a linked account will removed all (#5989) (#5990)
  * Fix empty ssh key importing in ldap (#5984) (#6009)
  * Fix metrics auth token detection (#6006) (#6017)
  * Create repository on organisation by default on its dashboard (#6026) (#6048)
  * Make sure labels are actually returned in API (#6053) (#6059)
  * Switch to more recent build of xgo (#6070) (#6072)
  * In basic auth check for tokens before call UserSignIn (#5725) (#6083)
 ## [1.7.1](https://github.com/go-gitea/gitea/releases/tag/v1.7.1) - 2019-01-31
 * SECURITY
  * Disable redirect for i18n (#5910) (#5916)
  * Only allow local login if password is non-empty (#5906) (#5908)
  * Fix go-get URL generation (#5905) (#5907)
 * BUGFIXES
  * Fix TLS errors when using acme/autocert for local connections (#5820) (#5826)
  * Request for public keys only if LDAP attribute is set (#5816) (#5819)
  * Fix delete correct temp directory (#5840) (#5839)
  * Fix an error while adding a dependency via UI (#5862) (#5876)
  * Fix null pointer in attempt to Sudo if not logged in (#5872) (#5884)
  * When creating new repository fsck option should be enabled (#5817) (#5885)
  * Prevent nil dereference in mailIssueCommentToParticipants (#5891) (#5895) (#5894)
  * Fix bug when read public repo lfs file (#5913) (#5912)
  * Respect value of REQUIRE_SIGNIN_VIEW (#5901) (#5915)
  * Fix compare button on upstream repo leading to 404 (#5877) (#5914)
 * DOCS
  * Added docs for the tree api (#5835)
 * MISC
  * Include Go toolchain to --version (#5832) (#5830)
 ## [1.7.0](https://github.com/go-gitea/gitea/releases/tag/v1.7.0) - 2019-01-22
 * SECURITY
  * Do not display the raw OpenID error in the UI (#5705) (#5712)
  * When redirecting clean the path to avoid redirecting to external site (#5669) (#5679)
  * Prevent DeleteFilePost doing arbitrary deletion (#5631)
 * BREAKING
  * Restrict permission check on repositories and fix some problems (#5314)
  * Show only opened milestones on issues page milestone filter (#5051)
@@ -78,13 +23,6 @@ been added to each release, please refer to the [blog](https://blog.gitea.io).
  * Give user a link to create PR after push (#4716)
  * Add rebase with merge commit merge style (#3844) (#4052)
 * BUGFIXES
  * Disallow empty titles (#5785) (#5794)
  * Fix sqlite deadlock when assigning to a PR (#5640) (#5642)
  * Don't close issues via commits on non-default branch. (#5622) (#5643)
  * Fix commit page showing status for current default branch (#5650) (#5653)
  * Only count users own actions for heatmap contributions (#5647) (#5655)
  * Update xorm to fix issue postgresql dumping issues (#5680) (#5692)
  * Use correct value for "MSpan Structures Obtained" (#5706) (#5716)
  * Fix bug on modifying sshd username (#5624)
  * Delete tags in mirror which are removed for original repo. (#5609)
  * Fix wrong text getting saved on editing second comment on an issue. (#5608)
@@ -211,18 +149,6 @@ been added to each release, please refer to the [blog](https://blog.gitea.io).
  * Git-Trees API (#5403)
  * Only chown directories during docker setup if necessary. Fix #4425 (#5064)
 ## [1.6.4](https://github.com/go-gitea/gitea/releases/tag/v1.6.4) - 2019-01-15
 * BUGFIX
  * Fix SSH key now can be reused as public key after deleting as deploy key (#5671) (#5685)
  * When redirecting clean the path to avoid redirecting to external site (#5669) (#5703)
  * Fix to use correct value for "MSpan Structures Obtained" (#5706) (#5715)
 ## [1.6.3](https://github.com/go-gitea/gitea/releases/tag/v1.6.3) - 2019-01-04
 * SECURITY
  * Prevent DeleteFilePost doing arbitrary deletion (#5631)
 * BUGFIX
  * Fix wrong text getting saved on editing second comment on an issue (#5608)
 ## [1.6.2](https://github.com/go-gitea/gitea/releases/tag/v1.6.2) - 2018-12-21
 * SECURITY
  * Sanitize uploaded file names (#5571) (#5573)
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -406,11 +406,11 @@
  version = "v0.6.0"
 [[projects]]
-  digest = "1:d366480c27ab51b3f7e995f25503063e7a6ebc7feb269df2499c33471f35cd62"
+  digest = "1:931a62a1aacc37a5e4c309a111642ec4da47b4dc453cd4ba5481b12eedb04a5d"
  name = "github.com/go-xorm/xorm"
  packages = ["."]
  pruneopts = "NUT"
-  revision = "1cd2662be938bfee0e34af92fe448513e0560fb1"
+  revision = "401f4ee8ff8cbc40a4754cb12192fbe4f02f3979"
 [[projects]]
  branch = "master"
@@ -1005,12 +1005,12 @@
  version = "v1.31.1"
 [[projects]]
-  digest = "1:8a502dedecf5b6d56e36f0d0e6196392baf616634af2c23108b6e8bb89ec57fc"
+  digest = "1:01f4ac37c52bda6f7e1bd73680a99f88733c0408aaa159ecb1ba53a1ade9423c"
-  name = "gopkg.in/ldap.v3"
+  name = "gopkg.in/ldap.v2"
  packages = ["."]
  pruneopts = "NUT"
-  revision = "214f299a0ecb2a6c6f6d2b0f13977032b207dc58"
+  revision = "d0a5ced67b4dc310b9158d63a2c6f9c5ec13f105"
-  version = "v3.0.1"
+  version = "v2.4.1"
 [[projects]]
  digest = "1:cfe1730a152ff033ad7d9c115d22e36b19eec6d5928c06146b9119be45d39dc0"
@@ -1173,7 +1173,6 @@
    "github.com/keybase/go-crypto/openpgp",
    "github.com/keybase/go-crypto/openpgp/armor",
    "github.com/keybase/go-crypto/openpgp/packet",
    "github.com/klauspost/compress/gzip",
    "github.com/lafriks/xormstore",
    "github.com/lib/pq",
    "github.com/lunny/dingtalk_webhook",
@@ -1215,7 +1214,7 @@
    "gopkg.in/editorconfig/editorconfig-core-go.v1",
    "gopkg.in/gomail.v2",
    "gopkg.in/ini.v1",
-    "gopkg.in/ldap.v3",
+    "gopkg.in/ldap.v2",
    "gopkg.in/macaron.v1",
    "gopkg.in/testfixtures.v2",
    "strk.kbt.io/projects/go/libravatar",
--- a/Gopkg.toml
+++ b/Gopkg.toml
@@ -38,7 +38,7 @@ ignored = ["google.golang.org/appengine*"]
 [[override]]
  name = "github.com/go-xorm/xorm"
-  revision = "1cd2662be938bfee0e34af92fe448513e0560fb1"
+  revision = "401f4ee8ff8cbc40a4754cb12192fbe4f02f3979"
 [[override]]
  name = "github.com/go-xorm/builder"
@@ -97,8 +97,8 @@ ignored = ["google.golang.org/appengine*"]
  version = "1.31.1"
 [[constraint]]
-  name = "gopkg.in/ldap.v3"
+  name = "gopkg.in/ldap.v2"
-  version = "3.0.1"
+  version = "2.4.1"
 [[constraint]]
  name = "gopkg.in/macaron.v1"
--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@@ -9,11 +9,10 @@ package cmd
 import (
 	"errors"
 	"fmt"
 	"strings"
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
 	"github.com/urfave/cli"
 )
@@ -25,7 +24,7 @@ func argsSet(c *cli.Context, args ...string) error {
 			return errors.New(a + " is not set")
 		}
-		if util.IsEmptyString(a) {
+		if len(strings.TrimSpace(c.String(a))) == 0 {
 			return errors.New(a + " is required")
 		}
 	}
--- a/cmd/serv.go
+++ b/cmd/serv.go
@@ -70,7 +70,6 @@ func checkLFSVersion() {
 }
 func setup(logPath string) {
 	log.DelLogger("console")
 	setting.NewContext()
 	checkLFSVersion()
 	log.NewGitLogger(filepath.Join(setting.LogRootPath, logPath))
@@ -234,30 +233,23 @@ func runServ(c *cli.Context) error {
 		// Check deploy key or user key.
 		if key.Type == models.KeyTypeDeploy {
-			// Now we have to get the deploy key for this repo
+			if key.Mode < requestedMode {
-			deployKey, err := private.GetDeployKey(key.ID, repo.ID)
+				fail("Key permission denied", "Cannot push with deployment key: %d", key.ID)
 			}
 			// Check if this deploy key belongs to current repository.
 			has, err := private.HasDeployKey(key.ID, repo.ID)
 			if err != nil {
 				fail("Key access denied", "Failed to access internal api: [key_id: %d, repo_id: %d]", key.ID, repo.ID)
 			}
-
+			if !has {
 			if deployKey == nil {
 				fail("Key access denied", "Deploy key access denied: [key_id: %d, repo_id: %d]", key.ID, repo.ID)
 			}
 			if deployKey.Mode < requestedMode {
 				fail("Key permission denied", "Cannot push with read-only deployment key: %d to repo_id: %d", key.ID, repo.ID)
 			}
 			// Update deploy key activity.
 			if err = private.UpdateDeployKeyUpdated(key.ID, repo.ID); err != nil {
 				fail("Internal error", "UpdateDeployKey: %v", err)
 			}
 			// FIXME: Deploy keys aren't really the owner of the repo pushing changes
 			// however we don't have good way of representing deploy keys in hook.go
 			// so for now use the owner
 			os.Setenv(models.EnvPusherName, username)
 			os.Setenv(models.EnvPusherID, fmt.Sprintf("%d", repo.OwnerID))
 		} else {
 			user, err = private.GetUserByKeyID(key.ID)
 			if err != nil {
--- a/integrations/api_helper_for_declarative_test.go
+++ b/integrations/api_helper_for_declarative_test.go
@@ -1,152 +0,0 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 package integrations
 import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
 	"testing"
 	api "code.gitea.io/sdk/gitea"
 	"github.com/stretchr/testify/assert"
 )
 type APITestContext struct {
 	Reponame     string
 	Session      *TestSession
 	Token        string
 	Username     string
 	ExpectedCode int
 }
 func NewAPITestContext(t *testing.T, username, reponame string) APITestContext {
 	session := loginUser(t, username)
 	token := getTokenForLoggedInUser(t, session)
 	return APITestContext{
 		Session:  session,
 		Token:    token,
 		Username: username,
 		Reponame: reponame,
 	}
 }
 func (ctx APITestContext) GitPath() string {
 	return fmt.Sprintf("%s/%s.git", ctx.Username, ctx.Reponame)
 }
 func doAPICreateRepository(ctx APITestContext, empty bool, callback ...func(*testing.T, api.Repository)) func(*testing.T) {
 	return func(t *testing.T) {
 		createRepoOption := &api.CreateRepoOption{
 			AutoInit:    !empty,
 			Description: "Temporary repo",
 			Name:        ctx.Reponame,
 			Private:     true,
 			Gitignores:  "",
 			License:     "WTFPL",
 			Readme:      "Default",
 		}
 		req := NewRequestWithJSON(t, "POST", "/api/v1/user/repos?token="+ctx.Token, createRepoOption)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
 		resp := ctx.Session.MakeRequest(t, req, http.StatusCreated)
 		var repository api.Repository
 		DecodeJSON(t, resp, &repository)
 		if len(callback) > 0 {
 			callback[0](t, repository)
 		}
 	}
 }
 func doAPIGetRepository(ctx APITestContext, callback ...func(*testing.T, api.Repository)) func(*testing.T) {
 	return func(t *testing.T) {
 		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", ctx.Username, ctx.Reponame, ctx.Token)
 		req := NewRequest(t, "GET", urlStr)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
 		resp := ctx.Session.MakeRequest(t, req, http.StatusOK)
 		var repository api.Repository
 		DecodeJSON(t, resp, &repository)
 		if len(callback) > 0 {
 			callback[0](t, repository)
 		}
 	}
 }
 func doAPIDeleteRepository(ctx APITestContext) func(*testing.T) {
 	return func(t *testing.T) {
 		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s?token=%s", ctx.Username, ctx.Reponame, ctx.Token)
 		req := NewRequest(t, "DELETE", urlStr)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
 		ctx.Session.MakeRequest(t, req, http.StatusNoContent)
 	}
 }
 func doAPICreateUserKey(ctx APITestContext, keyname, keyFile string, callback ...func(*testing.T, api.PublicKey)) func(*testing.T) {
 	return func(t *testing.T) {
 		urlStr := fmt.Sprintf("/api/v1/user/keys?token=%s", ctx.Token)
 		dataPubKey, err := ioutil.ReadFile(keyFile + ".pub")
 		assert.NoError(t, err)
 		req := NewRequestWithJSON(t, "POST", urlStr, &api.CreateKeyOption{
 			Title: keyname,
 			Key:   string(dataPubKey),
 		})
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
 		resp := ctx.Session.MakeRequest(t, req, http.StatusCreated)
 		var publicKey api.PublicKey
 		DecodeJSON(t, resp, &publicKey)
 		if len(callback) > 0 {
 			callback[0](t, publicKey)
 		}
 	}
 }
 func doAPIDeleteUserKey(ctx APITestContext, keyID int64) func(*testing.T) {
 	return func(t *testing.T) {
 		urlStr := fmt.Sprintf("/api/v1/user/keys/%d?token=%s", keyID, ctx.Token)
 		req := NewRequest(t, "DELETE", urlStr)
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
 		ctx.Session.MakeRequest(t, req, http.StatusNoContent)
 	}
 }
 func doAPICreateDeployKey(ctx APITestContext, keyname, keyFile string, readOnly bool) func(*testing.T) {
 	return func(t *testing.T) {
 		urlStr := fmt.Sprintf("/api/v1/repos/%s/%s/keys?token=%s", ctx.Username, ctx.Reponame, ctx.Token)
 		dataPubKey, err := ioutil.ReadFile(keyFile + ".pub")
 		assert.NoError(t, err)
 		req := NewRequestWithJSON(t, "POST", urlStr, api.CreateKeyOption{
 			Title:    keyname,
 			Key:      string(dataPubKey),
 			ReadOnly: readOnly,
 		})
 		if ctx.ExpectedCode != 0 {
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
 		ctx.Session.MakeRequest(t, req, http.StatusCreated)
 	}
 }
--- a/integrations/git_helper_for_declarative_test.go
+++ b/integrations/git_helper_for_declarative_test.go
@@ -1,127 +0,0 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 package integrations
 import (
 	"context"
 	"fmt"
 	"io/ioutil"
 	"net"
 	"net/http"
 	"net/url"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"testing"
 	"time"
 	"code.gitea.io/git"
 	"code.gitea.io/gitea/modules/setting"
 	"github.com/Unknwon/com"
 	"github.com/stretchr/testify/assert"
 )
 func withKeyFile(t *testing.T, keyname string, callback func(string)) {
 	keyFile := filepath.Join(setting.AppDataPath, keyname)
 	err := exec.Command("ssh-keygen", "-f", keyFile, "-t", "rsa", "-N", "").Run()
 	assert.NoError(t, err)
 	//Setup ssh wrapper
 	os.Setenv("GIT_SSH_COMMAND",
 		"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i "+
 			filepath.Join(setting.AppWorkPath, keyFile))
 	os.Setenv("GIT_SSH_VARIANT", "ssh")
 	callback(keyFile)
 	defer os.RemoveAll(keyFile)
 	defer os.RemoveAll(keyFile + ".pub")
 }
 func createSSHUrl(gitPath string, u *url.URL) *url.URL {
 	u2 := *u
 	u2.Scheme = "ssh"
 	u2.User = url.User("git")
 	u2.Host = fmt.Sprintf("%s:%d", setting.SSH.ListenHost, setting.SSH.ListenPort)
 	u2.Path = gitPath
 	return &u2
 }
 func onGiteaRun(t *testing.T, callback func(*testing.T, *url.URL)) {
 	prepareTestEnv(t)
 	s := http.Server{
 		Handler: mac,
 	}
 	u, err := url.Parse(setting.AppURL)
 	assert.NoError(t, err)
 	listener, err := net.Listen("tcp", u.Host)
 	assert.NoError(t, err)
 	defer func() {
 		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
 		s.Shutdown(ctx)
 		cancel()
 	}()
 	go s.Serve(listener)
 	//Started by config go ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers, setting.SSH.ServerKeyExchanges, setting.SSH.ServerMACs)
 	callback(t, u)
 }
 func doGitClone(dstLocalPath string, u *url.URL) func(*testing.T) {
 	return func(t *testing.T) {
 		assert.NoError(t, git.Clone(u.String(), dstLocalPath, git.CloneRepoOptions{}))
 		assert.True(t, com.IsExist(filepath.Join(dstLocalPath, "README.md")))
 	}
 }
 func doGitCloneFail(dstLocalPath string, u *url.URL) func(*testing.T) {
 	return func(t *testing.T) {
 		assert.Error(t, git.Clone(u.String(), dstLocalPath, git.CloneRepoOptions{}))
 		assert.False(t, com.IsExist(filepath.Join(dstLocalPath, "README.md")))
 	}
 }
 func doGitInitTestRepository(dstPath string) func(*testing.T) {
 	return func(t *testing.T) {
 		// Init repository in dstPath
 		assert.NoError(t, git.InitRepository(dstPath, false))
 		assert.NoError(t, ioutil.WriteFile(filepath.Join(dstPath, "README.md"), []byte(fmt.Sprintf("# Testing Repository\n\nOriginally created in: %s", dstPath)), 0644))
 		assert.NoError(t, git.AddChanges(dstPath, true))
 		signature := git.Signature{
 			Email: "test@example.com",
 			Name:  "test",
 			When:  time.Now(),
 		}
 		assert.NoError(t, git.CommitChanges(dstPath, git.CommitChangesOptions{
 			Committer: &signature,
 			Author:    &signature,
 			Message:   "Initial Commit",
 		}))
 	}
 }
 func doGitAddRemote(dstPath, remoteName string, u *url.URL) func(*testing.T) {
 	return func(t *testing.T) {
 		_, err := git.NewCommand("remote", "add", remoteName, u.String()).RunInDir(dstPath)
 		assert.NoError(t, err)
 	}
 }
 func doGitPushTestRepository(dstPath, remoteName, branch string) func(*testing.T) {
 	return func(t *testing.T) {
 		_, err := git.NewCommand("push", "-u", remoteName, branch).RunInDir(dstPath)
 		assert.NoError(t, err)
 	}
 }
 func doGitPushTestRepositoryFail(dstPath, remoteName, branch string) func(*testing.T) {
 	return func(t *testing.T) {
 		_, err := git.NewCommand("push", "-u", remoteName, branch).RunInDir(dstPath)
 		assert.Error(t, err)
 	}
 }
--- a/integrations/git_test.go
+++ b/integrations/git_test.go
@@ -5,17 +5,25 @@
 package integrations
 import (
 	"context"
 	"crypto/rand"
 	"fmt"
 	"io/ioutil"
 	"net"
 	"net/http"
 	"net/url"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"testing"
 	"time"
 	"code.gitea.io/git"
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/sdk/gitea"
 	"github.com/Unknwon/com"
 	"github.com/stretchr/testify/assert"
 )
@@ -24,86 +32,160 @@ const (
 	bigSize    = 128 * 1024 * 1024 //128Mo
 )
-func TestGit(t *testing.T) {
+func onGiteaRun(t *testing.T, callback func(*testing.T, *url.URL)) {
-	onGiteaRun(t, testGit)
+	prepareTestEnv(t)
 	s := http.Server{
 		Handler: mac,
 	}
 	u, err := url.Parse(setting.AppURL)
 	assert.NoError(t, err)
 	listener, err := net.Listen("tcp", u.Host)
 	assert.NoError(t, err)
 	defer func() {
 		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
 		s.Shutdown(ctx)
 		cancel()
 	}()
 	go s.Serve(listener)
 	//Started by config go ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers, setting.SSH.ServerKeyExchanges, setting.SSH.ServerMACs)
 	callback(t, u)
 }
-func testGit(t *testing.T, u *url.URL) {
+func TestGit(t *testing.T) {
-	username := "user2"
+	onGiteaRun(t, func(t *testing.T, u *url.URL) {
-	baseAPITestContext := NewAPITestContext(t, username, "repo1")
+		u.Path = "user2/repo1.git"
-	u.Path = baseAPITestContext.GitPath()
+		t.Run("HTTP", func(t *testing.T) {
-
+			dstPath, err := ioutil.TempDir("", "repo-tmp-17")
-	t.Run("HTTP", func(t *testing.T) {
+			assert.NoError(t, err)
-		httpContext := baseAPITestContext
+			defer os.RemoveAll(dstPath)
-		httpContext.Reponame = "repo-tmp-17"
+			t.Run("Standard", func(t *testing.T) {
-
+				t.Run("CloneNoLogin", func(t *testing.T) {
-		dstPath, err := ioutil.TempDir("", httpContext.Reponame)
+					dstLocalPath, err := ioutil.TempDir("", "repo1")
-		assert.NoError(t, err)
+					assert.NoError(t, err)
-		defer os.RemoveAll(dstPath)
+					defer os.RemoveAll(dstLocalPath)
-		t.Run("Standard", func(t *testing.T) {
+					err = git.Clone(u.String(), dstLocalPath, git.CloneRepoOptions{})
-			ensureAnonymousClone(t, u)
+					assert.NoError(t, err)
-
+					assert.True(t, com.IsExist(filepath.Join(dstLocalPath, "README.md")))
 			t.Run("CreateRepo", doAPICreateRepository(httpContext, false))
 			u.Path = httpContext.GitPath()
 			u.User = url.UserPassword(username, userPassword)
 			t.Run("Clone", doGitClone(dstPath, u))
 			t.Run("PushCommit", func(t *testing.T) {
 				t.Run("Little", func(t *testing.T) {
 					commitAndPush(t, littleSize, dstPath)
 				})
-				t.Run("Big", func(t *testing.T) {
+
-					commitAndPush(t, bigSize, dstPath)
+				t.Run("CreateRepo", func(t *testing.T) {
 					session := loginUser(t, "user2")
 					token := getTokenForLoggedInUser(t, session)
 					req := NewRequestWithJSON(t, "POST", "/api/v1/user/repos?token="+token, &api.CreateRepoOption{
 						AutoInit:    true,
 						Description: "Temporary repo",
 						Name:        "repo-tmp-17",
 						Private:     false,
 						Gitignores:  "",
 						License:     "WTFPL",
 						Readme:      "Default",
 					})
 					session.MakeRequest(t, req, http.StatusCreated)
 				})
 				u.Path = "user2/repo-tmp-17.git"
 				u.User = url.UserPassword("user2", userPassword)
 				t.Run("Clone", func(t *testing.T) {
 					err = git.Clone(u.String(), dstPath, git.CloneRepoOptions{})
 					assert.NoError(t, err)
 					assert.True(t, com.IsExist(filepath.Join(dstPath, "README.md")))
 				})
 				t.Run("PushCommit", func(t *testing.T) {
 					t.Run("Little", func(t *testing.T) {
 						commitAndPush(t, littleSize, dstPath)
 					})
 					t.Run("Big", func(t *testing.T) {
 						commitAndPush(t, bigSize, dstPath)
 					})
 				})
 			})
 			t.Run("LFS", func(t *testing.T) {
 				t.Run("PushCommit", func(t *testing.T) {
 					//Setup git LFS
 					_, err = git.NewCommand("lfs").AddArguments("install").RunInDir(dstPath)
 					assert.NoError(t, err)
 					_, err = git.NewCommand("lfs").AddArguments("track", "data-file-*").RunInDir(dstPath)
 					assert.NoError(t, err)
 					err = git.AddChanges(dstPath, false, ".gitattributes")
 					assert.NoError(t, err)
 					t.Run("Little", func(t *testing.T) {
 						commitAndPush(t, littleSize, dstPath)
 					})
 					t.Run("Big", func(t *testing.T) {
 						commitAndPush(t, bigSize, dstPath)
 					})
 				})
 				t.Run("Locks", func(t *testing.T) {
 					lockTest(t, u.String(), dstPath)
 				})
 			})
 		})
-		t.Run("LFS", func(t *testing.T) {
+		t.Run("SSH", func(t *testing.T) {
 			t.Run("PushCommit", func(t *testing.T) {
 				//Setup git LFS
 				_, err = git.NewCommand("lfs").AddArguments("install").RunInDir(dstPath)
 				assert.NoError(t, err)
 				_, err = git.NewCommand("lfs").AddArguments("track", "data-file-*").RunInDir(dstPath)
 				assert.NoError(t, err)
 				err = git.AddChanges(dstPath, false, ".gitattributes")
 				assert.NoError(t, err)
 				t.Run("Little", func(t *testing.T) {
 					commitAndPush(t, littleSize, dstPath)
 				})
 				t.Run("Big", func(t *testing.T) {
 					commitAndPush(t, bigSize, dstPath)
 				})
 			})
 			t.Run("Locks", func(t *testing.T) {
 				lockTest(t, u.String(), dstPath)
 			})
 		})
 	})
 	t.Run("SSH", func(t *testing.T) {
 		sshContext := baseAPITestContext
 		sshContext.Reponame = "repo-tmp-18"
 		keyname := "my-testing-key"
 		//Setup key the user ssh key
 		withKeyFile(t, keyname, func(keyFile string) {
 			t.Run("CreateUserKey", doAPICreateUserKey(sshContext, "test-key", keyFile))
 			//Setup remote link
-			sshURL := createSSHUrl(sshContext.GitPath(), u)
+			u.Scheme = "ssh"
 			u.User = url.User("git")
 			u.Host = fmt.Sprintf("%s:%d", setting.SSH.ListenHost, setting.SSH.ListenPort)
 			u.Path = "user2/repo-tmp-18.git"
 			//Setup key
 			keyFile := filepath.Join(setting.AppDataPath, "my-testing-key")
 			err := exec.Command("ssh-keygen", "-f", keyFile, "-t", "rsa", "-N", "").Run()
 			assert.NoError(t, err)
 			defer os.RemoveAll(keyFile)
 			defer os.RemoveAll(keyFile + ".pub")
 			session := loginUser(t, "user1")
 			keyOwner := models.AssertExistsAndLoadBean(t, &models.User{Name: "user2"}).(*models.User)
 			token := getTokenForLoggedInUser(t, session)
 			urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", keyOwner.Name, token)
 			dataPubKey, err := ioutil.ReadFile(keyFile + ".pub")
 			assert.NoError(t, err)
 			req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
 				"key":   string(dataPubKey),
 				"title": "test-key",
 			})
 			session.MakeRequest(t, req, http.StatusCreated)
 			//Setup ssh wrapper
 			os.Setenv("GIT_SSH_COMMAND",
 				"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i "+
 					filepath.Join(setting.AppWorkPath, keyFile))
 			os.Setenv("GIT_SSH_VARIANT", "ssh")
 			//Setup clone folder
-			dstPath, err := ioutil.TempDir("", sshContext.Reponame)
+			dstPath, err := ioutil.TempDir("", "repo-tmp-18")
 			assert.NoError(t, err)
 			defer os.RemoveAll(dstPath)
 			t.Run("Standard", func(t *testing.T) {
-				t.Run("CreateRepo", doAPICreateRepository(sshContext, false))
+				t.Run("CreateRepo", func(t *testing.T) {
-
+					session := loginUser(t, "user2")
 					token := getTokenForLoggedInUser(t, session)
 					req := NewRequestWithJSON(t, "POST", "/api/v1/user/repos?token="+token, &api.CreateRepoOption{
 						AutoInit:    true,
 						Description: "Temporary repo",
 						Name:        "repo-tmp-18",
 						Private:     false,
 						Gitignores:  "",
 						License:     "WTFPL",
 						Readme:      "Default",
 					})
 					session.MakeRequest(t, req, http.StatusCreated)
 				})
 				//TODO get url from api
-				t.Run("Clone", doGitClone(dstPath, sshURL))
+				t.Run("Clone", func(t *testing.T) {
-
+					_, err = git.NewCommand("clone").AddArguments(u.String(), dstPath).Run()
 					assert.NoError(t, err)
 					assert.True(t, com.IsExist(filepath.Join(dstPath, "README.md")))
 				})
 				//time.Sleep(5 * time.Minute)
 				t.Run("PushCommit", func(t *testing.T) {
 					t.Run("Little", func(t *testing.T) {
@@ -135,20 +217,10 @@ func testGit(t *testing.T, u *url.URL) {
 					lockTest(t, u.String(), dstPath)
 				})
 			})
 		})
 	})
 }
 func ensureAnonymousClone(t *testing.T, u *url.URL) {
 	dstLocalPath, err := ioutil.TempDir("", "repo1")
 	assert.NoError(t, err)
 	defer os.RemoveAll(dstLocalPath)
 	t.Run("CloneAnonymous", doGitClone(dstLocalPath, u))
 }
 func lockTest(t *testing.T, remote, repoPath string) {
 	_, err := git.NewCommand("remote").AddArguments("set-url", "origin", remote).RunInDir(repoPath) //TODO add test ssh git-lfs-creds
 	assert.NoError(t, err)
--- a/integrations/release_test.go
+++ b/integrations/release_test.go
@@ -112,7 +112,7 @@ func TestCreateReleasePaging(t *testing.T) {
 	checkLatestReleaseAndCount(t, session, "/user2/repo1", "v0.0.12", i18n.Tr("en", "repo.release.draft"), 10)
-	// Check that user4 does not see draft and still see 10 latest releases
+	// Check that user3 does not see draft and still see 10 latest releases
-	session2 := loginUser(t, "user4")
+	session2 := loginUser(t, "user3")
 	checkLatestReleaseAndCount(t, session2, "/user2/repo1", "v0.0.11", i18n.Tr("en", "repo.release.stable"), 10)
 }
--- a/integrations/ssh_key_test.go
+++ b/integrations/ssh_key_test.go
@@ -1,217 +0,0 @@
 // Copyright 2019 The Gitea Authors. All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 package integrations
 import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
 	"net/url"
 	"os"
 	"path/filepath"
 	"testing"
 	"time"
 	"code.gitea.io/git"
 	api "code.gitea.io/sdk/gitea"
 	"github.com/stretchr/testify/assert"
 )
 func doCheckRepositoryEmptyStatus(ctx APITestContext, isEmpty bool) func(*testing.T) {
 	return doAPIGetRepository(ctx, func(t *testing.T, repository api.Repository) {
 		assert.Equal(t, isEmpty, repository.Empty)
 	})
 }
 func doAddChangesToCheckout(dstPath, filename string) func(*testing.T) {
 	return func(t *testing.T) {
 		assert.NoError(t, ioutil.WriteFile(filepath.Join(dstPath, filename), []byte(fmt.Sprintf("# Testing Repository\n\nOriginally created in: %s at time: %v", dstPath, time.Now())), 0644))
 		assert.NoError(t, git.AddChanges(dstPath, true))
 		signature := git.Signature{
 			Email: "test@example.com",
 			Name:  "test",
 			When:  time.Now(),
 		}
 		assert.NoError(t, git.CommitChanges(dstPath, git.CommitChangesOptions{
 			Committer: &signature,
 			Author:    &signature,
 			Message:   "Initial Commit",
 		}))
 	}
 }
 func TestPushDeployKeyOnEmptyRepo(t *testing.T) {
 	onGiteaRun(t, testPushDeployKeyOnEmptyRepo)
 }
 func testPushDeployKeyOnEmptyRepo(t *testing.T, u *url.URL) {
 	// OK login
 	ctx := NewAPITestContext(t, "user2", "deploy-key-empty-repo-1")
 	keyname := fmt.Sprintf("%s-push", ctx.Reponame)
 	u.Path = ctx.GitPath()
 	t.Run("CreateEmptyRepository", doAPICreateRepository(ctx, true))
 	t.Run("CheckIsEmpty", doCheckRepositoryEmptyStatus(ctx, true))
 	withKeyFile(t, keyname, func(keyFile string) {
 		t.Run("CreatePushDeployKey", doAPICreateDeployKey(ctx, keyname, keyFile, false))
 		// Setup the testing repository
 		dstPath, err := ioutil.TempDir("", "repo-tmp-deploy-key-empty-repo-1")
 		assert.NoError(t, err)
 		defer os.RemoveAll(dstPath)
 		t.Run("InitTestRepository", doGitInitTestRepository(dstPath))
 		//Setup remote link
 		sshURL := createSSHUrl(ctx.GitPath(), u)
 		t.Run("AddRemote", doGitAddRemote(dstPath, "origin", sshURL))
 		t.Run("SSHPushTestRepository", doGitPushTestRepository(dstPath, "origin", "master"))
 		t.Run("CheckIsNotEmpty", doCheckRepositoryEmptyStatus(ctx, false))
 		t.Run("DeleteRepository", doAPIDeleteRepository(ctx))
 	})
 }
 func TestKeyOnlyOneType(t *testing.T) {
 	onGiteaRun(t, testKeyOnlyOneType)
 }
 func testKeyOnlyOneType(t *testing.T, u *url.URL) {
 	// Once a key is a user key we cannot use it as a deploy key
 	// If we delete it from the user we should be able to use it as a deploy key
 	reponame := "ssh-key-test-repo"
 	username := "user2"
 	u.Path = fmt.Sprintf("%s/%s.git", username, reponame)
 	keyname := fmt.Sprintf("%s-push", reponame)
 	// OK login
 	ctx := NewAPITestContext(t, username, reponame)
 	otherCtx := ctx
 	otherCtx.Reponame = "ssh-key-test-repo-2"
 	failCtx := ctx
 	failCtx.ExpectedCode = http.StatusUnprocessableEntity
 	t.Run("CreateRepository", doAPICreateRepository(ctx, false))
 	t.Run("CreateOtherRepository", doAPICreateRepository(otherCtx, false))
 	withKeyFile(t, keyname, func(keyFile string) {
 		var userKeyPublicKeyID int64
 		t.Run("KeyCanOnlyBeUser", func(t *testing.T) {
 			dstPath, err := ioutil.TempDir("", ctx.Reponame)
 			assert.NoError(t, err)
 			defer os.RemoveAll(dstPath)
 			sshURL := createSSHUrl(ctx.GitPath(), u)
 			t.Run("FailToClone", doGitCloneFail(dstPath, sshURL))
 			t.Run("CreateUserKey", doAPICreateUserKey(ctx, keyname, keyFile, func(t *testing.T, publicKey api.PublicKey) {
 				userKeyPublicKeyID = publicKey.ID
 			}))
 			t.Run("FailToAddReadOnlyDeployKey", doAPICreateDeployKey(failCtx, keyname, keyFile, true))
 			t.Run("FailToAddDeployKey", doAPICreateDeployKey(failCtx, keyname, keyFile, false))
 			t.Run("Clone", doGitClone(dstPath, sshURL))
 			t.Run("AddChanges", doAddChangesToCheckout(dstPath, "CHANGES1.md"))
 			t.Run("Push", doGitPushTestRepository(dstPath, "origin", "master"))
 			t.Run("DeleteUserKey", doAPIDeleteUserKey(ctx, userKeyPublicKeyID))
 		})
 		t.Run("KeyCanBeAnyDeployButNotUserAswell", func(t *testing.T) {
 			dstPath, err := ioutil.TempDir("", ctx.Reponame)
 			assert.NoError(t, err)
 			defer os.RemoveAll(dstPath)
 			sshURL := createSSHUrl(ctx.GitPath(), u)
 			t.Run("FailToClone", doGitCloneFail(dstPath, sshURL))
 			// Should now be able to add...
 			t.Run("AddReadOnlyDeployKey", doAPICreateDeployKey(ctx, keyname, keyFile, true))
 			t.Run("Clone", doGitClone(dstPath, sshURL))
 			t.Run("AddChanges", doAddChangesToCheckout(dstPath, "CHANGES2.md"))
 			t.Run("FailToPush", doGitPushTestRepositoryFail(dstPath, "origin", "master"))
 			otherSSHURL := createSSHUrl(otherCtx.GitPath(), u)
 			dstOtherPath, err := ioutil.TempDir("", otherCtx.Reponame)
 			assert.NoError(t, err)
 			defer os.RemoveAll(dstOtherPath)
 			t.Run("AddWriterDeployKeyToOther", doAPICreateDeployKey(otherCtx, keyname, keyFile, false))
 			t.Run("CloneOther", doGitClone(dstOtherPath, otherSSHURL))
 			t.Run("AddChangesToOther", doAddChangesToCheckout(dstOtherPath, "CHANGES3.md"))
 			t.Run("PushToOther", doGitPushTestRepository(dstOtherPath, "origin", "master"))
 			t.Run("FailToCreateUserKey", doAPICreateUserKey(failCtx, keyname, keyFile))
 		})
 		t.Run("DeleteRepositoryShouldReleaseKey", func(t *testing.T) {
 			otherSSHURL := createSSHUrl(otherCtx.GitPath(), u)
 			dstOtherPath, err := ioutil.TempDir("", otherCtx.Reponame)
 			assert.NoError(t, err)
 			defer os.RemoveAll(dstOtherPath)
 			t.Run("DeleteRepository", doAPIDeleteRepository(ctx))
 			t.Run("FailToCreateUserKeyAsStillDeploy", doAPICreateUserKey(failCtx, keyname, keyFile))
 			t.Run("MakeSureCloneOtherStillWorks", doGitClone(dstOtherPath, otherSSHURL))
 			t.Run("AddChangesToOther", doAddChangesToCheckout(dstOtherPath, "CHANGES3.md"))
 			t.Run("PushToOther", doGitPushTestRepository(dstOtherPath, "origin", "master"))
 			t.Run("DeleteOtherRepository", doAPIDeleteRepository(otherCtx))
 			t.Run("RecreateRepository", doAPICreateRepository(ctx, false))
 			t.Run("CreateUserKey", doAPICreateUserKey(ctx, keyname, keyFile, func(t *testing.T, publicKey api.PublicKey) {
 				userKeyPublicKeyID = publicKey.ID
 			}))
 			dstPath, err := ioutil.TempDir("", ctx.Reponame)
 			assert.NoError(t, err)
 			defer os.RemoveAll(dstPath)
 			sshURL := createSSHUrl(ctx.GitPath(), u)
 			t.Run("Clone", doGitClone(dstPath, sshURL))
 			t.Run("AddChanges", doAddChangesToCheckout(dstPath, "CHANGES1.md"))
 			t.Run("Push", doGitPushTestRepository(dstPath, "origin", "master"))
 		})
 		t.Run("DeleteUserKeyShouldRemoveAbilityToClone", func(t *testing.T) {
 			dstPath, err := ioutil.TempDir("", ctx.Reponame)
 			assert.NoError(t, err)
 			defer os.RemoveAll(dstPath)
 			sshURL := createSSHUrl(ctx.GitPath(), u)
 			t.Run("DeleteUserKey", doAPIDeleteUserKey(ctx, userKeyPublicKeyID))
 			t.Run("FailToClone", doGitCloneFail(dstPath, sshURL))
 		})
 	})
 }
--- a/main.go
+++ b/main.go
@@ -8,7 +8,6 @@ package main // import "code.gitea.io/gitea"
 import (
 	"os"
 	"runtime"
 	"strings"
 	"code.gitea.io/gitea/cmd"
@@ -62,8 +61,8 @@ arguments - which can alternatively be run by running the subcommand web.`
 func formatBuiltWith(Tags string) string {
 	if len(Tags) == 0 {
-		return " built with " + runtime.Version()
+		return ""
 	}
-	return " built with " + runtime.Version() + " : " + strings.Replace(Tags, " ", ", ", -1)
+	return " built with: " + strings.Replace(Tags, " ", ", ", -1)
 }
--- a/models/action.go
+++ b/models/action.go
@@ -476,34 +476,8 @@ func getIssueFromRef(repo *Repository, ref string) (*Issue, error) {
 	return issue, nil
 }
 func changeIssueStatus(repo *Repository, doer *User, ref string, refMarked map[int64]bool, status bool) error {
 	issue, err := getIssueFromRef(repo, ref)
 	if err != nil {
 		return err
 	}
 	if issue == nil || refMarked[issue.ID] {
 		return nil
 	}
 	refMarked[issue.ID] = true
 	if issue.RepoID != repo.ID || issue.IsClosed == status {
 		return nil
 	}
 	issue.Repo = repo
 	if err = issue.ChangeStatus(doer, status); err != nil {
 		// Don't return an error when dependencies are open as this would let the push fail
 		if IsErrDependenciesLeft(err) {
 			return nil
 		}
 		return err
 	}
 	return nil
 }
 // UpdateIssuesCommit checks if issues are manipulated by commit message.
-func UpdateIssuesCommit(doer *User, repo *Repository, commits []*PushCommit, branchName string) error {
+func UpdateIssuesCommit(doer *User, repo *Repository, commits []*PushCommit) error {
 	// Commits are appended in the reverse order.
 	for i := len(commits) - 1; i >= 0; i-- {
 		c := commits[i]
@@ -526,21 +500,51 @@ func UpdateIssuesCommit(doer *User, repo *Repository, commits []*PushCommit, bra
 			}
 		}
 		// Change issue status only if the commit has been pushed to the default branch.
 		if repo.DefaultBranch != branchName {
 			continue
 		}
 		refMarked = make(map[int64]bool)
 		// FIXME: can merge this one and next one to a common function.
 		for _, ref := range issueCloseKeywordsPat.FindAllString(c.Message, -1) {
-			if err := changeIssueStatus(repo, doer, ref, refMarked, true); err != nil {
+			issue, err := getIssueFromRef(repo, ref)
 			if err != nil {
 				return err
 			}
 			if issue == nil || refMarked[issue.ID] {
 				continue
 			}
 			refMarked[issue.ID] = true
 			if issue.RepoID != repo.ID || issue.IsClosed {
 				continue
 			}
 			issue.Repo = repo
 			if err = issue.ChangeStatus(doer, true); err != nil {
 				// Don't return an error when dependencies are open as this would let the push fail
 				if IsErrDependenciesLeft(err) {
 					return nil
 				}
 				return err
 			}
 		}
 		// It is conflict to have close and reopen at same time, so refsMarked doesn't need to reinit here.
 		for _, ref := range issueReopenKeywordsPat.FindAllString(c.Message, -1) {
-			if err := changeIssueStatus(repo, doer, ref, refMarked, false); err != nil {
+			issue, err := getIssueFromRef(repo, ref)
 			if err != nil {
 				return err
 			}
 			if issue == nil || refMarked[issue.ID] {
 				continue
 			}
 			refMarked[issue.ID] = true
 			if issue.RepoID != repo.ID || !issue.IsClosed {
 				continue
 			}
 			issue.Repo = repo
 			if err = issue.ChangeStatus(doer, false); err != nil {
 				return err
 			}
 		}
@@ -605,7 +609,7 @@ func CommitRepoAction(opts CommitRepoActionOptions) error {
 			opts.Commits.CompareURL = repo.ComposeCompareURL(opts.OldCommitID, opts.NewCommitID)
 		}
-		if err = UpdateIssuesCommit(pusher, repo, opts.Commits.Commits, refName); err != nil {
+		if err = UpdateIssuesCommit(pusher, repo, opts.Commits.Commits); err != nil {
 			log.Error(4, "updateIssuesCommit: %v", err)
 		}
 	}
--- a/models/action_test.go
+++ b/models/action_test.go
@@ -227,37 +227,10 @@ func TestUpdateIssuesCommit(t *testing.T) {
 	AssertNotExistsBean(t, commentBean)
 	AssertNotExistsBean(t, &Issue{RepoID: repo.ID, Index: 2}, "is_closed=1")
-	assert.NoError(t, UpdateIssuesCommit(user, repo, pushCommits, repo.DefaultBranch))
+	assert.NoError(t, UpdateIssuesCommit(user, repo, pushCommits))
 	AssertExistsAndLoadBean(t, commentBean)
 	AssertExistsAndLoadBean(t, issueBean, "is_closed=1")
 	CheckConsistencyFor(t, &Action{})
 	// Test that push to a non-default branch closes no issue.
 	pushCommits = []*PushCommit{
 		{
 			Sha1:           "abcdef1",
 			CommitterEmail: "user2@example.com",
 			CommitterName:  "User Two",
 			AuthorEmail:    "user4@example.com",
 			AuthorName:     "User Four",
 			Message:        "close #1",
 		},
 	}
 	repo = AssertExistsAndLoadBean(t, &Repository{ID: 3}).(*Repository)
 	commentBean = &Comment{
 		Type:      CommentTypeCommitRef,
 		CommitSHA: "abcdef1",
 		PosterID:  user.ID,
 		IssueID:   6,
 	}
 	issueBean = &Issue{RepoID: repo.ID, Index: 1}
 	AssertNotExistsBean(t, commentBean)
 	AssertNotExistsBean(t, &Issue{RepoID: repo.ID, Index: 1}, "is_closed=1")
 	assert.NoError(t, UpdateIssuesCommit(user, repo, pushCommits, "non-existing-branch"))
 	AssertExistsAndLoadBean(t, commentBean)
 	AssertNotExistsBean(t, issueBean, "is_closed=1")
 	CheckConsistencyFor(t, &Action{})
 }
 func testCorrectRepoAction(t *testing.T, opts CommitRepoActionOptions, actionBean *Action) {
--- a/models/error.go
+++ b/models/error.go
@@ -90,38 +90,6 @@ func (err ErrUserNotExist) Error() string {
 	return fmt.Sprintf("user does not exist [uid: %d, name: %s, keyid: %d]", err.UID, err.Name, err.KeyID)
 }
 // ErrUserProhibitLogin represents a "ErrUserProhibitLogin" kind of error.
 type ErrUserProhibitLogin struct {
 	UID  int64
 	Name string
 }
 // IsErrUserProhibitLogin checks if an error is a ErrUserProhibitLogin
 func IsErrUserProhibitLogin(err error) bool {
 	_, ok := err.(ErrUserProhibitLogin)
 	return ok
 }
 func (err ErrUserProhibitLogin) Error() string {
 	return fmt.Sprintf("user is not allowed login [uid: %d, name: %s]", err.UID, err.Name)
 }
 // ErrUserInactive represents a "ErrUserInactive" kind of error.
 type ErrUserInactive struct {
 	UID  int64
 	Name string
 }
 // IsErrUserInactive checks if an error is a ErrUserInactive
 func IsErrUserInactive(err error) bool {
 	_, ok := err.(ErrUserInactive)
 	return ok
 }
 func (err ErrUserInactive) Error() string {
 	return fmt.Sprintf("user is inactive [uid: %d, name: %s]", err.UID, err.Name)
 }
 // ErrEmailAlreadyUsed represents a "EmailAlreadyUsed" kind of error.
 type ErrEmailAlreadyUsed struct {
 	Email string
--- a/models/issue.go
+++ b/models/issue.go
@@ -1402,7 +1402,7 @@ func UpdateIssueMentions(e Engine, issueID int64, mentions []string) error {
 		}
 		memberIDs := make([]int64, 0, user.NumMembers)
-		orgUsers, err := getOrgUsersByOrgID(e, user.ID)
+		orgUsers, err := GetOrgUsersByOrgID(user.ID)
 		if err != nil {
 			return fmt.Errorf("GetOrgUsersByOrgID [%d]: %v", user.ID, err)
 		}
--- a/models/issue_assignees.go
+++ b/models/issue_assignees.go
@@ -44,11 +44,7 @@ func (issue *Issue) loadAssignees(e Engine) (err error) {
 // GetAssigneesByIssue returns everyone assigned to that issue
 func GetAssigneesByIssue(issue *Issue) (assignees []*User, err error) {
-	return getAssigneesByIssue(x, issue)
+	err = issue.loadAssignees(x)
 }
 func getAssigneesByIssue(e Engine, issue *Issue) (assignees []*User, err error) {
 	err = issue.loadAssignees(e)
 	if err != nil {
 		return assignees, err
 	}
@@ -177,7 +173,7 @@ func (issue *Issue) changeAssignee(sess *xorm.Session, doer *User, assigneeID in
 		issue.PullRequest.Issue = issue
 		apiPullRequest := &api.PullRequestPayload{
 			Index:       issue.Index,
-			PullRequest: issue.PullRequest.apiFormat(sess),
+			PullRequest: issue.PullRequest.APIFormat(),
 			Repository:  issue.Repo.innerAPIFormat(sess, mode, false),
 			Sender:      doer.APIFormat(),
 		}
--- a/models/issue_comment.go
+++ b/models/issue_comment.go
@@ -748,9 +748,6 @@ func createIssueDependencyComment(e *xorm.Session, doer *User, issue *Issue, dep
 	if !add {
 		cType = CommentTypeRemoveDependency
 	}
 	if err = issue.loadRepo(e); err != nil {
 		return
 	}
 	// Make two comments, one in each issue
 	_, err = createComment(e, &CreateCommentOptions{
--- a/models/issue_dependency_test.go
+++ b/models/issue_dependency_test.go
@@ -19,9 +19,11 @@ func TestCreateIssueDependency(t *testing.T) {
 	issue1, err := GetIssueByID(1)
 	assert.NoError(t, err)
 	issue1.LoadAttributes()
 	issue2, err := GetIssueByID(2)
 	assert.NoError(t, err)
 	issue2.LoadAttributes()
 	// Create a dependency and check if it was successful
 	err = CreateIssueDependency(user1, issue1, issue2)
--- a/models/issue_mail.go
+++ b/models/issue_mail.go
@@ -39,16 +39,16 @@ func mailIssueCommentToParticipants(e Engine, issue *Issue, doer *User, content
 	// In case the issue poster is not watching the repository and is active,
 	// even if we have duplicated in watchers, can be safely filtered out.
-	err = issue.loadPoster(e)
+	poster, err := getUserByID(e, issue.PosterID)
 	if err != nil {
 		return fmt.Errorf("GetUserByID [%d]: %v", issue.PosterID, err)
 	}
-	if issue.PosterID != doer.ID && issue.Poster.IsActive && !issue.Poster.ProhibitLogin {
+	if issue.PosterID != doer.ID && poster.IsActive && !poster.ProhibitLogin {
 		participants = append(participants, issue.Poster)
 	}
 	// Assignees must receive any communications
-	assignees, err := getAssigneesByIssue(e, issue)
+	assignees, err := GetAssigneesByIssue(issue)
 	if err != nil {
 		return err
 	}
@@ -88,10 +88,6 @@ func mailIssueCommentToParticipants(e Engine, issue *Issue, doer *User, content
 		names = append(names, participants[i].Name)
 	}
 	if err := issue.loadRepo(e); err != nil {
 		return err
 	}
 	for _, to := range tos {
 		SendIssueCommentMail(issue, doer, content, comment, []string{to})
 	}
--- a/models/issue_user.go
+++ b/models/issue_user.go
@@ -54,7 +54,7 @@ func newIssueUsers(e Engine, repo *Repository, issue *Issue) error {
 func updateIssueAssignee(e *xorm.Session, issue *Issue, assigneeID int64) (removed bool, err error) {
 	// Check if the user exists
-	assignee, err := getUserByID(e, assigneeID)
+	assignee, err := GetUserByID(assigneeID)
 	if err != nil {
 		return false, err
 	}
--- a/models/login_source.go
+++ b/models/login_source.go
@@ -600,29 +600,16 @@ func ExternalUserLogin(user *User, login, password string, source *LoginSource,
 		return nil, ErrLoginSourceNotActived
 	}
 	var err error
 	switch source.Type {
 	case LoginLDAP, LoginDLDAP:
-		user, err = LoginViaLDAP(user, login, password, source, autoRegister)
+		return LoginViaLDAP(user, login, password, source, autoRegister)
 	case LoginSMTP:
-		user, err = LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*SMTPConfig), autoRegister)
+		return LoginViaSMTP(user, login, password, source.ID, source.Cfg.(*SMTPConfig), autoRegister)
 	case LoginPAM:
-		user, err = LoginViaPAM(user, login, password, source.ID, source.Cfg.(*PAMConfig), autoRegister)
+		return LoginViaPAM(user, login, password, source.ID, source.Cfg.(*PAMConfig), autoRegister)
 	default:
 		return nil, ErrUnsupportedLoginType
 	}
-	if err != nil {
+	return nil, ErrUnsupportedLoginType
 		return nil, err
 	}
 	if !user.IsActive {
 		return nil, ErrUserInactive{user.ID, user.Name}
 	} else if user.ProhibitLogin {
 		return nil, ErrUserProhibitLogin{user.ID, user.Name}
 	}
 	return user, nil
 }
 // UserSignIn validates user name and password.
@@ -657,13 +644,7 @@ func UserSignIn(username, password string) (*User, error) {
 	if hasUser {
 		switch user.LoginType {
 		case LoginNoType, LoginPlain, LoginOAuth2:
-			if user.IsPasswordSet() && user.ValidatePassword(password) {
+			if user.ValidatePassword(password) {
 				if !user.IsActive {
 					return nil, ErrUserInactive{user.ID, user.Name}
 				} else if user.ProhibitLogin {
 					return nil, ErrUserProhibitLogin{user.ID, user.Name}
 				}
 				return user, nil
 			}
--- a/models/org.go
+++ b/models/org.go
@@ -393,12 +393,8 @@ func GetOrgUsersByUserID(uid int64, all bool) ([]*OrgUser, error) {
 // GetOrgUsersByOrgID returns all organization-user relations by organization ID.
 func GetOrgUsersByOrgID(orgID int64) ([]*OrgUser, error) {
 	return getOrgUsersByOrgID(x, orgID)
 }
 func getOrgUsersByOrgID(e Engine, orgID int64) ([]*OrgUser, error) {
 	ous := make([]*OrgUser, 0, 10)
-	err := e.
+	err := x.
 		Where("org_id=?", orgID).
 		Find(&ous)
 	return ous, err
--- a/models/pull.go
+++ b/models/pull.go
@@ -366,7 +366,7 @@ func (pr *PullRequest) Merge(doer *User, baseGitRepo *git.Repository, mergeStyle
 		return fmt.Errorf("Failed to create dir %s: %v", tmpBasePath, err)
 	}
-	defer os.RemoveAll(tmpBasePath)
+	defer os.RemoveAll(path.Dir(tmpBasePath))
 	var stderr string
 	if _, stderr, err = process.GetManager().ExecTimeout(5*time.Minute,
--- a/models/repo.go
+++ b/models/repo.go
@@ -11,7 +11,6 @@ import (
 	"fmt"
 	"html/template"
 	"io/ioutil"
 	"net/url"
 	"os"
 	"os/exec"
 	"path"
@@ -35,8 +34,8 @@ import (
 	"github.com/Unknwon/com"
 	"github.com/go-xorm/builder"
 	"github.com/go-xorm/xorm"
-	version "github.com/mcuadros/go-version"
+	"github.com/mcuadros/go-version"
-	ini "gopkg.in/ini.v1"
+	"gopkg.in/ini.v1"
 )
 var repoWorkingPool = sync.NewExclusivePool()
@@ -825,7 +824,7 @@ type CloneLink struct {
 // ComposeHTTPSCloneURL returns HTTPS clone URL based on given owner and repository name.
 func ComposeHTTPSCloneURL(owner, repo string) string {
-	return fmt.Sprintf("%s%s/%s.git", setting.AppURL, url.QueryEscape(owner), url.QueryEscape(repo))
+	return fmt.Sprintf("%s%s/%s.git", setting.AppURL, owner, repo)
 }
 func (repo *Repository) cloneLink(e Engine, isWiki bool) *CloneLink {
@@ -1346,27 +1345,26 @@ func createRepository(e *xorm.Session, doer, u *User, repo *Repository) (err err
 	if err = watchRepo(e, doer.ID, repo.ID, true); err != nil {
 		return fmt.Errorf("watchRepo: %v", err)
-	} else if err = newRepoAction(e, doer, repo); err != nil {
+	} else if err = newRepoAction(e, u, repo); err != nil {
 		return fmt.Errorf("newRepoAction: %v", err)
 	}
 	return nil
 }
-// CreateRepository creates a repository for the user/organization.
+// CreateRepository creates a repository for the user/organization u.
 func CreateRepository(doer, u *User, opts CreateRepoOptions) (_ *Repository, err error) {
 	if !doer.IsAdmin && !u.CanCreateRepo() {
 		return nil, ErrReachLimitOfRepo{u.MaxRepoCreation}
 	}
 	repo := &Repository{
-		OwnerID:       u.ID,
+		OwnerID:     u.ID,
-		Owner:         u,
+		Owner:       u,
-		Name:          opts.Name,
+		Name:        opts.Name,
-		LowerName:     strings.ToLower(opts.Name),
+		LowerName:   strings.ToLower(opts.Name),
-		Description:   opts.Description,
+		Description: opts.Description,
-		IsPrivate:     opts.IsPrivate,
+		IsPrivate:   opts.IsPrivate,
 		IsFsckEnabled: true,
 	}
 	sess := x.NewSession()
@@ -1743,17 +1741,6 @@ func DeleteRepository(doer *User, uid, repoID int64) error {
 		return ErrRepoNotExist{repoID, uid, "", ""}
 	}
 	// Delete Deploy Keys
 	deployKeys, err := listDeployKeys(sess, repo.ID)
 	if err != nil {
 		return fmt.Errorf("listDeployKeys: %v", err)
 	}
 	for _, dKey := range deployKeys {
 		if err := deleteDeployKey(sess, doer, dKey.ID); err != nil {
 			return fmt.Errorf("deleteDeployKeys: %v", err)
 		}
 	}
 	if cnt, err := sess.ID(repoID).Delete(&Repository{}); err != nil {
 		return err
 	} else if cnt != 1 {
@@ -1785,7 +1772,6 @@ func DeleteRepository(doer *User, uid, repoID int64) error {
 		&Webhook{RepoID: repoID},
 		&HookTask{RepoID: repoID},
 		&Notification{RepoID: repoID},
 		&CommitStatus{RepoID: repoID},
 	); err != nil {
 		return fmt.Errorf("deleteBeans: %v", err)
 	}
@@ -1896,12 +1882,6 @@ func DeleteRepository(doer *User, uid, repoID int64) error {
 	}
 	if err = sess.Commit(); err != nil {
 		if len(deployKeys) > 0 {
 			// We need to rewrite the public keys because the commit failed
 			if err2 := RewriteAllPublicKeys(); err2 != nil {
 				return fmt.Errorf("Commit: %v SSH Keys: %v", err, err2)
 			}
 		}
 		return fmt.Errorf("Commit: %v", err)
 	}
--- a/models/repo_permission.go
+++ b/models/repo_permission.go
@@ -151,15 +151,6 @@ func getUserRepoPermission(e Engine, repo *Repository, user *User) (perm Permiss
 		return
 	}
 	// if user in an owner team
 	for _, team := range teams {
 		if team.Authorize >= AccessModeOwner {
 			perm.AccessMode = AccessModeOwner
 			perm.UnitsMode = nil
 			return
 		}
 	}
 	for _, u := range repo.Units {
 		var found bool
 		for _, team := range teams {
--- a/models/repo_permission_test.go
+++ b/models/repo_permission_test.go
@@ -219,17 +219,6 @@ func TestRepoPermissionPrivateOrgRepo(t *testing.T) {
 		assert.True(t, perm.CanWrite(unit.Type))
 	}
 	// update team information and then check permission
 	team := AssertExistsAndLoadBean(t, &Team{ID: 5}).(*Team)
 	err = UpdateTeamUnits(team, nil)
 	assert.NoError(t, err)
 	perm, err = GetUserRepoPermission(repo, owner)
 	assert.NoError(t, err)
 	for _, unit := range repo.Units {
 		assert.True(t, perm.CanRead(unit.Type))
 		assert.True(t, perm.CanWrite(unit.Type))
 	}
 	// org member team tester
 	tester := AssertExistsAndLoadBean(t, &User{ID: 2}).(*User)
 	perm, err = GetUserRepoPermission(repo, tester)
--- a/models/repo_watch.go
+++ b/models/repo_watch.go
@@ -113,15 +113,15 @@ func notifyWatchers(e Engine, act *Action) error {
 		switch act.OpType {
 		case ActionCommitRepo, ActionPushTag, ActionDeleteTag, ActionDeleteBranch:
-			if !act.Repo.checkUnitUser(e, act.UserID, false, UnitTypeCode) {
+			if !act.Repo.CheckUnitUser(act.UserID, false, UnitTypeCode) {
 				continue
 			}
 		case ActionCreateIssue, ActionCommentIssue, ActionCloseIssue, ActionReopenIssue:
-			if !act.Repo.checkUnitUser(e, act.UserID, false, UnitTypeIssues) {
+			if !act.Repo.CheckUnitUser(act.UserID, false, UnitTypeIssues) {
 				continue
 			}
 		case ActionCreatePullRequest, ActionMergePullRequest, ActionClosePullRequest, ActionReopenPullRequest:
-			if !act.Repo.checkUnitUser(e, act.UserID, false, UnitTypePullRequests) {
+			if !act.Repo.CheckUnitUser(act.UserID, false, UnitTypePullRequests) {
 				continue
 			}
 		}
--- a/models/ssh_key.go
+++ b/models/ssh_key.go
@@ -51,7 +51,7 @@ type PublicKey struct {
 	ID            int64      `xorm:"pk autoincr"`
 	OwnerID       int64      `xorm:"INDEX NOT NULL"`
 	Name          string     `xorm:"NOT NULL"`
-	Fingerprint   string     `xorm:"INDEX NOT NULL"`
+	Fingerprint   string     `xorm:"NOT NULL"`
 	Content       string     `xorm:"TEXT NOT NULL"`
 	Mode          AccessMode `xorm:"NOT NULL DEFAULT 2"`
 	Type          KeyType    `xorm:"NOT NULL DEFAULT 1"`
@@ -350,6 +350,7 @@ func appendAuthorizedKeysToFile(keys ...*PublicKey) error {
 func checkKeyFingerprint(e Engine, fingerprint string) error {
 	has, err := e.Get(&PublicKey{
 		Fingerprint: fingerprint,
 		Type:        KeyTypeUser,
 	})
 	if err != nil {
 		return err
@@ -400,18 +401,12 @@ func AddPublicKey(ownerID int64, name, content string, LoginSourceID int64) (*Pu
 		return nil, err
 	}
-	sess := x.NewSession()
+	if err := checkKeyFingerprint(x, fingerprint); err != nil {
 	defer sess.Close()
 	if err = sess.Begin(); err != nil {
 		return nil, err
 	}
 	if err := checkKeyFingerprint(sess, fingerprint); err != nil {
 		return nil, err
 	}
 	// Key name of same user cannot be duplicated.
-	has, err := sess.
+	has, err := x.
 		Where("owner_id = ? AND name = ?", ownerID, name).
 		Get(new(PublicKey))
 	if err != nil {
@@ -420,6 +415,12 @@ func AddPublicKey(ownerID int64, name, content string, LoginSourceID int64) (*Pu
 		return nil, ErrKeyNameAlreadyUsed{ownerID, name}
 	}
 	sess := x.NewSession()
 	defer sess.Close()
 	if err = sess.Begin(); err != nil {
 		return nil, err
 	}
 	key := &PublicKey{
 		OwnerID:       ownerID,
 		Name:          name,
@@ -518,7 +519,7 @@ func UpdatePublicKeyUpdated(id int64) error {
 }
 // deletePublicKeys does the actual key deletion but does not update authorized_keys file.
-func deletePublicKeys(e Engine, keyIDs ...int64) error {
+func deletePublicKeys(e *xorm.Session, keyIDs ...int64) error {
 	if len(keyIDs) == 0 {
 		return nil
 	}
@@ -727,28 +728,24 @@ func AddDeployKey(repoID int64, name, content string, readOnly bool) (*DeployKey
 		accessMode = AccessModeWrite
 	}
 	pkey := &PublicKey{
 		Fingerprint: fingerprint,
 		Mode:        accessMode,
 		Type:        KeyTypeDeploy,
 	}
 	has, err := x.Get(pkey)
 	if err != nil {
 		return nil, err
 	}
 	sess := x.NewSession()
 	defer sess.Close()
 	if err = sess.Begin(); err != nil {
 		return nil, err
 	}
-	pkey := &PublicKey{
+	// First time use this deploy key.
-		Fingerprint: fingerprint,
+	if !has {
 	}
 	has, err := sess.Get(pkey)
 	if err != nil {
 		return nil, err
 	}
 	if has {
 		if pkey.Type != KeyTypeDeploy {
 			return nil, ErrKeyAlreadyExist{0, fingerprint, ""}
 		}
 	} else {
 		// First time use this deploy key.
 		pkey.Mode = accessMode
 		pkey.Type = KeyTypeDeploy
 		pkey.Content = content
 		pkey.Name = name
 		if err = addKey(sess, pkey); err != nil {
@@ -766,12 +763,8 @@ func AddDeployKey(repoID int64, name, content string, readOnly bool) (*DeployKey
 // GetDeployKeyByID returns deploy key by given ID.
 func GetDeployKeyByID(id int64) (*DeployKey, error) {
 	return getDeployKeyByID(x, id)
 }
 func getDeployKeyByID(e Engine, id int64) (*DeployKey, error) {
 	key := new(DeployKey)
-	has, err := e.ID(id).Get(key)
+	has, err := x.ID(id).Get(key)
 	if err != nil {
 		return nil, err
 	} else if !has {
@@ -782,15 +775,11 @@ func getDeployKeyByID(e Engine, id int64) (*DeployKey, error) {
 // GetDeployKeyByRepo returns deploy key by given public key ID and repository ID.
 func GetDeployKeyByRepo(keyID, repoID int64) (*DeployKey, error) {
 	return getDeployKeyByRepo(x, keyID, repoID)
 }
 func getDeployKeyByRepo(e Engine, keyID, repoID int64) (*DeployKey, error) {
 	key := &DeployKey{
 		KeyID:  keyID,
 		RepoID: repoID,
 	}
-	has, err := e.Get(key)
+	has, err := x.Get(key)
 	if err != nil {
 		return nil, err
 	} else if !has {
@@ -813,19 +802,7 @@ func UpdateDeployKey(key *DeployKey) error {
 // DeleteDeployKey deletes deploy key from its repository authorized_keys file if needed.
 func DeleteDeployKey(doer *User, id int64) error {
-	sess := x.NewSession()
+	key, err := GetDeployKeyByID(id)
 	defer sess.Close()
 	if err := sess.Begin(); err != nil {
 		return err
 	}
 	if err := deleteDeployKey(sess, doer, id); err != nil {
 		return err
 	}
 	return sess.Commit()
 }
 func deleteDeployKey(sess Engine, doer *User, id int64) error {
 	key, err := getDeployKeyByID(sess, id)
 	if err != nil {
 		if IsErrDeployKeyNotExist(err) {
 			return nil
@@ -835,11 +812,11 @@ func deleteDeployKey(sess Engine, doer *User, id int64) error {
 	// Check if user has access to delete this key.
 	if !doer.IsAdmin {
-		repo, err := getRepositoryByID(sess, key.RepoID)
+		repo, err := GetRepositoryByID(key.RepoID)
 		if err != nil {
 			return fmt.Errorf("GetRepositoryByID: %v", err)
 		}
-		has, err := isUserRepoAdmin(sess, repo, doer)
+		has, err := IsUserRepoAdmin(repo, doer)
 		if err != nil {
 			return fmt.Errorf("GetUserRepoPermission: %v", err)
 		} else if !has {
@@ -847,6 +824,12 @@ func deleteDeployKey(sess Engine, doer *User, id int64) error {
 		}
 	}
 	sess := x.NewSession()
 	defer sess.Close()
 	if err = sess.Begin(); err != nil {
 		return err
 	}
 	if _, err = sess.ID(key.ID).Delete(new(DeployKey)); err != nil {
 		return fmt.Errorf("delete deploy key [%d]: %v", key.ID, err)
 	}
@@ -861,24 +844,15 @@ func deleteDeployKey(sess Engine, doer *User, id int64) error {
 		if err = deletePublicKeys(sess, key.KeyID); err != nil {
 			return err
 		}
 		// after deleted the public keys, should rewrite the public keys file
 		if err = rewriteAllPublicKeys(sess); err != nil {
 			return err
 		}
 	}
-	return nil
+	return sess.Commit()
 }
 // ListDeployKeys returns all deploy keys by given repository ID.
 func ListDeployKeys(repoID int64) ([]*DeployKey, error) {
 	return listDeployKeys(x, repoID)
 }
 func listDeployKeys(e Engine, repoID int64) ([]*DeployKey, error) {
 	keys := make([]*DeployKey, 0, 5)
-	return keys, e.
+	return keys, x.
 		Where("repo_id = ?", repoID).
 		Find(&keys)
 }
--- a/models/user.go
+++ b/models/user.go
@@ -1461,12 +1461,9 @@ func synchronizeLdapSSHPublicKeys(usr *User, s *LoginSource, SSHPublicKeys []str
 	// Get Public Keys from LDAP and skip duplicate keys
 	var ldapKeys []string
 	for _, v := range SSHPublicKeys {
-		sshKeySplit := strings.Split(v, " ")
+		ldapKey := strings.Join(strings.Split(v, " ")[:2], " ")
-		if len(sshKeySplit) > 1 {
+		if !util.ExistsInSlice(ldapKey, ldapKeys) {
-			ldapKey := strings.Join(sshKeySplit[:2], " ")
+			ldapKeys = append(ldapKeys, ldapKey)
 			if !util.ExistsInSlice(ldapKey, ldapKeys) {
 				ldapKeys = append(ldapKeys, ldapKey)
 			}
 		}
 	}
--- a/models/user_heatmap.go
+++ b/models/user_heatmap.go
@@ -32,22 +32,12 @@ func GetUserHeatmapDataByUser(user *User) ([]*UserHeatmapData, error) {
 		groupByName = groupBy
 	}
-	sess := x.Select(groupBy+" AS timestamp, count(user_id) as contributions").
+	err := x.Select(groupBy+" AS timestamp, count(user_id) as contributions").
 		Table("action").
 		Where("user_id = ?", user.ID).
-		And("created_unix > ?", (util.TimeStampNow() - 31536000))
+		And("created_unix > ?", (util.TimeStampNow() - 31536000)).
-
+		GroupBy(groupByName).
 	// * Heatmaps for individual users only include actions that the user themself
 	//   did.
 	// * For organizations actions by all users that were made in owned
 	//   repositories are counted.
 	if user.Type == UserTypeIndividual {
 		sess = sess.And("act_user_id = ?", user.ID)
 	}
 	err := sess.GroupBy(groupByName).
 		OrderBy("timestamp").
 		Find(&hdata)
 	return hdata, err
 }
--- a/models/webhook_dingtalk.go
+++ b/models/webhook_dingtalk.go
@@ -230,13 +230,12 @@ func getDingtalkPullRequestPayload(p *api.PullRequestPayload) (*DingtalkPayload,
 		title = fmt.Sprintf("[%s] Pull request edited: #%d %s", p.Repository.FullName, p.Index, p.PullRequest.Title)
 		text = p.PullRequest.Body
 	case api.HookIssueAssigned:
-		list := make([]string, len(p.PullRequest.Assignees))
+		list, err := MakeAssigneeList(&Issue{ID: p.PullRequest.ID})
-		for i, user := range p.PullRequest.Assignees {
+		if err != nil {
-			list[i] = user.UserName
+			return &DingtalkPayload{}, err
 		}
 		title = fmt.Sprintf("[%s] Pull request assigned to %s: #%d %s", p.Repository.FullName,
-			strings.Join(list, ", "),
+			list, p.Index, p.PullRequest.Title)
 			p.Index, p.PullRequest.Title)
 		text = p.PullRequest.Body
 	case api.HookIssueUnassigned:
 		title = fmt.Sprintf("[%s] Pull request unassigned: #%d %s", p.Repository.FullName, p.Index, p.PullRequest.Title)
--- a/models/webhook_discord.go
+++ b/models/webhook_discord.go
@@ -347,13 +347,12 @@ func getDiscordPullRequestPayload(p *api.PullRequestPayload, meta *DiscordMeta)
 		text = p.PullRequest.Body
 		color = warnColor
 	case api.HookIssueAssigned:
-		list := make([]string, len(p.PullRequest.Assignees))
+		list, err := MakeAssigneeList(&Issue{ID: p.PullRequest.ID})
-		for i, user := range p.PullRequest.Assignees {
+		if err != nil {
-			list[i] = user.UserName
+			return &DiscordPayload{}, err
 		}
-		title = fmt.Sprintf("[%s] Pull request assigned to %s: #%d by %s", p.Repository.FullName,
+		title = fmt.Sprintf("[%s] Pull request assigned to %s: #%d %s", p.Repository.FullName,
-			strings.Join(list, ", "),
+			list, p.Index, p.PullRequest.Title)
 			p.Index, p.PullRequest.Title)
 		text = p.PullRequest.Body
 		color = successColor
 	case api.HookIssueUnassigned:
--- a/models/webhook_slack.go
+++ b/models/webhook_slack.go
@@ -160,10 +160,6 @@ func getSlackIssuesPayload(p *api.IssuePayload, slack *SlackMeta) (*SlackPayload
 		text = fmt.Sprintf("[%s] Issue labels cleared: %s by %s", p.Repository.FullName, titleLink, senderLink)
 	case api.HookIssueSynchronized:
 		text = fmt.Sprintf("[%s] Issue synchronized: %s by %s", p.Repository.FullName, titleLink, senderLink)
 	case api.HookIssueMilestoned:
 		text = fmt.Sprintf("[%s] Issue milestoned: #%s %s", p.Repository.FullName, titleLink, senderLink)
 	case api.HookIssueDemilestoned:
 		text = fmt.Sprintf("[%s] Issue milestone cleared: #%s %s", p.Repository.FullName, titleLink, senderLink)
 	}
 	return &SlackPayload{
@@ -301,12 +297,12 @@ func getSlackPullRequestPayload(p *api.PullRequestPayload, slack *SlackMeta) (*S
 		text = fmt.Sprintf("[%s] Pull request edited: %s by %s", p.Repository.FullName, titleLink, senderLink)
 		attachmentText = SlackTextFormatter(p.PullRequest.Body)
 	case api.HookIssueAssigned:
-		list := make([]string, len(p.PullRequest.Assignees))
+		list, err := MakeAssigneeList(&Issue{ID: p.PullRequest.ID})
-		for i, user := range p.PullRequest.Assignees {
+		if err != nil {
-			list[i] = SlackLinkFormatter(setting.AppURL+user.UserName, user.UserName)
+			return &SlackPayload{}, err
 		}
 		text = fmt.Sprintf("[%s] Pull request assigned to %s: %s by %s", p.Repository.FullName,
-			strings.Join(list, ", "),
+			SlackLinkFormatter(setting.AppURL+list, list),
 			titleLink, senderLink)
 	case api.HookIssueUnassigned:
 		text = fmt.Sprintf("[%s] Pull request unassigned: %s by %s", p.Repository.FullName, titleLink, senderLink)
@@ -316,10 +312,6 @@ func getSlackPullRequestPayload(p *api.PullRequestPayload, slack *SlackMeta) (*S
 		text = fmt.Sprintf("[%s] Pull request labels cleared: %s by %s", p.Repository.FullName, titleLink, senderLink)
 	case api.HookIssueSynchronized:
 		text = fmt.Sprintf("[%s] Pull request synchronized: %s by %s", p.Repository.FullName, titleLink, senderLink)
 	case api.HookIssueMilestoned:
 		text = fmt.Sprintf("[%s] Pull request milestoned: #%s %s", p.Repository.FullName, titleLink, senderLink)
 	case api.HookIssueDemilestoned:
 		text = fmt.Sprintf("[%s] Pull request milestone cleared: #%s %s", p.Repository.FullName, titleLink, senderLink)
 	}
 	return &SlackPayload{
--- a/modules/auth/auth.go
+++ b/modules/auth/auth.go
@@ -135,56 +135,15 @@ func SignedInUser(ctx *macaron.Context, sess session.Store) (*models.User, bool)
 	if len(baHead) > 0 {
 		auths := strings.Fields(baHead)
 		if len(auths) == 2 && auths[0] == "Basic" {
 			var u *models.User
 			uname, passwd, _ := base.BasicAuthDecode(auths[1])
-			// Check if username or password is a token
+			u, err := models.UserSignIn(uname, passwd)
-			isUsernameToken := len(passwd) == 0 || passwd == "x-oauth-basic"
+			if err != nil {
-			// Assume username is token
+				if !models.IsErrUserNotExist(err) {
-			authToken := uname
+					log.Error(4, "UserSignIn: %v", err)
-			if !isUsernameToken {
+				}
-				// Assume password is token
+				return nil, false
 				authToken = passwd
 			}
 			token, err := models.GetAccessTokenBySHA(authToken)
 			if err == nil {
 				if isUsernameToken {
 					u, err = models.GetUserByID(token.UID)
 					if err != nil {
 						log.Error(4, "GetUserByID:  %v", err)
 						return nil, false
 					}
 				} else {
 					u, err = models.GetUserByName(uname)
 					if err != nil {
 						log.Error(4, "GetUserByID:  %v", err)
 						return nil, false
 					}
 					if u.ID != token.UID {
 						return nil, false
 					}
 				}
 				token.UpdatedUnix = util.TimeStampNow()
 				if err = models.UpdateAccessToken(token); err != nil {
 					log.Error(4, "UpdateAccessToken:  %v", err)
 				}
 			} else {
 				if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {
 					log.Error(4, "GetAccessTokenBySha: %v", err)
 				}
 			}
 			if u == nil {
 				u, err = models.UserSignIn(uname, passwd)
 				if err != nil {
 					if !models.IsErrUserNotExist(err) {
 						log.Error(4, "UserSignIn: %v", err)
 					}
 					return nil, false
 				}
 			}
 			ctx.Data["IsApiToken"] = true
 			return u, true
 		}
--- a/modules/auth/ldap/ldap.go
+++ b/modules/auth/ldap/ldap.go
@@ -11,9 +11,9 @@ import (
 	"fmt"
 	"strings"
-	"code.gitea.io/gitea/modules/log"
+	"gopkg.in/ldap.v2"
-	ldap "gopkg.in/ldap.v3"
+	"code.gitea.io/gitea/modules/log"
 )
 // SecurityProtocol protocol type
@@ -247,17 +247,11 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
 		return nil
 	}
 	var isAttributeSSHPublicKeySet = len(strings.TrimSpace(ls.AttributeSSHPublicKey)) > 0
 	attribs := []string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail}
 	if isAttributeSSHPublicKeySet {
 		attribs = append(attribs, ls.AttributeSSHPublicKey)
 	}
 	log.Trace("Fetching attributes '%v', '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, ls.AttributeSSHPublicKey, userFilter, userDN)
 	search := ldap.NewSearchRequest(
 		userDN, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,
-		attribs, nil)
+		[]string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, ls.AttributeSSHPublicKey},
 		nil)
 	sr, err := l.Search(search)
 	if err != nil {
@@ -273,15 +267,11 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
 		return nil
 	}
 	var sshPublicKey []string
 	username := sr.Entries[0].GetAttributeValue(ls.AttributeUsername)
 	firstname := sr.Entries[0].GetAttributeValue(ls.AttributeName)
 	surname := sr.Entries[0].GetAttributeValue(ls.AttributeSurname)
 	mail := sr.Entries[0].GetAttributeValue(ls.AttributeMail)
-	if isAttributeSSHPublicKeySet {
+	sshPublicKey := sr.Entries[0].GetAttributeValues(ls.AttributeSSHPublicKey)
 		sshPublicKey = sr.Entries[0].GetAttributeValues(ls.AttributeSSHPublicKey)
 	}
 	isAdmin := checkAdmin(l, ls, userDN)
 	if !directBind && ls.AttributesInBind {
@@ -330,17 +320,11 @@ func (ls *Source) SearchEntries() []*SearchResult {
 	userFilter := fmt.Sprintf(ls.Filter, "*")
 	var isAttributeSSHPublicKeySet = len(strings.TrimSpace(ls.AttributeSSHPublicKey)) > 0
 	attribs := []string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail}
 	if isAttributeSSHPublicKeySet {
 		attribs = append(attribs, ls.AttributeSSHPublicKey)
 	}
 	log.Trace("Fetching attributes '%v', '%v', '%v', '%v', '%v' with filter %s and base %s", ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, ls.AttributeSSHPublicKey, userFilter, ls.UserBase)
 	search := ldap.NewSearchRequest(
 		ls.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false, userFilter,
-		attribs, nil)
+		[]string{ls.AttributeUsername, ls.AttributeName, ls.AttributeSurname, ls.AttributeMail, ls.AttributeSSHPublicKey},
 		nil)
 	var sr *ldap.SearchResult
 	if ls.UsePagedSearch() {
@@ -357,14 +341,12 @@ func (ls *Source) SearchEntries() []*SearchResult {
 	for i, v := range sr.Entries {
 		result[i] = &SearchResult{
-			Username: v.GetAttributeValue(ls.AttributeUsername),
+			Username:     v.GetAttributeValue(ls.AttributeUsername),
-			Name:     v.GetAttributeValue(ls.AttributeName),
+			Name:         v.GetAttributeValue(ls.AttributeName),
-			Surname:  v.GetAttributeValue(ls.AttributeSurname),
+			Surname:      v.GetAttributeValue(ls.AttributeSurname),
-			Mail:     v.GetAttributeValue(ls.AttributeMail),
+			Mail:         v.GetAttributeValue(ls.AttributeMail),
-			IsAdmin:  checkAdmin(l, ls, v.DN),
+			SSHPublicKey: v.GetAttributeValues(ls.AttributeSSHPublicKey),
-		}
+			IsAdmin:      checkAdmin(l, ls, v.DN),
 		if isAttributeSSHPublicKeySet {
 			result[i].SSHPublicKey = v.GetAttributeValues(ls.AttributeSSHPublicKey)
 		}
 	}
--- a/modules/context/auth.go
+++ b/modules/context/auth.go
@@ -8,7 +8,6 @@ import (
 	"net/url"
 	"code.gitea.io/gitea/modules/auth"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/setting"
 	"github.com/go-macaron/csrf"
 	macaron "gopkg.in/macaron.v1"
@@ -33,12 +32,8 @@ func Toggle(options *ToggleOptions) macaron.Handler {
 		// Check prohibit login users.
 		if ctx.IsSigned {
-			if !ctx.User.IsActive && setting.Service.RegisterEmailConfirm {
+
-				ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
+			if ctx.User.ProhibitLogin {
 				ctx.HTML(200, "user/auth/activate")
 				return
 			} else if !ctx.User.IsActive || ctx.User.ProhibitLogin {
 				log.Info("Failed authentication attempt for %s from %s", ctx.User.Name, ctx.RemoteAddr())
 				ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
 				ctx.HTML(200, "user/auth/prohibit_login")
 				return
@@ -47,7 +42,7 @@ func Toggle(options *ToggleOptions) macaron.Handler {
 			// prevent infinite redirection
 			// also make sure that the form cannot be accessed by
 			// users who don't need this
-			if ctx.Req.URL.Path == "/user/settings/change_password" {
+			if ctx.Req.URL.Path == setting.AppSubURL+"/user/settings/change_password" {
 				if !ctx.User.MustChangePassword {
 					ctx.Redirect(setting.AppSubURL + "/")
 				}
--- a/modules/context/context.go
+++ b/modules/context/context.go
@@ -209,7 +209,7 @@ func Contexter() macaron.Handler {
 			if err == nil && len(repo.DefaultBranch) > 0 {
 				branchName = repo.DefaultBranch
 			}
-			prefix := setting.AppURL + path.Join(url.QueryEscape(ownerName), url.QueryEscape(repoName), "src", "branch", branchName)
+			prefix := setting.AppURL + path.Join(ownerName, repoName, "src", "branch", branchName)
 			c.Header().Set("Content-Type", "text/html")
 			c.WriteHeader(http.StatusOK)
 			c.Write([]byte(com.Expand(`<!doctype html>
--- a/modules/context/repo.go
+++ b/modules/context/repo.go
@@ -8,7 +8,6 @@ package context
 import (
 	"fmt"
 	"io/ioutil"
 	"net/url"
 	"path"
 	"strings"
@@ -163,7 +162,7 @@ func RetrieveBaseRepo(ctx *Context, repo *models.Repository) {
 // ComposeGoGetImport returns go-get-import meta content.
 func ComposeGoGetImport(owner, repo string) string {
-	return path.Join(setting.Domain, setting.AppSubURL, url.QueryEscape(owner), url.QueryEscape(repo))
+	return path.Join(setting.Domain, setting.AppSubURL, owner, repo)
 }
 // EarlyResponseForGoGetMeta responses appropriate go-get meta with status 200
--- a/modules/lfs/server.go
+++ b/modules/lfs/server.go
@@ -497,15 +497,12 @@ func authenticate(ctx *context.Context, repository *models.Repository, authoriza
 		accessMode = models.AccessModeWrite
 	}
 	// ctx.IsSigned is unnecessary here, this will be checked in perm.CanAccess
 	perm, err := models.GetUserRepoPermission(repository, ctx.User)
 	if err != nil {
 		return false
 	}
-
+	if ctx.IsSigned {
-	canRead := perm.CanAccess(accessMode, models.UnitTypeCode)
+		return perm.CanAccess(accessMode, models.UnitTypeCode)
 	if canRead {
 		return true
 	}
 	user, repo, opStr, err := parseToken(authorization)
@@ -585,7 +582,7 @@ func parseToken(authorization string) (*models.User, *models.Repository, string,
 		if err != nil {
 			return nil, nil, "basic", err
 		}
-		if !u.IsPasswordSet() || !u.ValidatePassword(password) {
+		if !u.ValidatePassword(password) {
 			return nil, nil, "basic", fmt.Errorf("Basic auth failed")
 		}
 		return u, nil, "basic", nil
--- a/modules/markup/orgmode/orgmode.go
+++ b/modules/markup/orgmode/orgmode.go
@@ -5,7 +5,6 @@
 package markup
 import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/markup"
 	"code.gitea.io/gitea/modules/markup/markdown"
@@ -32,13 +31,7 @@ func (Parser) Extensions() []string {
 }
 // Render renders orgmode rawbytes to HTML
-func Render(rawBytes []byte, urlPrefix string, metas map[string]string, isWiki bool) (result []byte) {
+func Render(rawBytes []byte, urlPrefix string, metas map[string]string, isWiki bool) []byte {
 	defer func() {
 		if err := recover(); err != nil {
 			log.Error(4, "Panic in orgmode.Render: %v Just returning the rawBytes", err)
 			result = rawBytes
 		}
 	}()
 	htmlFlags := blackfriday.HTML_USE_XHTML
 	htmlFlags |= blackfriday.HTML_SKIP_STYLE
 	htmlFlags |= blackfriday.HTML_OMIT_CONTENTS
@@ -47,8 +40,9 @@ func Render(rawBytes []byte, urlPrefix string, metas map[string]string, isWiki b
 		URLPrefix: urlPrefix,
 		IsWiki:    isWiki,
 	}
-	result = goorgeous.Org(rawBytes, renderer)
+
-	return
+	result := goorgeous.Org(rawBytes, renderer)
 	return result
 }
 // RenderString reners orgmode string to HTML string
--- a/modules/private/internal.go
+++ b/modules/private/internal.go
@@ -39,7 +39,6 @@ func decodeJSONError(resp *http.Response) *Response {
 func newInternalRequest(url, method string) *httplib.Request {
 	req := newRequest(url, method).SetTLSClientConfig(&tls.Config{
 		InsecureSkipVerify: true,
 		ServerName:         setting.Domain,
 	})
 	if setting.Protocol == setting.UnixSocket {
 		req.SetTransport(&http.Transport{
--- a/modules/private/key.go
+++ b/modules/private/key.go
@@ -32,31 +32,6 @@ func UpdateDeployKeyUpdated(keyID int64, repoID int64) error {
 	return nil
 }
 // GetDeployKey check if repo has deploy key
 func GetDeployKey(keyID, repoID int64) (*models.DeployKey, error) {
 	reqURL := setting.LocalURL + fmt.Sprintf("api/internal/repositories/%d/keys/%d", repoID, keyID)
 	log.GitLogger.Trace("GetDeployKey: %s", reqURL)
 	resp, err := newInternalRequest(reqURL, "GET").Response()
 	if err != nil {
 		return nil, err
 	}
 	defer resp.Body.Close()
 	switch resp.StatusCode {
 	case 404:
 		return nil, nil
 	case 200:
 		var dKey models.DeployKey
 		if err := json.NewDecoder(resp.Body).Decode(&dKey); err != nil {
 			return nil, err
 		}
 		return &dKey, nil
 	default:
 		return nil, fmt.Errorf("Failed to get deploy key: %s", decodeJSONError(resp).Err)
 	}
 }
 // HasDeployKey check if repo has deploy key
 func HasDeployKey(keyID, repoID int64) (bool, error) {
 	reqURL := setting.LocalURL + fmt.Sprintf("api/internal/repositories/%d/has-keys/%d", repoID, keyID)
--- a/modules/public/public.go
+++ b/modules/public/public.go
@@ -117,7 +117,7 @@ func (opts *Options) handle(ctx *macaron.Context, log *log.Logger, opt *Options)
 	if fi.IsDir() {
 		// Redirect if missing trailing slash.
 		if !strings.HasSuffix(ctx.Req.URL.Path, "/") {
-			http.Redirect(ctx.Resp, ctx.Req.Request, path.Clean(ctx.Req.URL.Path+"/"), http.StatusFound)
+			http.Redirect(ctx.Resp, ctx.Req.Request, ctx.Req.URL.Path+"/", http.StatusFound)
 			return true
 		}
--- a/modules/util/util.go
+++ b/modules/util/util.go
@@ -98,8 +98,3 @@ func Min(a, b int) int {
 	}
 	return a
 }
 // IsEmptyString checks if the provided string is empty
 func IsEmptyString(s string) bool {
 	return len(strings.TrimSpace(s)) == 0
 }
--- a/modules/util/util_test.go
+++ b/modules/util/util_test.go
@@ -77,20 +77,3 @@ func TestIsExternalURL(t *testing.T) {
 		assert.Equal(t, test.Expected, IsExternalURL(test.RawURL))
 	}
 }
 func TestIsEmptyString(t *testing.T) {
 	cases := []struct {
 		s        string
 		expected bool
 	}{
 		{"", true},
 		{" ", true},
 		{"   ", true},
 		{"  a", false},
 	}
 	for _, v := range cases {
 		assert.Equal(t, v.expected, IsEmptyString(v.s))
 	}
 }
--- a/options/locale/locale_en-US.ini
+++ b/options/locale/locale_en-US.ini
@@ -413,7 +413,7 @@ ssh_helper = <strong>Need help?</strong> Have a look at GitHub's guide to <a hre
 gpg_helper = <strong>Need help?</strong> Have a look at GitHub's guide <a href="%s">about GPG</a>.
 add_new_key = Add SSH Key
 add_new_gpg_key = Add GPG Key
-ssh_key_been_used = This SSH key has already been added to the server.
+ssh_key_been_used = This SSH key is already added to your account.
 ssh_key_name_used = An SSH key with same name is already added to your account.
 gpg_key_id_used = A public GPG key with same ID already exists.
 gpg_no_key_email_found = This GPG key is not usable with any email address associated with your account.
@@ -655,7 +655,6 @@ ext_issues.desc = Link to an external issue tracker.
 issues.desc = Organize bug reports, tasks and milestones.
 issues.new = New Issue
 issues.new.title_empty = Title cannot be empty
 issues.new.labels = Labels
 issues.new.no_label = No Label
 issues.new.clear_labels = Clear labels
--- a/options/locale/locale_lv-LV.ini
+++ b/options/locale/locale_lv-LV.ini
@@ -859,7 +859,6 @@ pulls.title_wip_desc=`<a href="#">Sāciet virsrakstu ar <strong>%s</strong></a>,
 pulls.cannot_merge_work_in_progress=Šis izmaiņu pieprasījums ir atzīmēts, ka pie tā vēl notiek izstrāde. Noņemiet <strong>%s</strong> no virsraksta sākuma, kad tas ir pabeigts.
 pulls.data_broken=Izmaiņu pieprasījums ir bojāts, jo dzēsta informācija no atdalītā repozitorija.
 pulls.is_checking=Notiek konfliktu pārbaude, mirkli uzgaidiet un atjaunojiet lapu.
 pulls.blocked_by_approvals=Šim izmaiņu pieprasījumam nav nepieciešamais apstiprinājumu daudzums. %d no %d apstiprinājumi piešķirti.
 pulls.can_auto_merge_desc=Šo izmaiņu pieprasījumu var automātiski sapludināt.
 pulls.cannot_auto_merge_desc=Šis izmaiņu pieprasījums nevar tikt automātiski sapludināts konfliktu dēļ.
 pulls.cannot_auto_merge_helper=Sapludiniet manuāli, lai atrisinātu konfliktus.
@@ -868,7 +867,6 @@ pulls.no_merge_helper=Lai sapludinātu šo izmaiņu pieprasījumu, iespējojiet
 pulls.no_merge_wip=Šo izmaiņu pieprasījumu nav iespējams sapludināt, jo tas ir atzīmēts, ka darbs pie tā vēl nav pabeigts.
 pulls.merge_pull_request=Izmaiņu pieprasījuma sapludināšana
 pulls.rebase_merge_pull_request=Pārbāzēt un sapludināt
 pulls.rebase_merge_commit_pull_request=Pārbāzēt un sapludināt (--no-ff)
 pulls.squash_merge_pull_request=Saspiest un sapludināt
 pulls.invalid_merge_option=Nav iespējams izmantot šādu sapludināšanas veidu šim izmaiņu pieprasījumam.
 pulls.open_unmerged_pull_exists=`Jūs nevarat veikt atkārtotas atvēršanas darbību, jo jau eksistē izmaiņu pieprasījums (#%d) ar šādu sapludināšanas informāciju.`
@@ -1014,7 +1012,6 @@ settings.pulls_desc=Iespējot repozitorija izmaiņu pieprasījumus
 settings.pulls.ignore_whitespace=Pārbaudot konfliktus, ignorēt izmaiņas atstarpēs
 settings.pulls.allow_merge_commits=Iespējot revīziju sapludināšanu
 settings.pulls.allow_rebase_merge=Iespējot pārbāzēšanu sapludinot revīzijas
 settings.pulls.allow_rebase_merge_commit=Iespējot pārbāzēšanu sapludinot revīzijas (--no-ff)
 settings.pulls.allow_squash_commits=Iespējot saspiešanu sapludinot revīzijas
 settings.admin_settings=Administratora iestatījumi
 settings.admin_enable_health_check=Iespējot veselības pārbaudi (git fsck) šim repozitorijam
@@ -1101,7 +1098,6 @@ settings.event_issue_comment_desc=Problēmas komentārs pievienots, labots vai d
 settings.event_release=Laidiens
 settings.event_release_desc=Publicēts, atjaunots vai dzēsts laidiens repozitorijā.
 settings.event_pull_request=Izmaiņu pieprasījums
 settings.event_pull_request_desc=Izmaiņu pieprasījums izveidots, slēgts, atkārtoti atvērts, labots, apstiprināts, noraidīts, recenzēts, piešķirts, pievienots vai noņemts atbildīgais, pievienota etiķete, noņemta etiķete, pievienots vai noņemts atskaites punkts.
 settings.event_push=Izmaiņu nosūtīšana
 settings.event_push_desc=Git izmaiņu nosūtīšana uz repozitoriju.
 settings.event_repository=Repozitorijs
@@ -1152,10 +1148,6 @@ settings.protect_merge_whitelist_committers=Iespējot sapludināšanas ierobežo
 settings.protect_merge_whitelist_committers_desc=Atļaut tikai noteiktiem lietotājiem vai komandām sapludināt izmaiņu pieprasījumus šajā atzarā.
 settings.protect_merge_whitelist_users=Lietotāji, kas var veikt izmaiņu sapludināšanu:
 settings.protect_merge_whitelist_teams=Komandas, kas var veikt izmaiņu sapludināšanu:
 settings.protect_required_approvals=Vajadzīgi apstiprinājumi:
 settings.protect_required_approvals_desc=Atļaut tikai noteiktiem lietotājiem vai komandām sapludināt izmaiņu pieprasījumu, kam veikts noteikts daudzums pozitīvu recenziju.
 settings.protect_approvals_whitelist_users=Lietotāji, kas var veikt recenzijas:
 settings.protect_approvals_whitelist_teams=Komandas, kas var veikt recenzijas:
 settings.add_protected_branch=Iespējot aizsargāšanu
 settings.delete_protected_branch=Atspējot aizsargāšanu
 settings.update_protect_branch_success=Atzara aizsardzība atzaram '%s' tika saglabāta.
@@ -1166,7 +1158,6 @@ settings.default_branch_desc=Norādiet noklusēto repozitorija atzaru izmaiņu p
 settings.choose_branch=Izvēlieties atzaru…
 settings.no_protected_branch=Nav neviena aizsargātā atzara.
 settings.edit_protected_branch=Labot
 settings.protected_branch_required_approvals_min=Pieprasīto recenziju skaits nevar būt negatīvs.
 diff.browse_source=Pārlūkot izejas kodu
 diff.parent=vecāks
--- a/public/js/index.js
+++ b/public/js/index.js
@@ -7,115 +7,6 @@ function htmlEncode(text) {
 var csrf;
 var suburl;
 // Polyfill for IE9+ support (https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/from)
 if (!Array.from) {
    Array.from = (function () {
        var toStr = Object.prototype.toString;
        var isCallable = function (fn) {
            return typeof fn === 'function' || toStr.call(fn) === '[object Function]';
        };
        var toInteger = function (value) {
            var number = Number(value);
            if (isNaN(number)) { return 0; }
            if (number === 0 || !isFinite(number)) { return number; }
            return (number > 0 ? 1 : -1) * Math.floor(Math.abs(number));
        };
        var maxSafeInteger = Math.pow(2, 53) - 1;
        var toLength = function (value) {
            var len = toInteger(value);
            return Math.min(Math.max(len, 0), maxSafeInteger);
        };
        // The length property of the from method is 1.
        return function from(arrayLike/*, mapFn, thisArg */) {
            // 1. Let C be the this value.
            var C = this;
            // 2. Let items be ToObject(arrayLike).
            var items = Object(arrayLike);
            // 3. ReturnIfAbrupt(items).
            if (arrayLike == null) {
                throw new TypeError("Array.from requires an array-like object - not null or undefined");
            }
            // 4. If mapfn is undefined, then let mapping be false.
            var mapFn = arguments.length > 1 ? arguments[1] : void undefined;
            var T;
            if (typeof mapFn !== 'undefined') {
                // 5. else
                // 5. a If IsCallable(mapfn) is false, throw a TypeError exception.
                if (!isCallable(mapFn)) {
                    throw new TypeError('Array.from: when provided, the second argument must be a function');
                }
                // 5. b. If thisArg was supplied, let T be thisArg; else let T be undefined.
                if (arguments.length > 2) {
                    T = arguments[2];
                }
            }
            // 10. Let lenValue be Get(items, "length").
            // 11. Let len be ToLength(lenValue).
            var len = toLength(items.length);
            // 13. If IsConstructor(C) is true, then
            // 13. a. Let A be the result of calling the [[Construct]] internal method of C with an argument list containing the single item len.
            // 14. a. Else, Let A be ArrayCreate(len).
            var A = isCallable(C) ? Object(new C(len)) : new Array(len);
            // 16. Let k be 0.
            var k = 0;
            // 17. Repeat, while k < len… (also steps a - h)
            var kValue;
            while (k < len) {
                kValue = items[k];
                if (mapFn) {
                    A[k] = typeof T === 'undefined' ? mapFn(kValue, k) : mapFn.call(T, kValue, k);
                } else {
                    A[k] = kValue;
                }
                k += 1;
            }
            // 18. Let putStatus be Put(A, "length", len, true).
            A.length = len;
            // 20. Return A.
            return A;
        };
    }());
 }
 // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/assign
 if (typeof Object.assign != 'function') {
    // Must be writable: true, enumerable: false, configurable: true
    Object.defineProperty(Object, "assign", {
        value: function assign(target, varArgs) { // .length of function is 2
            'use strict';
            if (target == null) { // TypeError if undefined or null
                throw new TypeError('Cannot convert undefined or null to object');
            }
            var to = Object(target);
            for (var index = 1; index < arguments.length; index++) {
                var nextSource = arguments[index];
                if (nextSource != null) { // Skip over if undefined or null
                    for (var nextKey in nextSource) {
                        // Avoid bugs when hasOwnProperty is shadowed
                        if (Object.prototype.hasOwnProperty.call(nextSource, nextKey)) {
                            to[nextKey] = nextSource[nextKey];
                        }
                    }
                }
            }
            return to;
        },
        writable: true,
        configurable: true
    });
 }
 function initCommentPreviewTab($form) {
    var $tabMenu = $form.find('.tabular.menu');
    $tabMenu.find('.item').tab();
@@ -2457,6 +2348,7 @@ function initHeatmap(appElementId, heatmapUser, locale) {
                this.getColor(4),
                this.getColor(5)
            ];
            console.log(this.colorRange);
            this.endDate = new Date();
            this.loadHeatmap(this.user);
        },
--- a/public/vendor/librejs.html
+++ b/public/vendor/librejs.html
@@ -48,7 +48,7 @@
        <tr>
          <td><a href="./plugins/vue/vue.min.js">vue.min.js</a></td>
          <td><a href="https://github.com/vuejs/vue/blob/dev/LICENSE">Expat</a></td>
-          <td><a href="https://github.com/vuejs/vue/archive/v2.6.6.tar.gz">vue.js-v2.6.6.tar.gz</a></td>
+          <td><a href="https://github.com/vuejs/vue/archive/v2.1.10.tar.gz">vue.js-v2.1.10.tar.gz</a></td>
        </tr>
        <tr>
          <td><a href="./plugins/emojify/emojify.min.js">emojify.min.js</a></td>
@@ -136,7 +136,7 @@
          <td><a href="https://github.com/swagger-api/swagger-ui/archive/v3.0.4.tar.gz">swagger-ui-v3.0.4.tar.gz</a></td>
        </tr>
        <tr>
-          <td><a href="./plugins/vue-calendar-heatmap/">vue-calendar-heatmap</a></td>
+          <td><a href="./plugins/vue-calendar-heatmap">vue-calendar-heatmap</a></td>
          <td><a href="https://github.com/WildCodeSchool/vue-calendar-heatmap/blob/master/README.md">MIT</a></td>
          <td><a href="https://github.com/WildCodeSchool/vue-calendar-heatmap/archive/master.zip">7f48b20.zip</a></td>
        </tr>
@@ -145,11 +145,6 @@
          <td><a href="https://github.com/moment/moment/blob/develop/LICENSE">MIT</a></td>
          <td><a href="https://github.com/moment/moment/archive/2.22.2.tar.gz">0.4.1.tar.gz</a></td>
        </tr>
        <tr>
          <td><a href="./plugins/es6-promise/">es6-promise</a></td>
          <td><a href="https://github.com/stefanpenner/es6-promise/blob/master/LICENSE">MIT</a></td>
          <td><a href="https://github.com/stefanpenner/es6-promise/archive/v4.2.6.tar.gz">4.2.6.tar.gz</a></td>
        </tr>
      </tbody>
    </table>
  </body>
--- a/public/vendor/plugins/es6-promise/es6-promise.auto.min.js
+++ b/public/vendor/plugins/es6-promise/es6-promise.auto.min.js
--- a/public/vendor/plugins/vue/vue.min.js
+++ b/public/vendor/plugins/vue/vue.min.js
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -85,7 +85,7 @@ func sudo() macaron.Handler {
 		}
 		if len(sudo) > 0 {
-			if ctx.IsSigned && ctx.User.IsAdmin {
+			if ctx.User.IsAdmin {
 				user, err := models.GetUserByName(sudo)
 				if err != nil {
 					if models.IsErrUserNotExist(err) {
--- a/routers/api/v1/repo/issue.go
+++ b/routers/api/v1/repo/issue.go
@@ -129,7 +129,7 @@ func GetIssue(ctx *context.APIContext) {
 	// responses:
 	//   "200":
 	//     "$ref": "#/responses/Issue"
-	issue, err := models.GetIssueWithAttrsByIndex(ctx.Repo.Repository.ID, ctx.ParamsInt64(":index"))
+	issue, err := models.GetIssueByIndex(ctx.Repo.Repository.ID, ctx.ParamsInt64(":index"))
 	if err != nil {
 		if models.IsErrIssueNotExist(err) {
 			ctx.Status(404)
--- a/routers/api/v1/repo/issue_label.go
+++ b/routers/api/v1/repo/issue_label.go
@@ -51,11 +51,6 @@ func ListIssueLabels(ctx *context.APIContext) {
 		return
 	}
 	if err := issue.LoadAttributes(); err != nil {
 		ctx.Error(500, "LoadAttributes", err)
 		return
 	}
 	apiLabels := make([]*api.Label, len(issue.Labels))
 	for i := range issue.Labels {
 		apiLabels[i] = issue.Labels[i].APIFormat()
--- a/routers/api/v1/repo/key.go
+++ b/routers/api/v1/repo/key.go
@@ -159,8 +159,6 @@ func HandleCheckKeyStringError(ctx *context.APIContext, err error) {
 // HandleAddKeyError handle add key error
 func HandleAddKeyError(ctx *context.APIContext, err error) {
 	switch {
 	case models.IsErrDeployKeyAlreadyExist(err):
 		ctx.Error(422, "", "This key has already been added to this repository")
 	case models.IsErrKeyAlreadyExist(err):
 		ctx.Error(422, "", "Key content has been used as non-deploy key")
 	case models.IsErrKeyNameAlreadyUsed(err):
--- a/routers/api/v1/repo/pull.go
+++ b/routers/api/v1/repo/pull.go
@@ -668,8 +668,8 @@ func parseCompareInfo(ctx *context.APIContext, form api.CreatePullRequestOption)
 		ctx.ServerError("GetUserRepoPermission", err)
 		return nil, nil, nil, nil, "", ""
 	}
-	if !perm.CanReadIssuesOrPulls(true) {
+	if !perm.CanWrite(models.UnitTypeCode) {
-		log.Trace("ParseCompareInfo[%d]: cannot create/read pull requests", baseRepo.ID)
+		log.Trace("ParseCompareInfo[%d]: does not have write access or site admin", baseRepo.ID)
 		ctx.Status(404)
 		return nil, nil, nil, nil, "", ""
 	}
--- a/routers/api/v1/repo/repo.go
+++ b/routers/api/v1/repo/repo.go
@@ -400,11 +400,6 @@ func Migrate(ctx *context.APIContext, form auth.MigrateRepoForm) {
 		RemoteAddr:  remoteAddr,
 	})
 	if err != nil {
 		if models.IsErrRepoAlreadyExist(err) {
 			ctx.Error(409, "", "The repository with the same name already exists.")
 			return
 		}
 		err = util.URLSanitizedError(err, remoteAddr)
 		if repo != nil {
 			if errDelete := models.DeleteRepository(ctx.User, ctxUser.ID, repo.ID); errDelete != nil {
--- a/routers/api/v1/repo/tree.go
+++ b/routers/api/v1/repo/tree.go
@@ -16,30 +16,6 @@ import (
 // GetTree get the tree of a repository.
 func GetTree(ctx *context.APIContext) {
 	// swagger:operation GET /repos/{owner}/{repo}/git/trees/{sha} repository GetTree
 	// ---
 	// summary: Gets the tree of a repository.
 	// produces:
 	// - application/json
 	// parameters:
 	// - name: owner
 	//   in: path
 	//   description: owner of the repo
 	//   type: string
 	//   required: true
 	// - name: repo
 	//   in: path
 	//   description: name of the repo
 	//   type: string
 	//   required: true
 	// - name: sha
 	//   in: path
 	//   description: sha of the commit
 	//   type: string
 	//   required: true
 	// responses:
 	//   "200":
 	//     "$ref": "#/responses/GitTreeResponse"
 	sha := ctx.Params("sha")
 	if len(sha) == 0 {
 		ctx.Error(400, "sha not provided", nil)
--- a/routers/api/v1/swagger/repo.go
+++ b/routers/api/v1/swagger/repo.go
@@ -133,10 +133,3 @@ type swaggerResponseAttachment struct {
 	//in: body
 	Body api.Attachment `json:"body"`
 }
 // GitTreeResponse
 // swagger:response GitTreeResponse
 type swaggerGitTreeResponse struct {
 	//in: body
 	Body api.GitTreeResponse `json:"body"`
 }
--- a/routers/home.go
+++ b/routers/home.go
@@ -11,7 +11,6 @@ import (
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/base"
 	"code.gitea.io/gitea/modules/context"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/search"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
@@ -39,10 +38,6 @@ func Home(ctx *context.Context) {
 		if !ctx.User.IsActive && setting.Service.RegisterEmailConfirm {
 			ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
 			ctx.HTML(200, user.TplActivate)
 		} else if !ctx.User.IsActive || ctx.User.ProhibitLogin {
 			log.Info("Failed authentication attempt for %s from %s", ctx.User.Name, ctx.RemoteAddr())
 			ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
 			ctx.HTML(200, "user/auth/prohibit_login")
 		} else {
 			user.Dashboard(ctx)
 		}
--- a/routers/metrics.go
+++ b/routers/metrics.go
@@ -17,7 +17,7 @@ func Metrics(ctx *context.Context) {
 		promhttp.Handler().ServeHTTP(ctx.Resp, ctx.Req.Request)
 		return
 	}
-	header := ctx.Req.Header.Get("Authorization")
+	header := ctx.Header().Get("Authorization")
 	if header == "" {
 		ctx.Error(401)
 		return
--- a/routers/org/teams.go
+++ b/routers/org/teams.go
@@ -288,6 +288,8 @@ func EditTeamPost(ctx *context.Context, form auth.CreateTeamForm) {
 			})
 		}
 		models.UpdateTeamUnits(t, units)
 	} else {
 		models.UpdateTeamUnits(t, nil)
 	}
 	if ctx.HasError() {
--- a/routers/private/internal.go
+++ b/routers/private/internal.go
@@ -82,7 +82,6 @@ func RegisterRoutes(m *macaron.Macaron) {
 		m.Post("/repositories/:repoid/keys/:keyid/update", UpdateDeployKey)
 		m.Get("/repositories/:repoid/user/:userid/checkunituser", CheckUnitUser)
 		m.Get("/repositories/:repoid/has-keys/:keyid", HasDeployKey)
 		m.Get("/repositories/:repoid/keys/:keyid", GetDeployKey)
 		m.Get("/repositories/:repoid/wiki/init", InitWiki)
 		m.Post("/push/update", PushUpdate)
 		m.Get("/protectedbranch/:pbid/:userid", CanUserPush)
--- a/routers/private/key.go
+++ b/routers/private/key.go
@@ -72,24 +72,6 @@ func GetUserByKeyID(ctx *macaron.Context) {
 	ctx.JSON(200, user)
 }
 //GetDeployKey chainload to models.GetDeployKey
 func GetDeployKey(ctx *macaron.Context) {
 	repoID := ctx.ParamsInt64(":repoid")
 	keyID := ctx.ParamsInt64(":keyid")
 	dKey, err := models.GetDeployKeyByRepo(keyID, repoID)
 	if err != nil {
 		if models.IsErrDeployKeyNotExist(err) {
 			ctx.JSON(404, []byte("not found"))
 			return
 		}
 		ctx.JSON(500, map[string]interface{}{
 			"err": err.Error(),
 		})
 		return
 	}
 	ctx.JSON(200, dKey)
 }
 //HasDeployKey chainload to models.HasDeployKey
 func HasDeployKey(ctx *macaron.Context) {
 	repoID := ctx.ParamsInt64(":repoid")
--- a/routers/repo/commit.go
+++ b/routers/repo/commit.go
@@ -201,7 +201,7 @@ func Diff(ctx *context.Context) {
 		commitID = commit.ID.String()
 	}
-	statuses, err := models.GetLatestCommitStatus(ctx.Repo.Repository, commitID, 0)
+	statuses, err := models.GetLatestCommitStatus(ctx.Repo.Repository, ctx.Repo.Commit.ID.String(), 0)
 	if err != nil {
 		log.Error(3, "GetLatestCommitStatus: %v", err)
 	}
--- a/routers/repo/editor.go
+++ b/routers/repo/editor.go
@@ -163,11 +163,7 @@ func editFilePost(ctx *context.Context, form auth.EditRepoFileForm, isNewFile bo
 		branchName = form.NewBranchName
 	}
-	form.TreePath = cleanUploadFileName(form.TreePath)
+	form.TreePath = strings.Trim(path.Clean("/"+form.TreePath), " /")
 	if len(form.TreePath) == 0 {
 		ctx.Error(500, "Upload file name is invalid")
 		return
 	}
 	treeNames, treePaths := getParentTreeFields(form.TreePath)
 	ctx.Data["TreePath"] = form.TreePath
@@ -377,13 +373,6 @@ func DeleteFile(ctx *context.Context) {
 func DeleteFilePost(ctx *context.Context, form auth.DeleteRepoFileForm) {
 	ctx.Data["PageIsDelete"] = true
 	ctx.Data["BranchLink"] = ctx.Repo.RepoLink + "/src/" + ctx.Repo.BranchNameSubURL()
 	ctx.Repo.TreePath = cleanUploadFileName(ctx.Repo.TreePath)
 	if len(ctx.Repo.TreePath) == 0 {
 		ctx.Error(500, "Delete file name is invalid")
 		return
 	}
 	ctx.Data["TreePath"] = ctx.Repo.TreePath
 	canCommit := renderCommitRights(ctx)
@@ -488,12 +477,7 @@ func UploadFilePost(ctx *context.Context, form auth.UploadRepoFileForm) {
 		branchName = form.NewBranchName
 	}
-	form.TreePath = cleanUploadFileName(form.TreePath)
+	form.TreePath = strings.Trim(path.Clean("/"+form.TreePath), " /")
 	if len(form.TreePath) == 0 {
 		ctx.Error(500, "Upload file name is invalid")
 		return
 	}
 	treeNames, treePaths := getParentTreeFields(form.TreePath)
 	if len(treeNames) == 0 {
 		// We must at least have one element for user to input.
--- a/routers/repo/http.go
+++ b/routers/repo/http.go
@@ -113,24 +113,24 @@ func HTTP(ctx *context.Context) {
 				return
 			}
-			// Check if username or password is a token
+			authUser, err = models.UserSignIn(authUsername, authPasswd)
-			isUsernameToken := len(authPasswd) == 0 || authPasswd == "x-oauth-basic"
+			if err != nil {
-			// Assume username is token
+				if !models.IsErrUserNotExist(err) {
-			authToken := authUsername
+					ctx.ServerError("UserSignIn error: %v", err)
-			if !isUsernameToken {
+					return
-				// Assume password is token
+				}
 				authToken = authPasswd
 			}
-			// Assume password is a token.
+
-			token, err := models.GetAccessTokenBySHA(authToken)
+			if authUser == nil {
-			if err == nil {
+				isUsernameToken := len(authPasswd) == 0 || authPasswd == "x-oauth-basic"
-				if isUsernameToken {
+
-					authUser, err = models.GetUserByID(token.UID)
+				// Assume username is token
-					if err != nil {
+				authToken := authUsername
-						ctx.ServerError("GetUserByID", err)
+
-						return
+				if !isUsernameToken {
-					}
+					// Assume password is token
-				} else {
+					authToken = authPasswd
 					authUser, err = models.GetUserByName(authUsername)
 					if err != nil {
 						if models.IsErrUserNotExist(err) {
@@ -140,37 +140,37 @@ func HTTP(ctx *context.Context) {
 						}
 						return
 					}
-					if authUser.ID != token.UID {
+				}
 				// Assume password is a token.
 				token, err := models.GetAccessTokenBySHA(authToken)
 				if err != nil {
 					if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) {
 						ctx.HandleText(http.StatusUnauthorized, "invalid credentials")
 					} else {
 						ctx.ServerError("GetAccessTokenBySha", err)
 					}
 					return
 				}
 				if isUsernameToken {
 					authUser, err = models.GetUserByID(token.UID)
 					if err != nil {
 						ctx.ServerError("GetUserByID", err)
 						return
 					}
 				} else if authUser.ID != token.UID {
 					ctx.HandleText(http.StatusUnauthorized, "invalid credentials")
 					return
 				}
 				token.UpdatedUnix = util.TimeStampNow()
 				if err = models.UpdateAccessToken(token); err != nil {
 					ctx.ServerError("UpdateAccessToken", err)
 				}
 			} else {
 				if !models.IsErrAccessTokenNotExist(err) && !models.IsErrAccessTokenEmpty(err) {
 					log.Error(4, "GetAccessTokenBySha: %v", err)
 				}
 			}
 			if authUser == nil {
 				// Check username and password
 				authUser, err = models.UserSignIn(authUsername, authPasswd)
 				if err != nil {
 					if !models.IsErrUserNotExist(err) {
 						ctx.ServerError("UserSignIn error: %v", err)
 						return
 					}
 				}
 				if authUser == nil {
 					ctx.HandleText(http.StatusUnauthorized, "invalid credentials")
 					return
 				}
 				_, err = models.GetTwoFactorByUID(authUser.ID)
 				if err == nil {
 					// TODO: This response should be changed to "invalid credentials" for security reasons once the expectation behind it (creating an app token to authenticate) is properly documented
 					ctx.HandleText(http.StatusUnauthorized, "Users with two-factor authentication enabled cannot perform HTTP/HTTPS operations via plain username and password. Please create and use a personal access token on the user settings page")
--- a/routers/repo/issue.go
+++ b/routers/repo/issue.go
@@ -355,7 +355,7 @@ func setTemplateIfExists(ctx *context.Context, ctxDataKey string, possibleFiles
 	}
 }
-// NewIssue render creating issue page
+// NewIssue render createing issue page
 func NewIssue(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("repo.issues.new")
 	ctx.Data["PageIsIssueList"] = true
@@ -494,11 +494,6 @@ func NewIssuePost(ctx *context.Context, form auth.CreateIssueForm) {
 		return
 	}
 	if util.IsEmptyString(form.Title) {
 		ctx.RenderWithErr(ctx.Tr("repo.issues.new.title_empty"), tplIssueNew, form)
 		return
 	}
 	issue := &models.Issue{
 		RepoID:      repo.ID,
 		Title:       form.Title,
--- a/routers/repo/pull.go
+++ b/routers/repo/pull.go
@@ -22,7 +22,6 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/notification"
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/util"
 	"github.com/Unknwon/com"
 )
@@ -684,8 +683,8 @@ func ParseCompareInfo(ctx *context.Context) (*models.User, *models.Repository, *
 		ctx.ServerError("GetUserRepoPermission", err)
 		return nil, nil, nil, nil, "", ""
 	}
-	if !perm.CanReadIssuesOrPulls(true) {
+	if !perm.CanWrite(models.UnitTypeCode) {
-		log.Trace("ParseCompareInfo[%d]: cannot create/read pull requests", baseRepo.ID)
+		log.Trace("ParseCompareInfo[%d]: does not have write access or site admin", baseRepo.ID)
 		ctx.NotFound("ParseCompareInfo", nil)
 		return nil, nil, nil, nil, "", ""
 	}
@@ -861,16 +860,6 @@ func CompareAndPullRequestPost(ctx *context.Context, form auth.CreateIssueForm)
 		return
 	}
 	if util.IsEmptyString(form.Title) {
 		PrepareCompareDiff(ctx, headUser, headRepo, headGitRepo, prInfo, baseBranch, headBranch)
 		if ctx.Written() {
 			return
 		}
 		ctx.RenderWithErr(ctx.Tr("repo.issues.new.title_empty"), tplComparePull, form)
 		return
 	}
 	patch, err := headGitRepo.GetPatch(prInfo.MergeBase, headBranch)
 	if err != nil {
 		ctx.ServerError("GetPatch", err)
--- a/routers/repo/repo.go
+++ b/routers/repo/repo.go
@@ -256,11 +256,6 @@ func MigratePost(ctx *context.Context, form auth.MigrateRepoForm) {
 		return
 	}
 	if models.IsErrRepoAlreadyExist(err) {
 		ctx.RenderWithErr(ctx.Tr("form.repo_name_been_taken"), tplMigrate, &form)
 		return
 	}
 	// remoteAddr may contain credentials, so we sanitize it
 	err = util.URLSanitizedError(err, remoteAddr)
--- a/routers/repo/setting.go
+++ b/routers/repo/setting.go
@@ -6,7 +6,6 @@
 package repo
 import (
 	"errors"
 	"strings"
 	"time"
@@ -37,7 +36,6 @@ const (
 func Settings(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("repo.settings")
 	ctx.Data["PageIsSettingsOptions"] = true
 	ctx.Data["ForcePrivate"] = setting.Repository.ForcePrivate
 	ctx.HTML(200, tplSettingsOptions)
 }
@@ -96,12 +94,6 @@ func SettingsPost(ctx *context.Context, form auth.RepoSettingForm) {
 		}
 		visibilityChanged := repo.IsPrivate != form.Private
 		// when ForcePrivate enabled, you could change public repo to private, but could not change private to public
 		if visibilityChanged && setting.Repository.ForcePrivate && !form.Private {
 			ctx.ServerError("Force Private enabled", errors.New("cannot change private repository to public"))
 			return
 		}
 		repo.IsPrivate = form.Private
 		if err := models.UpdateRepository(repo, visibilityChanged); err != nil {
 			ctx.ServerError("UpdateRepository", err)
@@ -589,9 +581,6 @@ func DeployKeysPost(ctx *context.Context, form auth.AddKeyForm) {
 		case models.IsErrDeployKeyAlreadyExist(err):
 			ctx.Data["Err_Content"] = true
 			ctx.RenderWithErr(ctx.Tr("repo.settings.key_been_used"), tplDeployKeys, &form)
 		case models.IsErrKeyAlreadyExist(err):
 			ctx.Data["Err_Content"] = true
 			ctx.RenderWithErr(ctx.Tr("settings.ssh_key_been_used"), tplDeployKeys, &form)
 		case models.IsErrKeyNameAlreadyUsed(err):
 			ctx.Data["Err_Title"] = true
 			ctx.RenderWithErr(ctx.Tr("repo.settings.key_name_used"), tplDeployKeys, &form)
--- a/routers/repo/wiki.go
+++ b/routers/repo/wiki.go
@@ -341,11 +341,6 @@ func NewWikiPost(ctx *context.Context, form auth.NewWikiForm) {
 		return
 	}
 	if util.IsEmptyString(form.Title) {
 		ctx.RenderWithErr(ctx.Tr("repo.issues.new.title_empty"), tplWikiNew, form)
 		return
 	}
 	wikiName := models.NormalizeWikiName(form.Title)
 	if err := ctx.Repo.Repository.AddWikiPage(ctx.User, wikiName, form.Content, form.Message); err != nil {
 		if models.IsErrWikiReservedName(err) {
--- a/routers/routes/routes.go
+++ b/routers/routes/routes.go
@@ -106,7 +106,7 @@ func NewMacaron() *macaron.Macaron {
 		Langs:       setting.Langs,
 		Names:       setting.Names,
 		DefaultLang: "en-US",
-		Redirect:    false,
+		Redirect:    true,
 	}))
 	m.Use(cache.Cacher(cache.Options{
 		Adapter:       setting.CacheService.Adapter,
@@ -643,7 +643,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 			}
 			ctx.Data["CommitsCount"] = ctx.Repo.CommitsCount
 		})
-	}, ignSignIn, context.RepoAssignment(), context.UnitTypes(), reqRepoReleaseReader)
+	}, context.RepoAssignment(), context.UnitTypes(), reqRepoReleaseReader)
 	m.Group("/:username/:reponame", func() {
 		m.Post("/topics", repo.TopicsPost)
--- a/routers/user/auth.go
+++ b/routers/user/auth.go
@@ -161,19 +161,6 @@ func SignInPost(ctx *context.Context, form auth.SignInForm) {
 		} else if models.IsErrEmailAlreadyUsed(err) {
 			ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplSignIn, &form)
 			log.Info("Failed authentication attempt for %s from %s", form.UserName, ctx.RemoteAddr())
 		} else if models.IsErrUserProhibitLogin(err) {
 			log.Info("Failed authentication attempt for %s from %s", form.UserName, ctx.RemoteAddr())
 			ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
 			ctx.HTML(200, "user/auth/prohibit_login")
 		} else if models.IsErrUserInactive(err) {
 			if setting.Service.RegisterEmailConfirm {
 				ctx.Data["Title"] = ctx.Tr("auth.active_your_account")
 				ctx.HTML(200, TplActivate)
 			} else {
 				log.Info("Failed authentication attempt for %s from %s", form.UserName, ctx.RemoteAddr())
 				ctx.Data["Title"] = ctx.Tr("auth.prohibit_login")
 				ctx.HTML(200, "user/auth/prohibit_login")
 			}
 		} else {
 			ctx.ServerError("UserSignIn", err)
 		}
--- a/routers/user/auth_openid.go
+++ b/routers/user/auth_openid.go
@@ -115,8 +115,7 @@ func SignInOpenIDPost(ctx *context.Context, form auth.SignInOpenIDForm) {
 	redirectTo := setting.AppURL + "user/login/openid"
 	url, err := openid.RedirectURL(id, redirectTo, setting.AppURL)
 	if err != nil {
-		log.Error(1, "Error in OpenID redirect URL: %s, %v", redirectTo, err.Error())
+		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &form)
 		ctx.RenderWithErr(fmt.Sprintf("Unable to find OpenID provider in %s", redirectTo), tplSignInOpenID, &form)
 		return
 	}
--- a/routers/user/setting/security.go
+++ b/routers/user/setting/security.go
@@ -34,15 +34,10 @@ func Security(ctx *context.Context) {
 // DeleteAccountLink delete a single account link
 func DeleteAccountLink(ctx *context.Context) {
-	id := ctx.QueryInt64("id")
+	if _, err := models.RemoveAccountLink(ctx.User, ctx.QueryInt64("loginSourceID")); err != nil {
-	if id <= 0 {
+		ctx.Flash.Error("RemoveAccountLink: " + err.Error())
 		ctx.Flash.Error("Account link id is not given")
 	} else {
-		if _, err := models.RemoveAccountLink(ctx.User, id); err != nil {
+		ctx.Flash.Success(ctx.Tr("settings.remove_account_link_success"))
 			ctx.Flash.Error("RemoveAccountLink: " + err.Error())
 		} else {
 			ctx.Flash.Success(ctx.Tr("settings.remove_account_link_success"))
 		}
 	}
 	ctx.JSON(200, map[string]interface{}{
--- a/templates/admin/dashboard.tmpl
+++ b/templates/admin/dashboard.tmpl
@@ -100,7 +100,7 @@
 				<dt>{{.i18n.Tr "admin.dashboard.mspan_structures_usage"}}</dt>
 				<dd>{{.SysStatus.MSpanInuse}}</dd>
 				<dt>{{.i18n.Tr "admin.dashboard.mspan_structures_obtained"}}</dt>
-				<dd>{{.SysStatus.MSpanSys}}</dd>
+				<dd>{{.SysStatus.HeapSys}}</dd>
 				<dt>{{.i18n.Tr "admin.dashboard.mcache_structures_usage"}}</dt>
 				<dd>{{.SysStatus.MCacheInuse}}</dd>
 				<dt>{{.i18n.Tr "admin.dashboard.mcache_structures_obtained"}}</dt>
--- a/templates/base/footer.tmpl
+++ b/templates/base/footer.tmpl
@@ -112,7 +112,6 @@
 	<script src="{{AppSubUrl}}/vendor/plugins/semantic/semantic.min.js"></script>
 	<script src="{{AppSubUrl}}/js/index.js?v={{MD5 AppVer}}"></script>
 {{if .EnableHeatmap}}
 	<script src="{{AppSubUrl}}/vendor/plugins/es6-promise/es6-promise.auto.min.js" charset="utf-8"></script>
 	<script src="{{AppSubUrl}}/vendor/plugins/moment/moment.min.js" charset="utf-8"></script>
 	<script src="{{AppSubUrl}}/vendor/plugins/vue-calendar-heatmap/vue-calendar-heatmap.browser.js" charset="utf-8"></script>
 	<script type="text/javascript">
--- a/templates/repo/home.tmpl
+++ b/templates/repo/home.tmpl
@@ -54,8 +54,8 @@
 		<div class="ui stackable secondary menu mobile--margin-between-items mobile--no-negative-margins">
 			{{if and .PullRequestCtx.Allowed .IsViewBranch}}
 				<div class="fitted item">
-					<a href="{{.BaseRepo.Link}}/compare/{{.BaseRepo.DefaultBranch | EscapePound}}...{{if ne .Repository.Owner.Name .BaseRepo.Owner.Name}}{{.Repository.Owner.Name}}:{{end}}{{.BranchName | EscapePound}}">
+					<a href="{{.BaseRepo.Link}}/compare/{{.BaseRepo.DefaultBranch | EscapePound}}...{{.Repository.Owner.Name}}:{{.BranchName | EscapePound}}">
-					<button class="ui green tiny compact button"><i class="octicon octicon-git-compare"></i></button>
+						<button class="ui green tiny compact button"><i class="octicon octicon-git-compare"></i></button>
 					</a>
 				</div>
 			{{end}}
--- a/templates/repo/settings/options.tmpl
+++ b/templates/repo/settings/options.tmpl
@@ -19,7 +19,7 @@
 					<div class="inline field">
 						<label>{{.i18n.Tr "repo.visibility"}}</label>
 						<div class="ui checkbox">
-							<input name="private" type="checkbox" {{if .Repository.IsPrivate}}checked{{end}}{{if and $.ForcePrivate .Repository.IsPrivate}} readonly{{end}}>
+							<input name="private" type="checkbox" {{if .Repository.IsPrivate}}checked{{end}}>
 							<label>{{.i18n.Tr "repo.visibility_helper" | Safe}} {{if .Repository.NumForks}}<span class="text red">{{.i18n.Tr "repo.visibility_fork_helper"}}</span>{{end}}</label>
 						</div>
 					</div>
--- a/templates/swagger/v1_json.tmpl
+++ b/templates/swagger/v1_json.tmpl
@@ -1663,46 +1663,6 @@
        }
      }
    },
    "/repos/{owner}/{repo}/git/trees/{sha}": {
      "get": {
        "produces": [
          "application/json"
        ],
        "tags": [
          "repository"
        ],
        "summary": "Gets the tree of a repository.",
        "operationId": "GetTree",
        "parameters": [
          {
            "type": "string",
            "description": "owner of the repo",
            "name": "owner",
            "in": "path",
            "required": true
          },
          {
            "type": "string",
            "description": "name of the repo",
            "name": "repo",
            "in": "path",
            "required": true
          },
          {
            "type": "string",
            "description": "sha of the commit",
            "name": "sha",
            "in": "path",
            "required": true
          }
        ],
        "responses": {
          "200": {
            "$ref": "#/responses/GitTreeResponse"
          }
        }
      }
    },
    "/repos/{owner}/{repo}/hooks": {
      "get": {
        "produces": [
@@ -7080,38 +7040,6 @@
      },
      "x-go-package": "code.gitea.io/gitea/vendor/code.gitea.io/sdk/gitea"
    },
    "GitEntry": {
      "description": "GitEntry represents a git tree",
      "type": "object",
      "properties": {
        "mode": {
          "type": "string",
          "x-go-name": "Mode"
        },
        "path": {
          "type": "string",
          "x-go-name": "Path"
        },
        "sha": {
          "type": "string",
          "x-go-name": "SHA"
        },
        "size": {
          "type": "integer",
          "format": "int64",
          "x-go-name": "Size"
        },
        "type": {
          "type": "string",
          "x-go-name": "Type"
        },
        "url": {
          "type": "string",
          "x-go-name": "URL"
        }
      },
      "x-go-package": "code.gitea.io/gitea/vendor/code.gitea.io/sdk/gitea"
    },
    "GitObject": {
      "type": "object",
      "title": "GitObject represents a Git object.",
@@ -7131,32 +7059,6 @@
      },
      "x-go-package": "code.gitea.io/gitea/vendor/code.gitea.io/sdk/gitea"
    },
    "GitTreeResponse": {
      "description": "GitTreeResponse returns a git tree",
      "type": "object",
      "properties": {
        "sha": {
          "type": "string",
          "x-go-name": "SHA"
        },
        "tree": {
          "type": "array",
          "items": {
            "$ref": "#/definitions/GitEntry"
          },
          "x-go-name": "Entries"
        },
        "truncated": {
          "type": "boolean",
          "x-go-name": "Truncated"
        },
        "url": {
          "type": "string",
          "x-go-name": "URL"
        }
      },
      "x-go-package": "code.gitea.io/gitea/vendor/code.gitea.io/sdk/gitea"
    },
    "Issue": {
      "description": "Issue represents an issue in a repository",
      "type": "object",
@@ -8298,12 +8200,6 @@
        }
      }
    },
    "GitTreeResponse": {
      "description": "GitTreeResponse",
      "schema": {
        "$ref": "#/definitions/GitTreeResponse"
      }
    },
    "Hook": {
      "description": "Hook",
      "schema": {
--- a/templates/user/dashboard/dashboard.tmpl
+++ b/templates/user/dashboard/dashboard.tmpl
@@ -44,14 +44,12 @@
 						<div v-show="tab === 'repos'" class="ui tab active list dashboard-repos">
 							<h4 class="ui top attached header">
 								{{.i18n.Tr "home.my_repos"}} <span class="ui grey label">${reposTotalCount}</span>
 								{{if or (not .ContextUser.IsOrganization) .IsOrganizationOwner}}
 								<div class="ui right">
-									<a class="poping up" :href="suburl + '/repo/create{{if .ContextUser.IsOrganization}}?org={{.ContextUser.ID}}{{end}}'" data-content="{{.i18n.Tr "new_repo"}}" data-variation="tiny inverted" data-position="left center">
+									<a class="poping up" :href="suburl + '/repo/create'" data-content="{{.i18n.Tr "new_repo"}}" data-variation="tiny inverted" data-position="left center">
 										<i class="plus icon"></i>
 										<span class="sr-only">{{.i18n.Tr "new_repo"}}</span>
 									</a>
 								</div>
 								{{end}}
 							</h4>
 							<div class="ui attached secondary segment repos-search">
 								<div class="ui fluid icon input" :class="{loading: isLoading}">
--- a/vendor/github.com/go-xorm/xorm/dialect_postgres.go
+++ b/vendor/github.com/go-xorm/xorm/dialect_postgres.go
@@ -822,7 +822,7 @@ func (db *postgres) SqlType(c *core.Column) string {
 	case core.NVarchar:
 		res = core.Varchar
 	case core.Uuid:
-		return core.Uuid
+		res = core.Uuid
 	case core.Blob, core.TinyBlob, core.MediumBlob, core.LongBlob:
 		return core.Bytea
 	case core.Double:
@@ -834,10 +834,6 @@ func (db *postgres) SqlType(c *core.Column) string {
 		res = t
 	}
 	if strings.EqualFold(res, "bool") {
 		// for bool, we don't need length information
 		return res
 	}
 	hasLen1 := (c.Length > 0)
 	hasLen2 := (c.Length2 > 0)
--- a/vendor/github.com/go-xorm/xorm/engine.go
+++ b/vendor/github.com/go-xorm/xorm/engine.go
@@ -481,8 +481,7 @@ func (engine *Engine) dumpTables(tables []*core.Table, w io.Writer, tp ...core.D
 		}
 		cols := table.ColumnsSeq()
-		colNames := engine.dialect.Quote(strings.Join(cols, engine.dialect.Quote(", ")))
+		colNames := dialect.Quote(strings.Join(cols, dialect.Quote(", ")))
 		destColNames := dialect.Quote(strings.Join(cols, dialect.Quote(", ")))
 		rows, err := engine.DB().Query("SELECT " + colNames + " FROM " + engine.Quote(table.Name))
 		if err != nil {
@@ -497,7 +496,7 @@ func (engine *Engine) dumpTables(tables []*core.Table, w io.Writer, tp ...core.D
 				return err
 			}
-			_, err = io.WriteString(w, "INSERT INTO "+dialect.Quote(table.Name)+" ("+destColNames+") VALUES (")
+			_, err = io.WriteString(w, "INSERT INTO "+dialect.Quote(table.Name)+" ("+colNames+") VALUES (")
 			if err != nil {
 				return err
 			}
--- a/vendor/gopkg.in/ldap.v2/LICENSE
+++ b/vendor/gopkg.in/ldap.v2/LICENSE
@@ -0,0 +1,27 @@
 Copyright (c) 2012 The Go Authors. All rights reserved.
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
 met:
   * Redistributions of source code must retain the above copyright
 notice, this list of conditions and the following disclaimer.
   * Redistributions in binary form must reproduce the above
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
   * Neither the name of Google Inc. nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/vendor/gopkg.in/ldap.v2/add.go
+++ b/vendor/gopkg.in/ldap.v2/add.go
@@ -41,8 +41,6 @@ type AddRequest struct {
 	DN string
 	// Attributes list the attributes of the new entry
 	Attributes []Attribute
 	// Controls hold optional controls to send with the request
 	Controls []Control
 }
 func (a AddRequest) encode() *ber.Packet {
@@ -62,10 +60,9 @@ func (a *AddRequest) Attribute(attrType string, attrVals []string) {
 }
 // NewAddRequest returns an AddRequest for the given DN, with no attributes
-func NewAddRequest(dn string, controls []Control) *AddRequest {
+func NewAddRequest(dn string) *AddRequest {
 	return &AddRequest{
-		DN:       dn,
+		DN: dn,
 		Controls: controls,
 	}
 }
@@ -75,9 +72,6 @@ func (l *Conn) Add(addRequest *AddRequest) error {
 	packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
 	packet.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, l.nextMessageID(), "MessageID"))
 	packet.AppendChild(addRequest.encode())
 	if len(addRequest.Controls) > 0 {
 		packet.AppendChild(encodeControls(addRequest.Controls))
 	}
 	l.Debug.PrintPacket(packet)
@@ -106,9 +100,9 @@ func (l *Conn) Add(addRequest *AddRequest) error {
 	}
 	if packet.Children[1].Tag == ApplicationAddResponse {
-		err := GetLDAPError(packet)
+		resultCode, resultDescription := getLDAPResultCode(packet)
-		if err != nil {
+		if resultCode != 0 {
-			return err
+			return NewError(resultCode, errors.New(resultDescription))
 		}
 	} else {
 		log.Printf("Unexpected Response: %d", packet.Children[1].Tag)
--- a/vendor/gopkg.in/ldap.v2/bind.go
+++ b/vendor/gopkg.in/ldap.v2/bind.go
@@ -1,8 +1,11 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package ldap
 import (
 	"errors"
 	"fmt"
 	"gopkg.in/asn1-ber.v1"
 )
@@ -15,9 +18,6 @@ type SimpleBindRequest struct {
 	Password string
 	// Controls are optional controls to send with the bind request
 	Controls []Control
 	// AllowEmptyPassword sets whether the client allows binding with an empty password
 	// (normally used for unauthenticated bind).
 	AllowEmptyPassword bool
 }
 // SimpleBindResult contains the response from the server
@@ -28,10 +28,9 @@ type SimpleBindResult struct {
 // NewSimpleBindRequest returns a bind request
 func NewSimpleBindRequest(username string, password string, controls []Control) *SimpleBindRequest {
 	return &SimpleBindRequest{
-		Username:           username,
+		Username: username,
-		Password:           password,
+		Password: password,
-		Controls:           controls,
+		Controls: controls,
 		AllowEmptyPassword: false,
 	}
 }
@@ -41,22 +40,17 @@ func (bindRequest *SimpleBindRequest) encode() *ber.Packet {
 	request.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, bindRequest.Username, "User Name"))
 	request.AppendChild(ber.NewString(ber.ClassContext, ber.TypePrimitive, 0, bindRequest.Password, "Password"))
 	request.AppendChild(encodeControls(bindRequest.Controls))
 	return request
 }
 // SimpleBind performs the simple bind operation defined in the given request
 func (l *Conn) SimpleBind(simpleBindRequest *SimpleBindRequest) (*SimpleBindResult, error) {
 	if simpleBindRequest.Password == "" && !simpleBindRequest.AllowEmptyPassword {
 		return nil, NewError(ErrorEmptyPassword, errors.New("ldap: empty password not allowed by the client"))
 	}
 	packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
 	packet.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, l.nextMessageID(), "MessageID"))
 	encodedBindRequest := simpleBindRequest.encode()
 	packet.AppendChild(encodedBindRequest)
 	if len(simpleBindRequest.Controls) > 0 {
 		packet.AppendChild(encodeControls(simpleBindRequest.Controls))
 	}
 	if l.Debug {
 		ber.PrintPacket(packet)
@@ -79,7 +73,7 @@ func (l *Conn) SimpleBind(simpleBindRequest *SimpleBindRequest) (*SimpleBindResu
 	}
 	if l.Debug {
-		if err = addLDAPDescriptions(packet); err != nil {
+		if err := addLDAPDescriptions(packet); err != nil {
 			return nil, err
 		}
 		ber.PrintPacket(packet)
@@ -91,45 +85,59 @@ func (l *Conn) SimpleBind(simpleBindRequest *SimpleBindRequest) (*SimpleBindResu
 	if len(packet.Children) == 3 {
 		for _, child := range packet.Children[2].Children {
-			decodedChild, decodeErr := DecodeControl(child)
+			result.Controls = append(result.Controls, DecodeControl(child))
 			if decodeErr != nil {
 				return nil, fmt.Errorf("failed to decode child control: %s", decodeErr)
 			}
 			result.Controls = append(result.Controls, decodedChild)
 		}
 	}
-	err = GetLDAPError(packet)
+	resultCode, resultDescription := getLDAPResultCode(packet)
-	return result, err
+	if resultCode != 0 {
 		return result, NewError(resultCode, errors.New(resultDescription))
 	}
 	return result, nil
 }
-// Bind performs a bind with the given username and password.
+// Bind performs a bind with the given username and password
 //
 // It does not allow unauthenticated bind (i.e. empty password). Use the UnauthenticatedBind method
 // for that.
 func (l *Conn) Bind(username, password string) error {
-	req := &SimpleBindRequest{
+	packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
-		Username:           username,
+	packet.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, l.nextMessageID(), "MessageID"))
-		Password:           password,
+	bindRequest := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationBindRequest, nil, "Bind Request")
-		AllowEmptyPassword: false,
+	bindRequest.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, 3, "Version"))
-	}
+	bindRequest.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, username, "User Name"))
-	_, err := l.SimpleBind(req)
+	bindRequest.AppendChild(ber.NewString(ber.ClassContext, ber.TypePrimitive, 0, password, "Password"))
-	return err
+	packet.AppendChild(bindRequest)
 }
-// UnauthenticatedBind performs an unauthenticated bind.
+	if l.Debug {
-//
+		ber.PrintPacket(packet)
 // A username may be provided for trace (e.g. logging) purpose only, but it is normally not
 // authenticated or otherwise validated by the LDAP server.
 //
 // See https://tools.ietf.org/html/rfc4513#section-5.1.2 .
 // See https://tools.ietf.org/html/rfc4513#section-6.3.1 .
 func (l *Conn) UnauthenticatedBind(username string) error {
 	req := &SimpleBindRequest{
 		Username:           username,
 		Password:           "",
 		AllowEmptyPassword: true,
 	}
-	_, err := l.SimpleBind(req)
+
-	return err
+	msgCtx, err := l.sendMessage(packet)
 	if err != nil {
 		return err
 	}
 	defer l.finishMessage(msgCtx)
 	packetResponse, ok := <-msgCtx.responses
 	if !ok {
 		return NewError(ErrorNetwork, errors.New("ldap: response channel closed"))
 	}
 	packet, err = packetResponse.ReadPacket()
 	l.Debug.Printf("%d: got response %p", msgCtx.id, packet)
 	if err != nil {
 		return err
 	}
 	if l.Debug {
 		if err := addLDAPDescriptions(packet); err != nil {
 			return err
 		}
 		ber.PrintPacket(packet)
 	}
 	resultCode, resultDescription := getLDAPResultCode(packet)
 	if resultCode != 0 {
 		return NewError(resultCode, errors.New(resultDescription))
 	}
 	return nil
 }
--- a/vendor/gopkg.in/ldap.v2/client.go
+++ b/vendor/gopkg.in/ldap.v2/client.go
@@ -18,7 +18,6 @@ type Client interface {
 	Add(addRequest *AddRequest) error
 	Del(delRequest *DelRequest) error
 	Modify(modifyRequest *ModifyRequest) error
 	ModifyDN(modifyDNRequest *ModifyDNRequest) error
 	Compare(dn, attribute, value string) (bool, error)
 	PasswordModify(passwordModifyRequest *PasswordModifyRequest) (*PasswordModifyResult, error)
--- a/vendor/gopkg.in/ldap.v2/compare.go
+++ b/vendor/gopkg.in/ldap.v2/compare.go
@@ -1,3 +1,7 @@
 // Copyright 2014 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //
 // File contains Compare functionality
 //
 // https://tools.ietf.org/html/rfc4511
@@ -37,7 +41,7 @@ func (l *Conn) Compare(dn, attribute, value string) (bool, error) {
 	ava := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "AttributeValueAssertion")
 	ava.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, attribute, "AttributeDesc"))
-	ava.AppendChild(ber.Encode(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, value, "AssertionValue"))
+	ava.AppendChild(ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagOctetString, value, "AssertionValue"))
 	request.AppendChild(ava)
 	packet.AppendChild(request)
@@ -68,16 +72,14 @@ func (l *Conn) Compare(dn, attribute, value string) (bool, error) {
 	}
 	if packet.Children[1].Tag == ApplicationCompareResponse {
-		err := GetLDAPError(packet)
+		resultCode, resultDescription := getLDAPResultCode(packet)
-
+		if resultCode == LDAPResultCompareTrue {
 		switch {
 		case IsErrorWithCode(err, LDAPResultCompareTrue):
 			return true, nil
-		case IsErrorWithCode(err, LDAPResultCompareFalse):
+		} else if resultCode == LDAPResultCompareFalse {
 			return false, nil
-		default:
+		} else {
-			return false, err
+			return false, NewError(resultCode, errors.New(resultDescription))
 		}
 	}
-	return false, fmt.Errorf("unexpected Response: %d", packet.Children[1].Tag)
+	return false, fmt.Errorf("Unexpected Response: %d", packet.Children[1].Tag)
 }
--- a/vendor/gopkg.in/ldap.v2/conn.go
+++ b/vendor/gopkg.in/ldap.v2/conn.go
@@ -1,3 +1,7 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package ldap
 import (
@@ -6,9 +10,7 @@ import (
 	"fmt"
 	"log"
 	"net"
 	"net/url"
 	"sync"
 	"sync/atomic"
 	"time"
 	"gopkg.in/asn1-ber.v1"
@@ -27,13 +29,6 @@ const (
 	MessageTimeout = 4
 )
 const (
 	// DefaultLdapPort default ldap port for pure TCP connection
 	DefaultLdapPort = "389"
 	// DefaultLdapsPort default ldap port for SSL connection
 	DefaultLdapsPort = "636"
 )
 // PacketResponse contains the packet or error encountered reading a response
 type PacketResponse struct {
 	// Packet is the packet read from the server
@@ -85,22 +80,22 @@ const (
 // Conn represents an LDAP Connection
 type Conn struct {
 	// requestTimeout is loaded atomically
 	// so we need to ensure 64-bit alignment on 32-bit platforms.
 	requestTimeout      int64
 	conn                net.Conn
 	isTLS               bool
-	closing             uint32
+	isClosing           bool
-	closeErr            atomic.Value
+	closeErr            error
 	isStartingTLS       bool
 	Debug               debugging
-	chanConfirm         chan struct{}
+	chanConfirm         chan bool
 	messageContexts     map[int64]*messageContext
 	chanMessage         chan *messagePacket
 	chanMessageID       chan int64
 	wgSender            sync.WaitGroup
 	wgClose             sync.WaitGroup
 	once                sync.Once
 	outstandingRequests uint
 	messageMutex        sync.Mutex
 	requestTimeout      time.Duration
 }
 var _ Client = &Conn{}
@@ -127,56 +122,27 @@ func Dial(network, addr string) (*Conn, error) {
 // DialTLS connects to the given address on the given network using tls.Dial
 // and then returns a new Conn for the connection.
 func DialTLS(network, addr string, config *tls.Config) (*Conn, error) {
-	c, err := tls.DialWithDialer(&net.Dialer{Timeout: DefaultTimeout}, network, addr, config)
+	dc, err := net.DialTimeout(network, addr, DefaultTimeout)
 	if err != nil {
 		return nil, NewError(ErrorNetwork, err)
 	}
 	c := tls.Client(dc, config)
 	err = c.Handshake()
 	if err != nil {
 		// Handshake error, close the established connection before we return an error
 		dc.Close()
 		return nil, NewError(ErrorNetwork, err)
 	}
 	conn := NewConn(c, true)
 	conn.Start()
 	return conn, nil
 }
 // DialURL connects to the given ldap URL vie TCP using tls.Dial or net.Dial if ldaps://
 // or ldap:// specified as protocol. On success a new Conn for the connection
 // is returned.
 func DialURL(addr string) (*Conn, error) {
 	lurl, err := url.Parse(addr)
 	if err != nil {
 		return nil, NewError(ErrorNetwork, err)
 	}
 	host, port, err := net.SplitHostPort(lurl.Host)
 	if err != nil {
 		// we asume that error is due to missing port
 		host = lurl.Host
 		port = ""
 	}
 	switch lurl.Scheme {
 	case "ldap":
 		if port == "" {
 			port = DefaultLdapPort
 		}
 		return Dial("tcp", net.JoinHostPort(host, port))
 	case "ldaps":
 		if port == "" {
 			port = DefaultLdapsPort
 		}
 		tlsConf := &tls.Config{
 			ServerName: host,
 		}
 		return DialTLS("tcp", net.JoinHostPort(host, port), tlsConf)
 	}
 	return nil, NewError(ErrorNetwork, fmt.Errorf("Unknown scheme '%s'", lurl.Scheme))
 }
 // NewConn returns a new Conn using conn for network I/O.
 func NewConn(conn net.Conn, isTLS bool) *Conn {
 	return &Conn{
 		conn:            conn,
-		chanConfirm:     make(chan struct{}),
+		chanConfirm:     make(chan bool),
 		chanMessageID:   make(chan int64),
 		chanMessage:     make(chan *messagePacket, 10),
 		messageContexts: map[int64]*messageContext{},
@@ -192,22 +158,12 @@ func (l *Conn) Start() {
 	l.wgClose.Add(1)
 }
 // IsClosing returns whether or not we're currently closing.
 func (l *Conn) IsClosing() bool {
 	return atomic.LoadUint32(&l.closing) == 1
 }
 // setClosing sets the closing value to true
 func (l *Conn) setClosing() bool {
 	return atomic.CompareAndSwapUint32(&l.closing, 0, 1)
 }
 // Close closes the connection.
 func (l *Conn) Close() {
-	l.messageMutex.Lock()
+	l.once.Do(func() {
-	defer l.messageMutex.Unlock()
+		l.isClosing = true
 		l.wgSender.Wait()
 	if l.setClosing() {
 		l.Debug.Printf("Sending quit message and waiting for confirmation")
 		l.chanMessage <- &messagePacket{Op: MessageQuit}
 		<-l.chanConfirm
@@ -215,25 +171,27 @@ func (l *Conn) Close() {
 		l.Debug.Printf("Closing network connection")
 		if err := l.conn.Close(); err != nil {
-			log.Println(err)
+			log.Print(err)
 		}
 		l.wgClose.Done()
-	}
+	})
 	l.wgClose.Wait()
 }
 // SetTimeout sets the time after a request is sent that a MessageTimeout triggers
 func (l *Conn) SetTimeout(timeout time.Duration) {
 	if timeout > 0 {
-		atomic.StoreInt64(&l.requestTimeout, int64(timeout))
+		l.requestTimeout = timeout
 	}
 }
 // Returns the next available messageID
 func (l *Conn) nextMessageID() int64 {
-	if messageID, ok := <-l.chanMessageID; ok {
+	if l.chanMessageID != nil {
-		return messageID
+		if messageID, ok := <-l.chanMessageID; ok {
 			return messageID
 		}
 	}
 	return 0
 }
@@ -277,41 +235,30 @@ func (l *Conn) StartTLS(config *tls.Config) error {
 		ber.PrintPacket(packet)
 	}
-	if err := GetLDAPError(packet); err == nil {
+	if resultCode, message := getLDAPResultCode(packet); resultCode == LDAPResultSuccess {
 		conn := tls.Client(l.conn, config)
-		if connErr := conn.Handshake(); connErr != nil {
+		if err := conn.Handshake(); err != nil {
 			l.Close()
-			return NewError(ErrorNetwork, fmt.Errorf("TLS handshake failed (%v)", connErr))
+			return NewError(ErrorNetwork, fmt.Errorf("TLS handshake failed (%v)", err))
 		}
 		l.isTLS = true
 		l.conn = conn
 	} else {
-		return err
+		return NewError(resultCode, fmt.Errorf("ldap: cannot StartTLS (%s)", message))
 	}
 	go l.reader()
 	return nil
 }
 // TLSConnectionState returns the client's TLS connection state.
 // The return values are their zero values if StartTLS did
 // not succeed.
 func (l *Conn) TLSConnectionState() (state tls.ConnectionState, ok bool) {
 	tc, ok := l.conn.(*tls.Conn)
 	if !ok {
 		return
 	}
 	return tc.ConnectionState(), true
 }
 func (l *Conn) sendMessage(packet *ber.Packet) (*messageContext, error) {
 	return l.sendMessageWithFlags(packet, 0)
 }
 func (l *Conn) sendMessageWithFlags(packet *ber.Packet, flags sendMessageFlags) (*messageContext, error) {
-	if l.IsClosing() {
+	if l.isClosing {
 		return nil, NewError(ErrorNetwork, errors.New("ldap: connection closed"))
 	}
 	l.messageMutex.Lock()
@@ -350,7 +297,7 @@ func (l *Conn) sendMessageWithFlags(packet *ber.Packet, flags sendMessageFlags)
 func (l *Conn) finishMessage(msgCtx *messageContext) {
 	close(msgCtx.done)
-	if l.IsClosing() {
+	if l.isClosing {
 		return
 	}
@@ -369,12 +316,12 @@ func (l *Conn) finishMessage(msgCtx *messageContext) {
 }
 func (l *Conn) sendProcessMessage(message *messagePacket) bool {
-	l.messageMutex.Lock()
+	if l.isClosing {
 	defer l.messageMutex.Unlock()
 	if l.IsClosing() {
 		return false
 	}
 	l.wgSender.Add(1)
 	l.chanMessage <- message
 	l.wgSender.Done()
 	return true
 }
@@ -386,14 +333,15 @@ func (l *Conn) processMessages() {
 		for messageID, msgCtx := range l.messageContexts {
 			// If we are closing due to an error, inform anyone who
 			// is waiting about the error.
-			if l.IsClosing() && l.closeErr.Load() != nil {
+			if l.isClosing && l.closeErr != nil {
-				msgCtx.sendResponse(&PacketResponse{Error: l.closeErr.Load().(error)})
+				msgCtx.sendResponse(&PacketResponse{Error: l.closeErr})
 			}
 			l.Debug.Printf("Closing channel for MessageID %d", messageID)
 			close(msgCtx.responses)
 			delete(l.messageContexts, messageID)
 		}
 		close(l.chanMessageID)
 		l.chanConfirm <- true
 		close(l.chanConfirm)
 	}()
@@ -402,7 +350,11 @@ func (l *Conn) processMessages() {
 		select {
 		case l.chanMessageID <- messageID:
 			messageID++
-		case message := <-l.chanMessage:
+		case message, ok := <-l.chanMessage:
 			if !ok {
 				l.Debug.Printf("Shutting down - message channel is closed")
 				return
 			}
 			switch message.Op {
 			case MessageQuit:
 				l.Debug.Printf("Shutting down - quit message received")
@@ -425,15 +377,14 @@ func (l *Conn) processMessages() {
 				l.messageContexts[message.MessageID] = message.Context
 				// Add timeout if defined
-				requestTimeout := time.Duration(atomic.LoadInt64(&l.requestTimeout))
+				if l.requestTimeout > 0 {
 				if requestTimeout > 0 {
 					go func() {
 						defer func() {
 							if err := recover(); err != nil {
 								log.Printf("ldap: recovered panic in RequestTimeout: %v", err)
 							}
 						}()
-						time.Sleep(requestTimeout)
+						time.Sleep(l.requestTimeout)
 						timeoutMessage := &messagePacket{
 							Op:        MessageTimeout,
 							MessageID: message.MessageID,
@@ -446,7 +397,7 @@ func (l *Conn) processMessages() {
 				if msgCtx, ok := l.messageContexts[message.MessageID]; ok {
 					msgCtx.sendResponse(&PacketResponse{message.Packet, nil})
 				} else {
-					log.Printf("Received unexpected message %d, %v", message.MessageID, l.IsClosing())
+					log.Printf("Received unexpected message %d, %v", message.MessageID, l.isClosing)
 					ber.PrintPacket(message.Packet)
 				}
 			case MessageTimeout:
@@ -488,8 +439,8 @@ func (l *Conn) reader() {
 		packet, err := ber.ReadPacket(l.conn)
 		if err != nil {
 			// A read error is expected here if we are closing the connection...
-			if !l.IsClosing() {
+			if !l.isClosing {
-				l.closeErr.Store(fmt.Errorf("unable to read LDAP response packet: %s", err))
+				l.closeErr = fmt.Errorf("unable to read LDAP response packet: %s", err)
 				l.Debug.Printf("reader error: %s", err.Error())
 			}
 			return
--- a/vendor/gopkg.in/ldap.v2/control.go
+++ b/vendor/gopkg.in/ldap.v2/control.go
@@ -1,3 +1,7 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package ldap
 import (
@@ -18,20 +22,13 @@ const (
 	ControlTypeVChuPasswordWarning = "2.16.840.1.113730.3.4.5"
 	// ControlTypeManageDsaIT - https://tools.ietf.org/html/rfc3296
 	ControlTypeManageDsaIT = "2.16.840.1.113730.3.4.2"
 	// ControlTypeMicrosoftNotification - https://msdn.microsoft.com/en-us/library/aa366983(v=vs.85).aspx
 	ControlTypeMicrosoftNotification = "1.2.840.113556.1.4.528"
 	// ControlTypeMicrosoftShowDeleted - https://msdn.microsoft.com/en-us/library/aa366989(v=vs.85).aspx
 	ControlTypeMicrosoftShowDeleted = "1.2.840.113556.1.4.417"
 )
 // ControlTypeMap maps controls to text descriptions
 var ControlTypeMap = map[string]string{
-	ControlTypePaging:                "Paging",
+	ControlTypePaging:               "Paging",
-	ControlTypeBeheraPasswordPolicy:  "Password Policy - Behera Draft",
+	ControlTypeBeheraPasswordPolicy: "Password Policy - Behera Draft",
-	ControlTypeManageDsaIT:           "Manage DSA IT",
+	ControlTypeManageDsaIT:          "Manage DSA IT",
 	ControlTypeMicrosoftNotification: "Change Notification - Microsoft",
 	ControlTypeMicrosoftShowDeleted:  "Show Deleted Objects - Microsoft",
 }
 // Control defines an interface controls provide to encode and describe themselves
@@ -245,64 +242,6 @@ func NewControlManageDsaIT(Criticality bool) *ControlManageDsaIT {
 	return &ControlManageDsaIT{Criticality: Criticality}
 }
 // ControlMicrosoftNotification implements the control described in https://msdn.microsoft.com/en-us/library/aa366983(v=vs.85).aspx
 type ControlMicrosoftNotification struct{}
 // GetControlType returns the OID
 func (c *ControlMicrosoftNotification) GetControlType() string {
 	return ControlTypeMicrosoftNotification
 }
 // Encode returns the ber packet representation
 func (c *ControlMicrosoftNotification) Encode() *ber.Packet {
 	packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "Control")
 	packet.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, ControlTypeMicrosoftNotification, "Control Type ("+ControlTypeMap[ControlTypeMicrosoftNotification]+")"))
 	return packet
 }
 // String returns a human-readable description
 func (c *ControlMicrosoftNotification) String() string {
 	return fmt.Sprintf(
 		"Control Type: %s (%q)",
 		ControlTypeMap[ControlTypeMicrosoftNotification],
 		ControlTypeMicrosoftNotification)
 }
 // NewControlMicrosoftNotification returns a ControlMicrosoftNotification control
 func NewControlMicrosoftNotification() *ControlMicrosoftNotification {
 	return &ControlMicrosoftNotification{}
 }
 // ControlMicrosoftShowDeleted implements the control described in https://msdn.microsoft.com/en-us/library/aa366989(v=vs.85).aspx
 type ControlMicrosoftShowDeleted struct{}
 // GetControlType returns the OID
 func (c *ControlMicrosoftShowDeleted) GetControlType() string {
 	return ControlTypeMicrosoftShowDeleted
 }
 // Encode returns the ber packet representation
 func (c *ControlMicrosoftShowDeleted) Encode() *ber.Packet {
 	packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "Control")
 	packet.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, ControlTypeMicrosoftShowDeleted, "Control Type ("+ControlTypeMap[ControlTypeMicrosoftShowDeleted]+")"))
 	return packet
 }
 // String returns a human-readable description
 func (c *ControlMicrosoftShowDeleted) String() string {
 	return fmt.Sprintf(
 		"Control Type: %s (%q)",
 		ControlTypeMap[ControlTypeMicrosoftShowDeleted],
 		ControlTypeMicrosoftShowDeleted)
 }
 // NewControlMicrosoftShowDeleted returns a ControlMicrosoftShowDeleted control
 func NewControlMicrosoftShowDeleted() *ControlMicrosoftShowDeleted {
 	return &ControlMicrosoftShowDeleted{}
 }
 // FindControl returns the first control of the given type in the list, or nil
 func FindControl(controls []Control, controlType string) Control {
 	for _, c := range controls {
@@ -314,7 +253,7 @@ func FindControl(controls []Control, controlType string) Control {
 }
 // DecodeControl returns a control read from the given packet, or nil if no recognized control can be made
-func DecodeControl(packet *ber.Packet) (Control, error) {
+func DecodeControl(packet *ber.Packet) Control {
 	var (
 		ControlType = ""
 		Criticality = false
@@ -324,7 +263,7 @@ func DecodeControl(packet *ber.Packet) (Control, error) {
 	switch len(packet.Children) {
 	case 0:
 		// at least one child is required for control type
-		return nil, fmt.Errorf("at least one child is required for control type")
+		return nil
 	case 1:
 		// just type, no criticality or value
@@ -357,20 +296,17 @@ func DecodeControl(packet *ber.Packet) (Control, error) {
 	default:
 		// more than 3 children is invalid
-		return nil, fmt.Errorf("more than 3 children is invalid for controls")
+		return nil
 	}
 	switch ControlType {
 	case ControlTypeManageDsaIT:
-		return NewControlManageDsaIT(Criticality), nil
+		return NewControlManageDsaIT(Criticality)
 	case ControlTypePaging:
 		value.Description += " (Paging)"
 		c := new(ControlPaging)
 		if value.Value != nil {
-			valueChildren, err := ber.DecodePacketErr(value.Data.Bytes())
+			valueChildren := ber.DecodePacket(value.Data.Bytes())
 			if err != nil {
 				return nil, fmt.Errorf("failed to decode data bytes: %s", err)
 			}
 			value.Data.Truncate(0)
 			value.Value = nil
 			value.AppendChild(valueChildren)
@@ -382,15 +318,12 @@ func DecodeControl(packet *ber.Packet) (Control, error) {
 		c.PagingSize = uint32(value.Children[0].Value.(int64))
 		c.Cookie = value.Children[1].Data.Bytes()
 		value.Children[1].Value = c.Cookie
-		return c, nil
+		return c
 	case ControlTypeBeheraPasswordPolicy:
 		value.Description += " (Password Policy - Behera)"
 		c := NewControlBeheraPasswordPolicy()
 		if value.Value != nil {
-			valueChildren, err := ber.DecodePacketErr(value.Data.Bytes())
+			valueChildren := ber.DecodePacket(value.Data.Bytes())
 			if err != nil {
 				return nil, fmt.Errorf("failed to decode data bytes: %s", err)
 			}
 			value.Data.Truncate(0)
 			value.Value = nil
 			value.AppendChild(valueChildren)
@@ -401,29 +334,23 @@ func DecodeControl(packet *ber.Packet) (Control, error) {
 		for _, child := range sequence.Children {
 			if child.Tag == 0 {
 				//Warning
-				warningPacket := child.Children[0]
+				child := child.Children[0]
-				packet, err := ber.DecodePacketErr(warningPacket.Data.Bytes())
+				packet := ber.DecodePacket(child.Data.Bytes())
 				if err != nil {
 					return nil, fmt.Errorf("failed to decode data bytes: %s", err)
 				}
 				val, ok := packet.Value.(int64)
 				if ok {
-					if warningPacket.Tag == 0 {
+					if child.Tag == 0 {
 						//timeBeforeExpiration
 						c.Expire = val
-						warningPacket.Value = c.Expire
+						child.Value = c.Expire
-					} else if warningPacket.Tag == 1 {
+					} else if child.Tag == 1 {
 						//graceAuthNsRemaining
 						c.Grace = val
-						warningPacket.Value = c.Grace
+						child.Value = c.Grace
 					}
 				}
 			} else if child.Tag == 1 {
 				// Error
-				packet, err := ber.DecodePacketErr(child.Data.Bytes())
+				packet := ber.DecodePacket(child.Data.Bytes())
 				if err != nil {
 					return nil, fmt.Errorf("failed to decode data bytes: %s", err)
 				}
 				val, ok := packet.Value.(int8)
 				if !ok {
 					// what to do?
@@ -434,26 +361,22 @@ func DecodeControl(packet *ber.Packet) (Control, error) {
 				c.ErrorString = BeheraPasswordPolicyErrorMap[c.Error]
 			}
 		}
-		return c, nil
+		return c
 	case ControlTypeVChuPasswordMustChange:
 		c := &ControlVChuPasswordMustChange{MustChange: true}
-		return c, nil
+		return c
 	case ControlTypeVChuPasswordWarning:
 		c := &ControlVChuPasswordWarning{Expire: -1}
 		expireStr := ber.DecodeString(value.Data.Bytes())
 		expire, err := strconv.ParseInt(expireStr, 10, 64)
 		if err != nil {
-			return nil, fmt.Errorf("failed to parse value as int: %s", err)
+			return nil
 		}
 		c.Expire = expire
 		value.Value = c.Expire
-		return c, nil
+		return c
 	case ControlTypeMicrosoftNotification:
 		return NewControlMicrosoftNotification(), nil
 	case ControlTypeMicrosoftShowDeleted:
 		return NewControlMicrosoftShowDeleted(), nil
 	default:
 		c := new(ControlString)
 		c.ControlType = ControlType
@@ -461,7 +384,7 @@ func DecodeControl(packet *ber.Packet) (Control, error) {
 		if value != nil {
 			c.ControlValue = value.Value.(string)
 		}
-		return c, nil
+		return c
 	}
 }
--- a/vendor/gopkg.in/ldap.v2/debug.go
+++ b/vendor/gopkg.in/ldap.v2/debug.go
@@ -6,7 +6,7 @@ import (
 	"gopkg.in/asn1-ber.v1"
 )
-// debugging type
+// debbuging type
 //     - has a Printf method to write the debug output
 type debugging bool
--- a/vendor/gopkg.in/ldap.v2/del.go
+++ b/vendor/gopkg.in/ldap.v2/del.go
@@ -40,7 +40,7 @@ func (l *Conn) Del(delRequest *DelRequest) error {
 	packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
 	packet.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, l.nextMessageID(), "MessageID"))
 	packet.AppendChild(delRequest.encode())
-	if len(delRequest.Controls) > 0 {
+	if delRequest.Controls != nil {
 		packet.AppendChild(encodeControls(delRequest.Controls))
 	}
@@ -71,9 +71,9 @@ func (l *Conn) Del(delRequest *DelRequest) error {
 	}
 	if packet.Children[1].Tag == ApplicationDelResponse {
-		err := GetLDAPError(packet)
+		resultCode, resultDescription := getLDAPResultCode(packet)
-		if err != nil {
+		if resultCode != 0 {
-			return err
+			return NewError(resultCode, errors.New(resultDescription))
 		}
 	} else {
 		log.Printf("Unexpected Response: %d", packet.Children[1].Tag)
--- a/vendor/gopkg.in/ldap.v2/dn.go
+++ b/vendor/gopkg.in/ldap.v2/dn.go
@@ -1,4 +1,8 @@
-// File contains DN parsing functionality
+// Copyright 2015 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //
 // File contains DN parsing functionallity
 //
 // https://tools.ietf.org/html/rfc4514
 //
@@ -48,7 +52,7 @@ import (
 	"fmt"
 	"strings"
-	"gopkg.in/asn1-ber.v1"
+	ber "gopkg.in/asn1-ber.v1"
 )
 // AttributeTypeAndValue represents an attributeTypeAndValue from https://tools.ietf.org/html/rfc4514
@@ -79,20 +83,9 @@ func ParseDN(str string) (*DN, error) {
 	attribute := new(AttributeTypeAndValue)
 	escaping := false
 	unescapedTrailingSpaces := 0
 	stringFromBuffer := func() string {
 		s := buffer.String()
 		s = s[0 : len(s)-unescapedTrailingSpaces]
 		buffer.Reset()
 		unescapedTrailingSpaces = 0
 		return s
 	}
 	for i := 0; i < len(str); i++ {
 		char := str[i]
-		switch {
+		if escaping {
 		case escaping:
 			unescapedTrailingSpaces = 0
 			escaping = false
 			switch char {
 			case ' ', '"', '#', '+', ',', ';', '<', '=', '>', '\\':
@@ -101,23 +94,23 @@ func ParseDN(str string) (*DN, error) {
 			}
 			// Not a special character, assume hex encoded octet
 			if len(str) == i+1 {
-				return nil, errors.New("got corrupted escaped character")
+				return nil, errors.New("Got corrupted escaped character")
 			}
 			dst := []byte{0}
 			n, err := enchex.Decode([]byte(dst), []byte(str[i:i+2]))
 			if err != nil {
-				return nil, fmt.Errorf("failed to decode escaped character: %s", err)
+				return nil, fmt.Errorf("Failed to decode escaped character: %s", err)
 			} else if n != 1 {
-				return nil, fmt.Errorf("expected 1 byte when un-escaping, got %d", n)
+				return nil, fmt.Errorf("Expected 1 byte when un-escaping, got %d", n)
 			}
 			buffer.WriteByte(dst[0])
 			i++
-		case char == '\\':
+		} else if char == '\\' {
 			unescapedTrailingSpaces = 0
 			escaping = true
-		case char == '=':
+		} else if char == '=' {
-			attribute.Type = stringFromBuffer()
+			attribute.Type = buffer.String()
 			buffer.Reset()
 			// Special case: If the first character in the value is # the
 			// following data is BER encoded so we can just fast forward
 			// and decode.
@@ -132,21 +125,15 @@ func ParseDN(str string) (*DN, error) {
 				}
 				rawBER, err := enchex.DecodeString(data)
 				if err != nil {
-					return nil, fmt.Errorf("failed to decode BER encoding: %s", err)
+					return nil, fmt.Errorf("Failed to decode BER encoding: %s", err)
 				}
 				packet, err := ber.DecodePacketErr(rawBER)
 				if err != nil {
 					return nil, fmt.Errorf("failed to decode BER packet: %s", err)
 				}
 				packet := ber.DecodePacket(rawBER)
 				buffer.WriteString(packet.Data.String())
 				i += len(data) - 1
 			}
-		case char == ',' || char == '+':
+		} else if char == ',' || char == '+' {
 			// We're done with this RDN or value, push it
-			if len(attribute.Type) == 0 {
+			attribute.Value = buffer.String()
 				return nil, errors.New("incomplete type, value pair")
 			}
 			attribute.Value = stringFromBuffer()
 			rdn.Attributes = append(rdn.Attributes, attribute)
 			attribute = new(AttributeTypeAndValue)
 			if char == ',' {
@@ -154,17 +141,8 @@ func ParseDN(str string) (*DN, error) {
 				rdn = new(RelativeDN)
 				rdn.Attributes = make([]*AttributeTypeAndValue, 0)
 			}
-		case char == ' ' && buffer.Len() == 0:
+			buffer.Reset()
-			// ignore unescaped leading spaces
+		} else {
 			continue
 		default:
 			if char == ' ' {
 				// Track unescaped spaces in case they are trailing and we need to remove them
 				unescapedTrailingSpaces++
 			} else {
 				// Reset if we see a non-space char
 				unescapedTrailingSpaces = 0
 			}
 			buffer.WriteByte(char)
 		}
 	}
@@ -172,76 +150,9 @@ func ParseDN(str string) (*DN, error) {
 		if len(attribute.Type) == 0 {
 			return nil, errors.New("DN ended with incomplete type, value pair")
 		}
-		attribute.Value = stringFromBuffer()
+		attribute.Value = buffer.String()
 		rdn.Attributes = append(rdn.Attributes, attribute)
 		dn.RDNs = append(dn.RDNs, rdn)
 	}
 	return dn, nil
 }
 // Equal returns true if the DNs are equal as defined by rfc4517 4.2.15 (distinguishedNameMatch).
 // Returns true if they have the same number of relative distinguished names
 // and corresponding relative distinguished names (by position) are the same.
 func (d *DN) Equal(other *DN) bool {
 	if len(d.RDNs) != len(other.RDNs) {
 		return false
 	}
 	for i := range d.RDNs {
 		if !d.RDNs[i].Equal(other.RDNs[i]) {
 			return false
 		}
 	}
 	return true
 }
 // AncestorOf returns true if the other DN consists of at least one RDN followed by all the RDNs of the current DN.
 // "ou=widgets,o=acme.com" is an ancestor of "ou=sprockets,ou=widgets,o=acme.com"
 // "ou=widgets,o=acme.com" is not an ancestor of "ou=sprockets,ou=widgets,o=foo.com"
 // "ou=widgets,o=acme.com" is not an ancestor of "ou=widgets,o=acme.com"
 func (d *DN) AncestorOf(other *DN) bool {
 	if len(d.RDNs) >= len(other.RDNs) {
 		return false
 	}
 	// Take the last `len(d.RDNs)` RDNs from the other DN to compare against
 	otherRDNs := other.RDNs[len(other.RDNs)-len(d.RDNs):]
 	for i := range d.RDNs {
 		if !d.RDNs[i].Equal(otherRDNs[i]) {
 			return false
 		}
 	}
 	return true
 }
 // Equal returns true if the RelativeDNs are equal as defined by rfc4517 4.2.15 (distinguishedNameMatch).
 // Relative distinguished names are the same if and only if they have the same number of AttributeTypeAndValues
 // and each attribute of the first RDN is the same as the attribute of the second RDN with the same attribute type.
 // The order of attributes is not significant.
 // Case of attribute types is not significant.
 func (r *RelativeDN) Equal(other *RelativeDN) bool {
 	if len(r.Attributes) != len(other.Attributes) {
 		return false
 	}
 	return r.hasAllAttributes(other.Attributes) && other.hasAllAttributes(r.Attributes)
 }
 func (r *RelativeDN) hasAllAttributes(attrs []*AttributeTypeAndValue) bool {
 	for _, attr := range attrs {
 		found := false
 		for _, myattr := range r.Attributes {
 			if myattr.Equal(attr) {
 				found = true
 				break
 			}
 		}
 		if !found {
 			return false
 		}
 	}
 	return true
 }
 // Equal returns true if the AttributeTypeAndValue is equivalent to the specified AttributeTypeAndValue
 // Case of the attribute type is not significant
 func (a *AttributeTypeAndValue) Equal(other *AttributeTypeAndValue) bool {
 	return strings.EqualFold(a.Type, other.Type) && a.Value == other.Value
 }
--- a/vendor/gopkg.in/ldap.v2/doc.go
+++ b/vendor/gopkg.in/ldap.v2/doc.go
--- a/vendor/gopkg.in/ldap.v2/error.go
+++ b/vendor/gopkg.in/ldap.v2/error.go
@@ -0,0 +1,148 @@
 package ldap
 import (
 	"fmt"
 	"gopkg.in/asn1-ber.v1"
 )
 // LDAP Result Codes
 const (
 	LDAPResultSuccess                      = 0
 	LDAPResultOperationsError              = 1
 	LDAPResultProtocolError                = 2
 	LDAPResultTimeLimitExceeded            = 3
 	LDAPResultSizeLimitExceeded            = 4
 	LDAPResultCompareFalse                 = 5
 	LDAPResultCompareTrue                  = 6
 	LDAPResultAuthMethodNotSupported       = 7
 	LDAPResultStrongAuthRequired           = 8
 	LDAPResultReferral                     = 10
 	LDAPResultAdminLimitExceeded           = 11
 	LDAPResultUnavailableCriticalExtension = 12
 	LDAPResultConfidentialityRequired      = 13
 	LDAPResultSaslBindInProgress           = 14
 	LDAPResultNoSuchAttribute              = 16
 	LDAPResultUndefinedAttributeType       = 17
 	LDAPResultInappropriateMatching        = 18
 	LDAPResultConstraintViolation          = 19
 	LDAPResultAttributeOrValueExists       = 20
 	LDAPResultInvalidAttributeSyntax       = 21
 	LDAPResultNoSuchObject                 = 32
 	LDAPResultAliasProblem                 = 33
 	LDAPResultInvalidDNSyntax              = 34
 	LDAPResultAliasDereferencingProblem    = 36
 	LDAPResultInappropriateAuthentication  = 48
 	LDAPResultInvalidCredentials           = 49
 	LDAPResultInsufficientAccessRights     = 50
 	LDAPResultBusy                         = 51
 	LDAPResultUnavailable                  = 52
 	LDAPResultUnwillingToPerform           = 53
 	LDAPResultLoopDetect                   = 54
 	LDAPResultNamingViolation              = 64
 	LDAPResultObjectClassViolation         = 65
 	LDAPResultNotAllowedOnNonLeaf          = 66
 	LDAPResultNotAllowedOnRDN              = 67
 	LDAPResultEntryAlreadyExists           = 68
 	LDAPResultObjectClassModsProhibited    = 69
 	LDAPResultAffectsMultipleDSAs          = 71
 	LDAPResultOther                        = 80
 	ErrorNetwork            = 200
 	ErrorFilterCompile      = 201
 	ErrorFilterDecompile    = 202
 	ErrorDebugging          = 203
 	ErrorUnexpectedMessage  = 204
 	ErrorUnexpectedResponse = 205
 )
 // LDAPResultCodeMap contains string descriptions for LDAP error codes
 var LDAPResultCodeMap = map[uint8]string{
 	LDAPResultSuccess:                      "Success",
 	LDAPResultOperationsError:              "Operations Error",
 	LDAPResultProtocolError:                "Protocol Error",
 	LDAPResultTimeLimitExceeded:            "Time Limit Exceeded",
 	LDAPResultSizeLimitExceeded:            "Size Limit Exceeded",
 	LDAPResultCompareFalse:                 "Compare False",
 	LDAPResultCompareTrue:                  "Compare True",
 	LDAPResultAuthMethodNotSupported:       "Auth Method Not Supported",
 	LDAPResultStrongAuthRequired:           "Strong Auth Required",
 	LDAPResultReferral:                     "Referral",
 	LDAPResultAdminLimitExceeded:           "Admin Limit Exceeded",
 	LDAPResultUnavailableCriticalExtension: "Unavailable Critical Extension",
 	LDAPResultConfidentialityRequired:      "Confidentiality Required",
 	LDAPResultSaslBindInProgress:           "Sasl Bind In Progress",
 	LDAPResultNoSuchAttribute:              "No Such Attribute",
 	LDAPResultUndefinedAttributeType:       "Undefined Attribute Type",
 	LDAPResultInappropriateMatching:        "Inappropriate Matching",
 	LDAPResultConstraintViolation:          "Constraint Violation",
 	LDAPResultAttributeOrValueExists:       "Attribute Or Value Exists",
 	LDAPResultInvalidAttributeSyntax:       "Invalid Attribute Syntax",
 	LDAPResultNoSuchObject:                 "No Such Object",
 	LDAPResultAliasProblem:                 "Alias Problem",
 	LDAPResultInvalidDNSyntax:              "Invalid DN Syntax",
 	LDAPResultAliasDereferencingProblem:    "Alias Dereferencing Problem",
 	LDAPResultInappropriateAuthentication:  "Inappropriate Authentication",
 	LDAPResultInvalidCredentials:           "Invalid Credentials",
 	LDAPResultInsufficientAccessRights:     "Insufficient Access Rights",
 	LDAPResultBusy:                         "Busy",
 	LDAPResultUnavailable:                  "Unavailable",
 	LDAPResultUnwillingToPerform:           "Unwilling To Perform",
 	LDAPResultLoopDetect:                   "Loop Detect",
 	LDAPResultNamingViolation:              "Naming Violation",
 	LDAPResultObjectClassViolation:         "Object Class Violation",
 	LDAPResultNotAllowedOnNonLeaf:          "Not Allowed On Non Leaf",
 	LDAPResultNotAllowedOnRDN:              "Not Allowed On RDN",
 	LDAPResultEntryAlreadyExists:           "Entry Already Exists",
 	LDAPResultObjectClassModsProhibited:    "Object Class Mods Prohibited",
 	LDAPResultAffectsMultipleDSAs:          "Affects Multiple DSAs",
 	LDAPResultOther:                        "Other",
 }
 func getLDAPResultCode(packet *ber.Packet) (code uint8, description string) {
 	if packet == nil {
 		return ErrorUnexpectedResponse, "Empty packet"
 	} else if len(packet.Children) >= 2 {
 		response := packet.Children[1]
 		if response == nil {
 			return ErrorUnexpectedResponse, "Empty response in packet"
 		}
 		if response.ClassType == ber.ClassApplication && response.TagType == ber.TypeConstructed && len(response.Children) >= 3 {
 			// Children[1].Children[2] is the diagnosticMessage which is guaranteed to exist as seen here: https://tools.ietf.org/html/rfc4511#section-4.1.9
 			return uint8(response.Children[0].Value.(int64)), response.Children[2].Value.(string)
 		}
 	}
 	return ErrorNetwork, "Invalid packet format"
 }
 // Error holds LDAP error information
 type Error struct {
 	// Err is the underlying error
 	Err error
 	// ResultCode is the LDAP error code
 	ResultCode uint8
 }
 func (e *Error) Error() string {
 	return fmt.Sprintf("LDAP Result Code %d %q: %s", e.ResultCode, LDAPResultCodeMap[e.ResultCode], e.Err.Error())
 }
 // NewError creates an LDAP error with the given code and underlying error
 func NewError(resultCode uint8, err error) error {
 	return &Error{ResultCode: resultCode, Err: err}
 }
 // IsErrorWithCode returns true if the given error is an LDAP error with the given result code
 func IsErrorWithCode(err error, desiredResultCode uint8) bool {
 	if err == nil {
 		return false
 	}
 	serverError, ok := err.(*Error)
 	if !ok {
 		return false
 	}
 	return serverError.ResultCode == desiredResultCode
 }
--- a/vendor/gopkg.in/ldap.v2/filter.go
+++ b/vendor/gopkg.in/ldap.v2/filter.go
@@ -1,3 +1,7 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package ldap
 import (
@@ -78,10 +82,7 @@ func CompileFilter(filter string) (*ber.Packet, error) {
 	if err != nil {
 		return nil, err
 	}
-	switch {
+	if pos != len(filter) {
 	case pos > len(filter):
 		return nil, NewError(ErrorFilterCompile, errors.New("ldap: unexpected end of filter"))
 	case pos < len(filter):
 		return nil, NewError(ErrorFilterCompile, errors.New("ldap: finished compiling filter with extra at end: "+fmt.Sprint(filter[pos:])))
 	}
 	return packet, nil
--- a/vendor/gopkg.in/ldap.v2/ldap.go
+++ b/vendor/gopkg.in/ldap.v2/ldap.go
@@ -1,12 +1,15 @@
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package ldap
 import (
 	"errors"
 	"fmt"
 	"io/ioutil"
 	"os"
-	"gopkg.in/asn1-ber.v1"
+	ber "gopkg.in/asn1-ber.v1"
 )
 // LDAP Application Codes
@@ -98,13 +101,13 @@ func addLDAPDescriptions(packet *ber.Packet) (err error) {
 	switch application {
 	case ApplicationBindRequest:
-		err = addRequestDescriptions(packet)
+		addRequestDescriptions(packet)
 	case ApplicationBindResponse:
-		err = addDefaultLDAPResponseDescriptions(packet)
+		addDefaultLDAPResponseDescriptions(packet)
 	case ApplicationUnbindRequest:
-		err = addRequestDescriptions(packet)
+		addRequestDescriptions(packet)
 	case ApplicationSearchRequest:
-		err = addRequestDescriptions(packet)
+		addRequestDescriptions(packet)
 	case ApplicationSearchResultEntry:
 		packet.Children[1].Children[0].Description = "Object Name"
 		packet.Children[1].Children[1].Description = "Attributes"
@@ -117,88 +120,53 @@ func addLDAPDescriptions(packet *ber.Packet) (err error) {
 			}
 		}
 		if len(packet.Children) == 3 {
-			err = addControlDescriptions(packet.Children[2])
+			addControlDescriptions(packet.Children[2])
 		}
 	case ApplicationSearchResultDone:
-		err = addDefaultLDAPResponseDescriptions(packet)
+		addDefaultLDAPResponseDescriptions(packet)
 	case ApplicationModifyRequest:
-		err = addRequestDescriptions(packet)
+		addRequestDescriptions(packet)
 	case ApplicationModifyResponse:
 	case ApplicationAddRequest:
-		err = addRequestDescriptions(packet)
+		addRequestDescriptions(packet)
 	case ApplicationAddResponse:
 	case ApplicationDelRequest:
-		err = addRequestDescriptions(packet)
+		addRequestDescriptions(packet)
 	case ApplicationDelResponse:
 	case ApplicationModifyDNRequest:
-		err = addRequestDescriptions(packet)
+		addRequestDescriptions(packet)
 	case ApplicationModifyDNResponse:
 	case ApplicationCompareRequest:
-		err = addRequestDescriptions(packet)
+		addRequestDescriptions(packet)
 	case ApplicationCompareResponse:
 	case ApplicationAbandonRequest:
-		err = addRequestDescriptions(packet)
+		addRequestDescriptions(packet)
 	case ApplicationSearchResultReference:
 	case ApplicationExtendedRequest:
-		err = addRequestDescriptions(packet)
+		addRequestDescriptions(packet)
 	case ApplicationExtendedResponse:
 	}
-	return err
+	return nil
 }
-func addControlDescriptions(packet *ber.Packet) error {
+func addControlDescriptions(packet *ber.Packet) {
 	packet.Description = "Controls"
 	for _, child := range packet.Children {
 		var value *ber.Packet
 		controlType := ""
 		child.Description = "Control"
-		switch len(child.Children) {
+		child.Children[0].Description = "Control Type (" + ControlTypeMap[child.Children[0].Value.(string)] + ")"
-		case 0:
+		value := child.Children[1]
-			// at least one child is required for control type
+		if len(child.Children) == 3 {
 			return fmt.Errorf("at least one child is required for control type")
 		case 1:
 			// just type, no criticality or value
 			controlType = child.Children[0].Value.(string)
 			child.Children[0].Description = "Control Type (" + ControlTypeMap[controlType] + ")"
 		case 2:
 			controlType = child.Children[0].Value.(string)
 			child.Children[0].Description = "Control Type (" + ControlTypeMap[controlType] + ")"
 			// Children[1] could be criticality or value (both are optional)
 			// duck-type on whether this is a boolean
 			if _, ok := child.Children[1].Value.(bool); ok {
 				child.Children[1].Description = "Criticality"
 			} else {
 				child.Children[1].Description = "Control Value"
 				value = child.Children[1]
 			}
 		case 3:
 			// criticality and value present
 			controlType = child.Children[0].Value.(string)
 			child.Children[0].Description = "Control Type (" + ControlTypeMap[controlType] + ")"
 			child.Children[1].Description = "Criticality"
 			child.Children[2].Description = "Control Value"
 			value = child.Children[2]
 		default:
 			// more than 3 children is invalid
 			return fmt.Errorf("more than 3 children for control packet found")
 		}
 		value.Description = "Control Value"
-		if value == nil {
+		switch child.Children[0].Value.(string) {
 			continue
 		}
 		switch controlType {
 		case ControlTypePaging:
 			value.Description += " (Paging)"
 			if value.Value != nil {
-				valueChildren, err := ber.DecodePacketErr(value.Data.Bytes())
+				valueChildren := ber.DecodePacket(value.Data.Bytes())
 				if err != nil {
 					return fmt.Errorf("failed to decode data bytes: %s", err)
 				}
 				value.Data.Truncate(0)
 				value.Value = nil
 				valueChildren.Children[1].Value = valueChildren.Children[1].Data.Bytes()
@@ -211,10 +179,7 @@ func addControlDescriptions(packet *ber.Packet) error {
 		case ControlTypeBeheraPasswordPolicy:
 			value.Description += " (Password Policy - Behera Draft)"
 			if value.Value != nil {
-				valueChildren, err := ber.DecodePacketErr(value.Data.Bytes())
+				valueChildren := ber.DecodePacket(value.Data.Bytes())
 				if err != nil {
 					return fmt.Errorf("failed to decode data bytes: %s", err)
 				}
 				value.Data.Truncate(0)
 				value.Value = nil
 				value.AppendChild(valueChildren)
@@ -223,29 +188,23 @@ func addControlDescriptions(packet *ber.Packet) error {
 			for _, child := range sequence.Children {
 				if child.Tag == 0 {
 					//Warning
-					warningPacket := child.Children[0]
+					child := child.Children[0]
-					packet, err := ber.DecodePacketErr(warningPacket.Data.Bytes())
+					packet := ber.DecodePacket(child.Data.Bytes())
 					if err != nil {
 						return fmt.Errorf("failed to decode data bytes: %s", err)
 					}
 					val, ok := packet.Value.(int64)
 					if ok {
-						if warningPacket.Tag == 0 {
+						if child.Tag == 0 {
 							//timeBeforeExpiration
 							value.Description += " (TimeBeforeExpiration)"
-							warningPacket.Value = val
+							child.Value = val
-						} else if warningPacket.Tag == 1 {
+						} else if child.Tag == 1 {
 							//graceAuthNsRemaining
 							value.Description += " (GraceAuthNsRemaining)"
-							warningPacket.Value = val
+							child.Value = val
 						}
 					}
 				} else if child.Tag == 1 {
 					// Error
-					packet, err := ber.DecodePacketErr(child.Data.Bytes())
+					packet := ber.DecodePacket(child.Data.Bytes())
 					if err != nil {
 						return fmt.Errorf("failed to decode data bytes: %s", err)
 					}
 					val, ok := packet.Value.(int8)
 					if !ok {
 						val = -1
@@ -256,31 +215,28 @@ func addControlDescriptions(packet *ber.Packet) error {
 			}
 		}
 	}
 	return nil
 }
-func addRequestDescriptions(packet *ber.Packet) error {
+func addRequestDescriptions(packet *ber.Packet) {
 	packet.Description = "LDAP Request"
 	packet.Children[0].Description = "Message ID"
 	packet.Children[1].Description = ApplicationMap[uint8(packet.Children[1].Tag)]
 	if len(packet.Children) == 3 {
-		return addControlDescriptions(packet.Children[2])
+		addControlDescriptions(packet.Children[2])
 	}
 	return nil
 }
-func addDefaultLDAPResponseDescriptions(packet *ber.Packet) error {
+func addDefaultLDAPResponseDescriptions(packet *ber.Packet) {
-	err := GetLDAPError(packet)
+	resultCode, _ := getLDAPResultCode(packet)
-	packet.Children[1].Children[0].Description = "Result Code (" + LDAPResultCodeMap[err.(*Error).ResultCode] + ")"
+	packet.Children[1].Children[0].Description = "Result Code (" + LDAPResultCodeMap[resultCode] + ")"
-	packet.Children[1].Children[1].Description = "Matched DN (" + err.(*Error).MatchedDN + ")"
+	packet.Children[1].Children[1].Description = "Matched DN"
 	packet.Children[1].Children[2].Description = "Error Message"
 	if len(packet.Children[1].Children) > 3 {
 		packet.Children[1].Children[3].Description = "Referral"
 	}
 	if len(packet.Children) == 3 {
-		return addControlDescriptions(packet.Children[2])
+		addControlDescriptions(packet.Children[2])
 	}
 	return nil
 }
 // DebugBinaryFile reads and prints packets from the given filename
@@ -290,13 +246,8 @@ func DebugBinaryFile(fileName string) error {
 		return NewError(ErrorDebugging, err)
 	}
 	ber.PrintBytes(os.Stdout, file, "")
-	packet, err := ber.DecodePacketErr(file)
+	packet := ber.DecodePacket(file)
-	if err != nil {
+	addLDAPDescriptions(packet)
 		return fmt.Errorf("failed to decode packet: %s", err)
 	}
 	if err := addLDAPDescriptions(packet); err != nil {
 		return err
 	}
 	ber.PrintPacket(packet)
 	return nil
--- a/vendor/gopkg.in/ldap.v2/modify.go
+++ b/vendor/gopkg.in/ldap.v2/modify.go
@@ -1,3 +1,7 @@
 // Copyright 2014 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 //
 // File contains Modify functionality
 //
 // https://tools.ietf.org/html/rfc4511
@@ -58,56 +62,54 @@ func (p *PartialAttribute) encode() *ber.Packet {
 	return seq
 }
 // Change for a ModifyRequest as defined in https://tools.ietf.org/html/rfc4511
 type Change struct {
 	// Operation is the type of change to be made
 	Operation uint
 	// Modification is the attribute to be modified
 	Modification PartialAttribute
 }
 func (c *Change) encode() *ber.Packet {
 	change := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "Change")
 	change.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagEnumerated, uint64(c.Operation), "Operation"))
 	change.AppendChild(c.Modification.encode())
 	return change
 }
 // ModifyRequest as defined in https://tools.ietf.org/html/rfc4511
 type ModifyRequest struct {
 	// DN is the distinguishedName of the directory entry to modify
 	DN string
-	// Changes contain the attributes to modify
+	// AddAttributes contain the attributes to add
-	Changes []Change
+	AddAttributes []PartialAttribute
-	// Controls hold optional controls to send with the request
+	// DeleteAttributes contain the attributes to delete
-	Controls []Control
+	DeleteAttributes []PartialAttribute
 	// ReplaceAttributes contain the attributes to replace
 	ReplaceAttributes []PartialAttribute
 }
-// Add appends the given attribute to the list of changes to be made
+// Add inserts the given attribute to the list of attributes to add
 func (m *ModifyRequest) Add(attrType string, attrVals []string) {
-	m.appendChange(AddAttribute, attrType, attrVals)
+	m.AddAttributes = append(m.AddAttributes, PartialAttribute{Type: attrType, Vals: attrVals})
 }
-// Delete appends the given attribute to the list of changes to be made
+// Delete inserts the given attribute to the list of attributes to delete
 func (m *ModifyRequest) Delete(attrType string, attrVals []string) {
-	m.appendChange(DeleteAttribute, attrType, attrVals)
+	m.DeleteAttributes = append(m.DeleteAttributes, PartialAttribute{Type: attrType, Vals: attrVals})
 }
-// Replace appends the given attribute to the list of changes to be made
+// Replace inserts the given attribute to the list of attributes to replace
 func (m *ModifyRequest) Replace(attrType string, attrVals []string) {
-	m.appendChange(ReplaceAttribute, attrType, attrVals)
+	m.ReplaceAttributes = append(m.ReplaceAttributes, PartialAttribute{Type: attrType, Vals: attrVals})
 }
 func (m *ModifyRequest) appendChange(operation uint, attrType string, attrVals []string) {
 	m.Changes = append(m.Changes, Change{operation, PartialAttribute{Type: attrType, Vals: attrVals}})
 }
 func (m ModifyRequest) encode() *ber.Packet {
 	request := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationModifyRequest, nil, "Modify Request")
 	request.AppendChild(ber.NewString(ber.ClassUniversal, ber.TypePrimitive, ber.TagOctetString, m.DN, "DN"))
 	changes := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "Changes")
-	for _, change := range m.Changes {
+	for _, attribute := range m.AddAttributes {
-		changes.AppendChild(change.encode())
+		change := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "Change")
 		change.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagEnumerated, uint64(AddAttribute), "Operation"))
 		change.AppendChild(attribute.encode())
 		changes.AppendChild(change)
 	}
 	for _, attribute := range m.DeleteAttributes {
 		change := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "Change")
 		change.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagEnumerated, uint64(DeleteAttribute), "Operation"))
 		change.AppendChild(attribute.encode())
 		changes.AppendChild(change)
 	}
 	for _, attribute := range m.ReplaceAttributes {
 		change := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "Change")
 		change.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagEnumerated, uint64(ReplaceAttribute), "Operation"))
 		change.AppendChild(attribute.encode())
 		changes.AppendChild(change)
 	}
 	request.AppendChild(changes)
 	return request
@@ -116,11 +118,9 @@ func (m ModifyRequest) encode() *ber.Packet {
 // NewModifyRequest creates a modify request for the given DN
 func NewModifyRequest(
 	dn string,
 	controls []Control,
 ) *ModifyRequest {
 	return &ModifyRequest{
-		DN:       dn,
+		DN: dn,
 		Controls: controls,
 	}
 }
@@ -129,9 +129,6 @@ func (l *Conn) Modify(modifyRequest *ModifyRequest) error {
 	packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
 	packet.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, l.nextMessageID(), "MessageID"))
 	packet.AppendChild(modifyRequest.encode())
 	if len(modifyRequest.Controls) > 0 {
 		packet.AppendChild(encodeControls(modifyRequest.Controls))
 	}
 	l.Debug.PrintPacket(packet)
@@ -160,9 +157,9 @@ func (l *Conn) Modify(modifyRequest *ModifyRequest) error {
 	}
 	if packet.Children[1].Tag == ApplicationModifyResponse {
-		err := GetLDAPError(packet)
+		resultCode, resultDescription := getLDAPResultCode(packet)
-		if err != nil {
+		if resultCode != 0 {
-			return err
+			return NewError(resultCode, errors.New(resultDescription))
 		}
 	} else {
 		log.Printf("Unexpected Response: %d", packet.Children[1].Tag)
--- a/Show More
+++ b/Show More