Enabling branch protection rules disables api requests without authorization token

[mattiasbpersson]

• Gitea version (or commit ref): Powered by Gitea Version: 1.11.3
• Git version: 2.17.1
• Operating system: Ubuntu
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • [ x] Yes (provide example URL) https://try.gitea.io/mattiasbpersson/test/settings/branches/master
  • No
  • Not relevant
• Log gist:

Description

When enabling "Branch Protection for Branch" you are no longer able to request the api for:
https://try.gitea.io/api/v1/repos/mattiasbpersson/test/branches

Example code run in script console in Jenkins:

import groovy.json.JsonSlurper

def REPO = "led-deploy"
def DEFAULT_BRANCH = "master"

List<String> branches = [DEFAULT_BRANCH]

URL url = new URL("https://try.gitea.io/api/v1/repos/mattiasbpersson/test/branches")

final slurper = new JsonSlurper()
def json = slurper.parse(url)
json.each { item ->
  branches << item.name
}

If branch protection is disabled master branch is returned. If it is enabled you get:
java.io.IOException: Server returned HTTP response code: 500 for URL: https://try.gitea.io/api/v1/repos/mattiasbpersson/test/branches
...

[guillep2k]

Could you please check your error log? There should be some error entries ([E]) related to that action that could be useful.

[mattiasbpersson]

Will try to find the logs too. Checked this PR and it (#9031) looks related:
https://github.com/go-gitea/gitea/pull/9031/files

[mattiasbpersson]

Is this enough?

2020/03/17 10:35:38 ...les/context/panic.go:35:1() [E] PANIC:: runtime error: invalid memory address or nil pointer dereference /usr/local/go/src/runtime/panic.go:199 (0x44c81b) /usr/local/go/src/runtime/signal_unix.go:394 (0x44c658) /go/src/code.gitea.io/gitea/modules/convert/convert.go:53 (0x1655835) /go/src/code.gitea.io/gitea/routers/api/v1/repo/branch.go:116 (0x1719038) /usr/local/go/src/reflect/value.go:460 (0x497965) /usr/local/go/src/reflect/value.go:321 (0x497123) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/inject/inject.go:177 (0x9b7de9) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/inject/inject.go:137 (0x9b7799) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/macaron/context.go:121 (0x9e8968) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/macaron/context.go:112 (0xffd191) /go/src/code.gitea.io/gitea/modules/context/panic.go:39 (0xffd17d) /usr/local/go/src/reflect/value.go:460 (0x497965) /usr/local/go/src/reflect/value.go:321 (0x497123) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/inject/inject.go:177 (0x9b7de9) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/inject/inject.go:137 (0x9b7799) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/macaron/context.go:121 (0x9e8968) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/macaron/context.go:112 (0xab6eb5) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/session/session.go:192 (0xab6ea0) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/macaron/context.go:79 (0x9e8810) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/inject/inject.go:157 (0x9b7af9) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/inject/inject.go:135 (0x9b7888) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/macaron/context.go:121 (0x9e8968) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/macaron/context.go:112 (0x9f9f49) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/macaron/recovery.go:161 (0x9f9f37) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/macaron/logger.go:40 (0x9ec4e3) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/inject/inject.go:157 (0x9b7af9) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/inject/inject.go:135 (0x9b7888) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/macaron/context.go:121 (0x9e8968) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/macaron/context.go:112 (0x180d616) /go/src/code.gitea.io/gitea/routers/routes/routes.go:67 (0x180d601) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/macaron/context.go:79 (0x9e8810) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/inject/inject.go:157 (0x9b7af9) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/inject/inject.go:135 (0x9b7888) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/macaron/context.go:121 (0x9e8968) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/macaron/context.go:112 (0x180de5c) /go/src/code.gitea.io/gitea/routers/routes/routes.go:102 (0x180de47) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/macaron/context.go:79 (0x9e8810) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/inject/inject.go:157 (0x9b7af9) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/inject/inject.go:135 (0x9b7888) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/macaron/context.go:121 (0x9e8968) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/macaron/router.go:187 (0x9fb166) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/macaron/router.go:303 (0x9f4b45) /go/src/code.gitea.io/gitea/vendor/gitea.com/macaron/macaron/macaron.go:218 (0x9ed87a) /go/src/code.gitea.io/gitea/vendor/github.com/gorilla/context/context.go:141 (0xd3bc7d) /usr/local/go/src/net/http/server.go:2007 (0x757ba3) /usr/local/go/src/net/http/server.go:2802 (0x75aff3) /usr/local/go/src/net/http/server.go:1890 (0x756994) /usr/local/go/src/runtime/asm_amd64.s:1357 (0x466fb0)

[guillep2k]

Could you please provide the exact Gitea version this log comes from, so I can match with the sources? 1.13.8 is the version of Go used to build Gitea, not Gitea's version.

I can tell that the code around those lines is the culprit, but routers/api/v1/repo/branch.go:116 seems to point to an older version of the current file.

Note: I've tried with your link to try.gitea.io, but your repository seems private. It's expected that the call would fail, only not with error 500 but 404.

[mattiasbpersson]

I've updated the version, and think I added you as admin for: https://try.gitea.io/mattiasbpersson/test