fix(api): filter list-column-issues by project_board_id

ListProjectColumnIssues was returning every issue in the project regardless of which column was requested. The handler set ProjectIDs but had no way to constrain to a specific column, and applyProjectCondition only joined project_issue on project_id. Add IssuesOptions.ProjectColumnID and extend the single-project branch of applyProjectCondition to include project_board_id in the JOIN when set. Strengthen the integration test: previously it placed two issues in the project (default column) and asserted a column listing returned 2, which masked the bug. Now create two distinct columns, move one issue into each, and verify each column's listing returns exactly the issue it owns. Reported during e2e validation on git.oleks.space against the production fork (1.26.0-unstable-2026-05-11). Worth back-porting to upstream PR #37518.
chore(ddev): add build-gitea-frontend command
2026-05-12 16:12:42 +03:00 · 2026-05-11 17:14:35 +03:00 · 2026-05-11 16:57:08 +03:00 · 2026-05-11 15:58:32 +03:00 · 2026-05-11 15:58:29 +03:00 · 2026-05-11 15:53:17 +03:00
30 changed files with 4553 additions and 195 deletions
@@ -0,0 +1,18 @@
+# Whitelist approach: ignore everything in .ddev by default, then re-include
+# the files we author. DDEV regenerates the rest on `ddev start`.
+*
+!.gitignore
+!config.yaml
+!web-build/
+web-build/*
+!web-build/Dockerfile
+!commands/
+commands/*
+!commands/web/
+commands/web/*
+!commands/web/build-gitea
+!commands/web/build-gitea-frontend
+!gitea/
+gitea/*
+!gitea/app.ini
+!gitea/.gitignore
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+## Description: Build the gitea backend binary inside the web container
+## Usage: build-gitea
+## Example: ddev build-gitea
+
+set -eu
+cd /var/www/html
+echo "Building gitea backend (cgo, sqlite + sqlite_unlock_notify tags)..."
+make backend
+echo "Done. Restart the daemon: ddev restart"
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+## Description: Build the gitea frontend assets (CSS/JS) inside the web container
+## Usage: build-gitea-frontend
+## Example: ddev build-gitea-frontend
+
+set -eu
+cd /var/www/html
+echo "Installing frontend deps and building assets..."
+make deps-frontend
+make frontend
+echo "Done."
@@ -0,0 +1,31 @@
+name: gitea
+type: generic
+docroot: .
+webserver_type: generic
+nodejs_version: "24"
+corepack_enable: true
+
+webimage_extra_packages:
+  - make
+  - build-essential
+  - libsqlite3-dev
+
+database:
+  type: postgres
+  version: "17"
+
+# Route HTTPS (gitea.ddev.site) to gitea's port 3000 inside the web container
+web_extra_exposed_ports:
+  - name: gitea
+    container_port: 3000
+    http_port: 80
+    https_port: 443
+
+web_extra_daemons:
+  - name: gitea-web
+    command: "/var/www/html/gitea web --config /var/www/html/.ddev/gitea/app.ini"
+    directory: /var/www/html
+
+web_environment:
+  - GITEA_WORK_DIR=/var/www/html
+  - GITEA_CUSTOM=/var/www/html/.ddev/gitea
@@ -0,0 +1,5 @@
+data/
+repositories/
+indexers/
+queues/
+log/
@@ -0,0 +1,60 @@
+APP_NAME = Gitea (DDEV)
+RUN_MODE = dev
+WORK_PATH = /var/www/html
+
+[server]
+PROTOCOL = http
+HTTP_ADDR = 0.0.0.0
+HTTP_PORT = 3000
+DOMAIN = gitea.ddev.site
+ROOT_URL = https://gitea.ddev.site/
+SSH_DOMAIN = gitea.ddev.site
+DISABLE_SSH = true
+APP_DATA_PATH = /var/www/html/.ddev/gitea/data
+LFS_START_SERVER = false
+OFFLINE_MODE = true
+
+[database]
+DB_TYPE = postgres
+HOST = db:5432
+NAME = db
+USER = db
+PASSWD = db
+SSL_MODE = disable
+SCHEMA = public
+
+[repository]
+ROOT = /var/www/html/.ddev/gitea/repositories
+
+[security]
+INSTALL_LOCK = true
+SECRET_KEY = ddev-gitea-secret-key-placeholder
+INTERNAL_TOKEN = ddev-gitea-internal-token-placeholder
+
+[service]
+DISABLE_REGISTRATION = false
+REQUIRE_SIGNIN_VIEW = false
+DEFAULT_KEEP_EMAIL_PRIVATE = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+
+[log]
+ROOT_PATH = /var/www/html/.ddev/gitea/log
+MODE = console
+LEVEL = info
+
+[session]
+PROVIDER = memory
+
+[mailer]
+ENABLED = false
+
+[indexer]
+ISSUE_INDEXER_PATH = /var/www/html/.ddev/gitea/indexers/issues.bleve
+REPO_INDEXER_PATH = /var/www/html/.ddev/gitea/indexers/repos.bleve
+
+[queue]
+TYPE = level
+DATADIR = /var/www/html/.ddev/gitea/queues
+
+[oauth2]
+JWT_SECRET = Ox7IRtBouaVq1kogqXCOce5NZLi0OL42SbkRKLZvHY4
@@ -0,0 +1,25 @@
+ARG BASE_IMAGE
+FROM $BASE_IMAGE
+
+# Install Go 1.26 — DDEV's base image doesn't ship Go
+ENV GO_VERSION=1.26.3
+RUN set -eux; \
+    arch="$(dpkg --print-architecture)"; \
+    case "$arch" in \
+      amd64)  GO_ARCH=amd64 ;; \
+      arm64)  GO_ARCH=arm64 ;; \
+      *)      echo "unsupported arch $arch" >&2; exit 1 ;; \
+    esac; \
+    curl -fsSL "https://go.dev/dl/go${GO_VERSION}.linux-${GO_ARCH}.tar.gz" -o /tmp/go.tgz; \
+    tar -C /usr/local -xzf /tmp/go.tgz; \
+    rm /tmp/go.tgz
+ENV GOPATH=/var/www/html/.ddev/gocache/path
+ENV GOCACHE=/var/www/html/.ddev/gocache/build
+ENV PATH="/usr/local/go/bin:${GOPATH}/bin:${PATH}"
+
+# git, build-essential, sqlite, and node 24 are already in the ddev-webserver base
+RUN go version
+
+# Pre-warm pnpm cache root for the build step
+ENV PNPM_HOME=/var/www/html/.ddev/gocache/pnpm
+ENV PATH="${PNPM_HOME}:${PATH}"
@@ -27,67 +27,72 @@
    {
      devShells = forEachSupportedSystem (
        { pkgs, ... }:
+        let
+          inherit (pkgs) lib;
+
+          # only bump toolchain versions here
+          go = pkgs.go_1_26;
+          nodejs = pkgs.nodejs_24;
+          python3 = pkgs.python314;
+          pnpm = pkgs.pnpm_10;
+
+          commonPackages = with pkgs; [
+            # generic
+            git
+            git-lfs
+            gnumake
+            gnused
+            gnutar
+            gzip
+            zip
+
+            # frontend
+            nodejs
+            pnpm
+            cairo
+            pixman
+            pkg-config
+
+            # linting
+            python3
+            uv
+
+            # backend
+            go
+            gofumpt
+            sqlite
+            golangci-lint
+            govulncheck
+            tea
+          ];
+
+          commonEnv = {
+            GO = "${go}/bin/go";
+            GOROOT = "${go}/share/go";
+            TAGS = "";
+          };
+        in
        {
-          default =
-            let
-              inherit (pkgs) lib;
+          # production build shell: cgo links statically against glibc.static
+          default = pkgs.mkShell {
+            packages = commonPackages ++ lib.optionals pkgs.stdenv.isLinux [ pkgs.glibc.static ];

-              # only bump toolchain versions here
-              go = pkgs.go_1_26;
-              nodejs = pkgs.nodejs_24;
-              python3 = pkgs.python314;
-              pnpm = pkgs.pnpm_10;
-
-              # Platform-specific dependencies
-              linuxOnlyInputs = lib.optionals pkgs.stdenv.isLinux [
-                pkgs.glibc.static
-              ];
-
-              linuxOnlyEnv = lib.optionalAttrs pkgs.stdenv.isLinux {
+            env =
+              commonEnv
+              // {
+                STATIC = "true";
+              }
+              // lib.optionalAttrs pkgs.stdenv.isLinux {
                CFLAGS = "-I${pkgs.glibc.static.dev}/include";
                LDFLAGS = "-L ${pkgs.glibc.static}/lib";
              };
-            in
-            pkgs.mkShell {
-              packages =
-                with pkgs;
-                [
-                  # generic
-                  git
-                  git-lfs
-                  gnumake
-                  gnused
-                  gnutar
-                  gzip
-                  zip
+          };

-                  # frontend
-                  nodejs
-                  pnpm
-                  cairo
-                  pixman
-                  pkg-config
-
-                  # linting
-                  python3
-                  uv
-
-                  # backend
-                  go
-                  gofumpt
-                  sqlite
-                ]
-                ++ linuxOnlyInputs;
-
-              env = {
-                GO = "${go}/bin/go";
-                GOROOT = "${go}/share/go";
-
-                TAGS = "";
-                STATIC = "true";
-              }
-              // linuxOnlyEnv;
-            };
+          # test/dev shell: no static glibc — avoids cgo NSS segfaults in `go test`
+          test = pkgs.mkShell {
+            packages = commonPackages;
+            env = commonEnv;
+          };
        }
      );
    };
@@ -22,7 +22,11 @@ import (
 	"xorm.io/xorm"
 )

-const ScopeSortPrefix = "scope-"
+const (
+	ScopeSortPrefix = "scope-"
+	// SortTypeProjectColumnSorting orders issues within a project column by their project_issue.sorting value.
+	SortTypeProjectColumnSorting = "project-column-sorting"
+)

 // IssuesOptions represents options of an issue.
 type IssuesOptions struct { //nolint:revive // export stutter
@@ -38,6 +42,7 @@ type IssuesOptions struct { //nolint:revive // export stutter
 	SubscriberID       int64
 	MilestoneIDs       []int64
 	ProjectIDs         []int64
+	ProjectColumnID    int64
 	IsClosed           optional.Option[bool]
 	IsPull             optional.Option[bool]
 	LabelIDs           []int64
@@ -122,7 +127,7 @@ func applySorts(sess *xorm.Session, sortType string, priorityRepoID int64) {
 			"ELSE 2 END ASC", priorityRepoID).
 			Desc("issue.created_unix").
 			Desc("issue.id")
-	case "project-column-sorting":
+	case SortTypeProjectColumnSorting:
 		sess.Asc("project_issue.sorting").Desc("issue.created_unix").Desc("issue.id")
 	default:
 		sess.Desc("issue.created_unix").Desc("issue.id")
@@ -202,7 +207,13 @@ func applyProjectCondition(sess *xorm.Session, opts *IssuesOptions) {
 	if len(projectIDs) == 1 && projectIDs[0] == db.NoConditionID { // show those that are in no project
 		sess.And(builder.NotIn("issue.id", builder.Select("issue_id").From("project_issue")))
 	} else if len(projectIDs) == 1 && projectIDs[0] > 0 { // single specific project
-		sess.Join("INNER", "project_issue", "issue.id = project_issue.issue_id AND project_issue.project_id = ?", projectIDs[0])
+		if opts.ProjectColumnID > 0 {
+			sess.Join("INNER", "project_issue",
+				"issue.id = project_issue.issue_id AND project_issue.project_id = ? AND project_issue.project_board_id = ?",
+				projectIDs[0], opts.ProjectColumnID)
+		} else {
+			sess.Join("INNER", "project_issue", "issue.id = project_issue.issue_id AND project_issue.project_id = ?", projectIDs[0])
+		}
 	} else if len(projectIDs) > 1 { // multiple projects
 		// FIXME: ISSUE-MULTIPLE-PROJECTS-FILTER: this logic is not right, it should use "AND" but not "OR"
 		sess.And(builder.In("issue.id", builder.Select("issue_id").From("project_issue").Where(builder.In("project_id", projectIDs))))
@@ -337,20 +337,6 @@ func SetDefaultColumn(ctx context.Context, projectID, columnID int64) error {
 	})
 }

-func GetColumnsByIDs(ctx context.Context, projectID int64, columnsIDs []int64) (ColumnList, error) {
-	columns := make([]*Column, 0, 5)
-	if len(columnsIDs) == 0 {
-		return columns, nil
-	}
-	if err := db.GetEngine(ctx).
-		Where("project_id =?", projectID).
-		In("id", columnsIDs).
-		OrderBy("sorting").Find(&columns); err != nil {
-		return nil, err
-	}
-	return columns, nil
-}
-
 // MoveColumnsOnProject sorts columns in a project
 func MoveColumnsOnProject(ctx context.Context, project *Project, sortedColumnIDs map[int64]int64) error {
 	return db.WithTx(ctx, func(ctx context.Context) error {
@@ -0,0 +1,42 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package project
+
+import (
+	"context"
+
+	"code.gitea.io/gitea/models/db"
+)
+
+// CountProjectColumns returns the total number of columns for a project
+func CountProjectColumns(ctx context.Context, projectID int64) (int64, error) {
+	return db.GetEngine(ctx).Where("project_id=?", projectID).Count(&Column{})
+}
+
+// GetProjectColumns returns a list of columns for a project with pagination
+func GetProjectColumns(ctx context.Context, projectID int64, opts db.ListOptions) (ColumnList, error) {
+	columns := make([]*Column, 0, opts.PageSize)
+	s := db.GetEngine(ctx).Where("project_id=?", projectID).OrderBy("sorting, id")
+	if !opts.IsListAll() {
+		db.SetSessionPagination(s, &opts)
+	}
+	if err := s.Find(&columns); err != nil {
+		return nil, err
+	}
+	return columns, nil
+}
+
+func GetColumnsByIDs(ctx context.Context, projectID int64, columnsIDs []int64) (ColumnList, error) {
+	columns := make([]*Column, 0, len(columnsIDs))
+	if len(columnsIDs) == 0 {
+		return columns, nil
+	}
+	if err := db.GetEngine(ctx).
+		Where("project_id =?", projectID).
+		In("id", columnsIDs).
+		OrderBy("sorting").Find(&columns); err != nil {
+		return nil, err
+	}
+	return columns, nil
+}
@@ -0,0 +1,66 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package project
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/unittest"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestProjectColumns(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	t.Run("CountProjectColumns", testCountProjectColumns)
+	t.Run("GetProjectColumns", testGetProjectColumns)
+	t.Run("GetColumnsByIDs", testGetColumnsByIDs)
+}
+
+func testCountProjectColumns(t *testing.T) {
+	project, err := GetProjectByID(t.Context(), 1)
+	assert.NoError(t, err)
+
+	count, err := CountProjectColumns(t.Context(), project.ID)
+	assert.NoError(t, err)
+	assert.EqualValues(t, 3, count)
+}
+
+func testGetProjectColumns(t *testing.T) {
+	project, err := GetProjectByID(t.Context(), 1)
+	assert.NoError(t, err)
+
+	// Page 1, limit 2 — returns first 2 columns
+	page1, err := GetProjectColumns(t.Context(), project.ID, db.ListOptions{Page: 1, PageSize: 2})
+	assert.NoError(t, err)
+	assert.Len(t, page1, 2)
+
+	// Page 2, limit 2 — returns remaining column
+	page2, err := GetProjectColumns(t.Context(), project.ID, db.ListOptions{Page: 2, PageSize: 2})
+	assert.NoError(t, err)
+	assert.Len(t, page2, 1)
+
+	// Page 1 and page 2 together cover all columns with no overlap
+	allIDs := make(map[int64]bool)
+	for _, c := range append(page1, page2...) {
+		assert.False(t, allIDs[c.ID], "duplicate column ID %d across pages", c.ID)
+		allIDs[c.ID] = true
+	}
+	assert.Len(t, allIDs, 3)
+}
+
+func testGetColumnsByIDs(t *testing.T) {
+	project, err := GetProjectByID(t.Context(), 1)
+	assert.NoError(t, err)
+
+	columns, err := GetColumnsByIDs(t.Context(), project.ID, []int64{1, 3, 4})
+	assert.NoError(t, err)
+	assert.Len(t, columns, 2)
+	assert.ElementsMatch(t, []int64{1, 3}, []int64{columns[0].ID, columns[1].ID})
+
+	empty, err := GetColumnsByIDs(t.Context(), project.ID, nil)
+	assert.NoError(t, err)
+	assert.Empty(t, empty)
+}
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"testing"

+	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/unittest"

 	"github.com/stretchr/testify/assert"
@@ -79,7 +80,7 @@ func Test_MoveColumnsOnProject(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())

 	project1 := unittest.AssertExistsAndLoadBean(t, &Project{ID: 1})
-	columns, err := project1.GetColumns(t.Context())
+	columns, err := GetProjectColumns(t.Context(), project1.ID, db.ListOptionsAll)
 	assert.NoError(t, err)
 	assert.Len(t, columns, 3)
 	assert.EqualValues(t, 0, columns[0].Sorting) // even if there is no default sorting, the code should also work
@@ -93,7 +94,7 @@ func Test_MoveColumnsOnProject(t *testing.T) {
 	})
 	assert.NoError(t, err)

-	columnsAfter, err := project1.GetColumns(t.Context())
+	columnsAfter, err := GetProjectColumns(t.Context(), project1.ID, db.ListOptionsAll)
 	assert.NoError(t, err)
 	assert.Len(t, columnsAfter, 3)
 	assert.Equal(t, columns[1].ID, columnsAfter[0].ID)
@@ -105,7 +106,7 @@ func Test_NewColumn(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())

 	project1 := unittest.AssertExistsAndLoadBean(t, &Project{ID: 1})
-	columns, err := project1.GetColumns(t.Context())
+	columns, err := GetProjectColumns(t.Context(), project1.ID, db.ListOptionsAll)
 	assert.NoError(t, err)
 	assert.Len(t, columns, 3)

@@ -33,6 +33,14 @@ func deleteProjectIssuesByProjectID(ctx context.Context, projectID int64) error
 	return err
 }

+func IsIssueInColumn(ctx context.Context, issueID, projectID, columnID int64) (bool, error) {
+	return db.GetEngine(ctx).Exist(&ProjectIssue{
+		IssueID:         issueID,
+		ProjectID:       projectID,
+		ProjectColumnID: columnID,
+	})
+}
+
 // GetColumnIssueNextSorting returns the sorting value to append an issue at the end of the column.
 func GetColumnIssueNextSorting(ctx context.Context, projectID, columnID int64) (int64, error) {
 	res := struct {
@@ -87,3 +95,19 @@ func DeleteAllProjectIssueByIssueIDsAndProjectIDs(ctx context.Context, issueIDs,
 	_, err := db.GetEngine(ctx).In("project_id", projectIDs).In("issue_id", issueIDs).Delete(&ProjectIssue{})
 	return err
 }
+
+// MoveIssueToColumn moves a single issue to a specific column within a project.
+func MoveIssueToColumn(ctx context.Context, issueID, projectID, columnID int64) error {
+	nextSorting, err := GetColumnIssueNextSorting(ctx, projectID, columnID)
+	if err != nil {
+		return err
+	}
+	_, err = db.GetEngine(ctx).
+		Where("issue_id=? AND project_id=?", issueID, projectID).
+		Cols("project_board_id", "sorting").
+		Update(&ProjectIssue{
+			ProjectColumnID: columnID,
+			Sorting:         nextSorting,
+		})
+	return err
+}
@@ -97,7 +97,7 @@ func ToSearchOptions(keyword string, opts *issues_model.IssuesOptions) *SearchOp
 		searchOpt.SortBy = SortByDeadlineAsc
 	case "farduedate":
 		searchOpt.SortBy = SortByDeadlineDesc
-	case "priority", "priorityrepo", "project-column-sorting":
+	case "priority", "priorityrepo", issues_model.SortTypeProjectColumnSorting:
 		// Unsupported sort type for search
 		fallthrough
 	default:
@@ -7,27 +7,101 @@ import (
 	"time"
 )

-// Project represents a project
+// Project represents a project.
+//
+// Gitea projects can only contain issues — note cards and pull requests are
+// not modeled as project items.
+//
 // swagger:model
 type Project struct {
-	// ID is the unique identifier for the project
-	ID int64 `json:"id"`
-	// Title is the title of the project
-	Title string `json:"title"`
-	// Description provides details about the project
-	Description string `json:"description"`
-	// OwnerID is the owner of the project (for org-level projects)
-	OwnerID int64 `json:"owner_id,omitempty"`
-	// RepoID is the repository this project belongs to (for repo-level projects)
-	RepoID int64 `json:"repo_id,omitempty"`
-	// CreatorID is the user who created the project
-	CreatorID int64 `json:"creator_id"`
-	// IsClosed indicates if the project is closed
-	IsClosed bool `json:"is_closed"`
+	ID          int64     `json:"id"`
+	Title       string    `json:"title"`
+	Description string    `json:"description"`
+	OwnerID     int64     `json:"owner_id,omitempty"`
+	RepoID      int64     `json:"repo_id,omitempty"`
+	Creator     *User     `json:"creator,omitempty"`
+	State       StateType `json:"state"`
+	// Template type: "none", "basic_kanban" or "bug_triage"
+	TemplateType string `json:"template_type"`
+	// Card type: "text_only" or "images_and_text"
+	CardType string `json:"card_type"`
+	// Project type: "individual", "repository" or "organization"
+	Type            string `json:"type"`
+	NumOpenIssues   int64  `json:"num_open_issues,omitempty"`
+	NumClosedIssues int64  `json:"num_closed_issues,omitempty"`
+	NumIssues       int64  `json:"num_issues,omitempty"`
 	// swagger:strfmt date-time
-	Created time.Time `json:"created_at"`
+	CreatedAt time.Time `json:"created_at"`
 	// swagger:strfmt date-time
-	Updated time.Time `json:"updated_at"`
+	UpdatedAt time.Time `json:"updated_at"`
 	// swagger:strfmt date-time
-	Closed *time.Time `json:"closed_at,omitempty"`
+	ClosedAt *time.Time `json:"closed_at,omitempty"`
+	HTMLURL  string     `json:"html_url,omitempty"`
+}
+
+// CreateProjectOption represents options for creating a project
+// swagger:model
+type CreateProjectOption struct {
+	// required: true
+	Title       string `json:"title" binding:"Required"`
+	Description string `json:"description"`
+	// Template type: "none", "basic_kanban" or "bug_triage"
+	TemplateType string `json:"template_type"`
+	// Card type: "text_only" or "images_and_text"
+	CardType string `json:"card_type"`
+}
+
+// EditProjectOption represents options for editing a project
+// swagger:model
+type EditProjectOption struct {
+	Title       *string `json:"title,omitempty"`
+	Description *string `json:"description,omitempty"`
+	// Card type: "text_only" or "images_and_text"
+	CardType *string    `json:"card_type,omitempty"`
+	State    *StateType `json:"state,omitempty"`
+}
+
+// ProjectColumn represents a project column (board)
+// swagger:model
+type ProjectColumn struct {
+	ID        int64  `json:"id"`
+	Title     string `json:"title"`
+	Default   bool   `json:"default"`
+	Sorting   int    `json:"sorting"`
+	Color     string `json:"color,omitempty"`
+	ProjectID int64  `json:"project_id"`
+	Creator   *User  `json:"creator,omitempty"`
+	NumIssues int64  `json:"num_issues,omitempty"`
+	// swagger:strfmt date-time
+	CreatedAt time.Time `json:"created_at"`
+	// swagger:strfmt date-time
+	UpdatedAt time.Time `json:"updated_at"`
+}
+
+// CreateProjectColumnOption represents options for creating a project column
+// swagger:model
+type CreateProjectColumnOption struct {
+	// required: true
+	Title string `json:"title" binding:"Required"`
+	// Column color in 6-digit hex format, e.g. #FF0000
+	Color string `json:"color,omitempty"`
+}
+
+// EditProjectColumnOption represents options for editing a project column
+// swagger:model
+type EditProjectColumnOption struct {
+	Title *string `json:"title,omitempty"`
+	// Column color in 6-digit hex format, e.g. #FF0000
+	Color   *string `json:"color,omitempty"`
+	Sorting *int    `json:"sorting,omitempty"`
+}
+
+// MoveProjectIssueOption represents options for moving an issue between columns
+// swagger:model
+type MoveProjectIssueOption struct {
+	// Target column to move the issue into
+	// required: true
+	ColumnID int64 `json:"column_id" binding:"Required"`
+	// Optional sorting position within the target column
+	Sorting *int64 `json:"sorting,omitempty"`
 }
@@ -1575,6 +1575,26 @@ func Routes() *web.Router {
 						Patch(reqToken(), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.EditMilestoneOption{}), repo.EditMilestone).
 						Delete(reqToken(), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), repo.DeleteMilestone)
 				})
+				m.Group("/projects", func() {
+					m.Combo("").Get(repo.ListProjects).
+						Post(reqToken(), reqRepoWriter(unit.TypeProjects), mustNotBeArchived, bind(api.CreateProjectOption{}), repo.CreateProject)
+					m.Group("/{id}", func() {
+						m.Combo("").Get(repo.GetProject).
+							Patch(reqToken(), reqRepoWriter(unit.TypeProjects), mustNotBeArchived, bind(api.EditProjectOption{}), repo.EditProject).
+							Delete(reqToken(), reqRepoWriter(unit.TypeProjects), mustNotBeArchived, repo.DeleteProject)
+						m.Combo("/columns").Get(repo.ListProjectColumns).
+							Post(reqToken(), reqRepoWriter(unit.TypeProjects), mustNotBeArchived, bind(api.CreateProjectColumnOption{}), repo.CreateProjectColumn)
+						m.Group("/columns/{column_id}", func() {
+							m.Combo("").
+								Patch(reqToken(), reqRepoWriter(unit.TypeProjects), mustNotBeArchived, bind(api.EditProjectColumnOption{}), repo.EditProjectColumn).
+								Delete(reqToken(), reqRepoWriter(unit.TypeProjects), mustNotBeArchived, repo.DeleteProjectColumn)
+							m.Get("/issues", repo.ListProjectColumnIssues)
+							m.Post("/issues/{issue_id}", reqToken(), reqRepoWriter(unit.TypeProjects), mustNotBeArchived, repo.AddIssueToProjectColumn)
+							m.Delete("/issues/{issue_id}", reqToken(), reqRepoWriter(unit.TypeProjects), mustNotBeArchived, repo.RemoveIssueFromProjectColumn)
+						})
+						m.Post("/issues/{issue_id}/move", reqToken(), reqRepoWriter(unit.TypeProjects), mustNotBeArchived, bind(api.MoveProjectIssueOption{}), repo.MoveProjectIssue)
+					})
+				}, reqRepoReader(unit.TypeProjects))
 			}, repoAssignment(), checkTokenPublicOnly())
 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryIssue))

@@ -233,4 +233,17 @@ type swaggerParameterBodies struct {

 	// in:body
 	LockIssueOption api.LockIssueOption
+
+	// in:body
+	CreateProjectOption api.CreateProjectOption
+	// in:body
+	EditProjectOption api.EditProjectOption
+
+	// in:body
+	CreateProjectColumnOption api.CreateProjectColumnOption
+	// in:body
+	EditProjectColumnOption api.EditProjectColumnOption
+
+	// in:body
+	MoveProjectIssueOption api.MoveProjectIssueOption
 }
@@ -0,0 +1,36 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package swagger
+
+import (
+	api "code.gitea.io/gitea/modules/structs"
+)
+
+// Project
+// swagger:response Project
+type swaggerResponseProject struct {
+	// in:body
+	Body api.Project `json:"body"`
+}
+
+// ProjectList
+// swagger:response ProjectList
+type swaggerResponseProjectList struct {
+	// in:body
+	Body []api.Project `json:"body"`
+}
+
+// ProjectColumn
+// swagger:response ProjectColumn
+type swaggerResponseProjectColumn struct {
+	// in:body
+	Body api.ProjectColumn `json:"body"`
+}
+
+// ProjectColumnList
+// swagger:response ProjectColumnList
+type swaggerResponseProjectColumnList struct {
+	// in:body
+	Body []api.ProjectColumn `json:"body"`
+}
@@ -309,7 +309,7 @@ func ViewProject(ctx *context.Context) {
 		return
 	}

-	columns, err := project.GetColumns(ctx)
+	columns, err := project_model.GetProjectColumns(ctx, project.ID, db.ListOptionsAll)
 	if err != nil {
 		ctx.ServerError("GetProjectColumns", err)
 		return
@@ -449,6 +449,14 @@ func UpdateIssueProject(ctx *context.Context) {
 	}

 	projectIDs := ctx.FormStringInt64s("id")
+	// Remove zero values - id=0 means "remove from all projects"
+	filteredIDs := make([]int64, 0, len(projectIDs))
+	for _, id := range projectIDs {
+		if id != 0 {
+			filteredIDs = append(filteredIDs, id)
+		}
+	}
+	projectIDs = filteredIDs
 	var failedIssues []int64
 	for _, issue := range issues {
 		if err := issues_model.IssueAssignOrRemoveProject(ctx, issue, ctx.Doer, projectIDs); err != nil {
@@ -99,7 +99,7 @@ func toIssue(ctx context.Context, doer *user_model.User, issue *issues_model.Iss
 		return &api.Issue{}
 	}
 	if len(issue.Projects) > 0 {
-		apiIssue.Projects = ToAPIProjectList(issue.Projects)
+		apiIssue.Projects = ToProjectList(ctx, issue.Projects, doer)
 	}

 	if err := issue.LoadAssignees(ctx); err != nil {
@@ -4,34 +4,179 @@
 package convert

 import (
+	"context"
+	"fmt"
+
 	project_model "code.gitea.io/gitea/models/project"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/container"
 	api "code.gitea.io/gitea/modules/structs"
 )

-// ToAPIProject converts a Project to API format
-func ToAPIProject(p *project_model.Project) *api.Project {
-	apiProject := &api.Project{
-		ID:          p.ID,
-		Title:       p.Title,
-		Description: p.Description,
-		OwnerID:     p.OwnerID,
-		RepoID:      p.RepoID,
-		CreatorID:   p.CreatorID,
-		IsClosed:    p.IsClosed,
-		Created:     p.CreatedUnix.AsTime(),
-		Updated:     p.UpdatedUnix.AsTime(),
+func ProjectTemplateTypeToString(t project_model.TemplateType) string {
+	switch t {
+	case project_model.TemplateTypeBasicKanban:
+		return "basic_kanban"
+	case project_model.TemplateTypeBugTriage:
+		return "bug_triage"
+	default:
+		return "none"
 	}
-	if p.IsClosed && p.ClosedDateUnix > 0 {
-		apiProject.Closed = p.ClosedDateUnix.AsTimePtr()
-	}
-	return apiProject
 }

-// ToAPIProjectList converts a list of Projects to API format
-func ToAPIProjectList(projects []*project_model.Project) []*api.Project {
+func ProjectTemplateTypeFromString(s string) (project_model.TemplateType, error) {
+	switch s {
+	case "", "none":
+		return project_model.TemplateTypeNone, nil
+	case "basic_kanban":
+		return project_model.TemplateTypeBasicKanban, nil
+	case "bug_triage":
+		return project_model.TemplateTypeBugTriage, nil
+	default:
+		return 0, fmt.Errorf("invalid template_type %q (expected none, basic_kanban, bug_triage)", s)
+	}
+}
+
+func ProjectCardTypeToString(t project_model.CardType) string {
+	switch t {
+	case project_model.CardTypeImagesAndText:
+		return "images_and_text"
+	default:
+		return "text_only"
+	}
+}
+
+func ProjectCardTypeFromString(s string) (project_model.CardType, error) {
+	switch s {
+	case "", "text_only":
+		return project_model.CardTypeTextOnly, nil
+	case "images_and_text":
+		return project_model.CardTypeImagesAndText, nil
+	default:
+		return 0, fmt.Errorf("invalid card_type %q (expected text_only, images_and_text)", s)
+	}
+}
+
+func ProjectTypeToString(t project_model.Type) string {
+	switch t {
+	case project_model.TypeIndividual:
+		return "individual"
+	case project_model.TypeRepository:
+		return "repository"
+	case project_model.TypeOrganization:
+		return "organization"
+	default:
+		return ""
+	}
+}
+
+// loadProjectCreators batch-fetches creators for the given projects + columns and
+// returns a map keyed by user ID. Errors are surfaced; missing users are silently
+// skipped (their creator field stays nil), matching the convention of other list
+// converters that tolerate deleted users.
+func loadProjectCreators(ctx context.Context, projects []*project_model.Project, columns []*project_model.Column) (map[int64]*user_model.User, error) {
+	idSet := container.Set[int64]{}
+	for _, p := range projects {
+		if p.CreatorID > 0 {
+			idSet.Add(p.CreatorID)
+		}
+	}
+	for _, c := range columns {
+		if c.CreatorID > 0 {
+			idSet.Add(c.CreatorID)
+		}
+	}
+	if len(idSet) == 0 {
+		return map[int64]*user_model.User{}, nil
+	}
+	return user_model.GetUsersMapByIDs(ctx, idSet.Values())
+}
+
+// ToProject converts a project_model.Project to api.Project.
+// Caller is expected to preload p.Repo / p.Owner to avoid N+1 lookups.
+func ToProject(ctx context.Context, p *project_model.Project, doer *user_model.User) *api.Project {
+	creators, _ := loadProjectCreators(ctx, []*project_model.Project{p}, nil)
+	return toProject(ctx, p, doer, creators)
+}
+
+func toProject(ctx context.Context, p *project_model.Project, doer *user_model.User, creators map[int64]*user_model.User) *api.Project {
+	state := api.StateOpen
+	if p.IsClosed {
+		state = api.StateClosed
+	}
+
+	project := &api.Project{
+		ID:              p.ID,
+		Title:           p.Title,
+		Description:     p.Description,
+		OwnerID:         p.OwnerID,
+		RepoID:          p.RepoID,
+		State:           state,
+		TemplateType:    ProjectTemplateTypeToString(p.TemplateType),
+		CardType:        ProjectCardTypeToString(p.CardType),
+		Type:            ProjectTypeToString(p.Type),
+		NumOpenIssues:   p.NumOpenIssues,
+		NumClosedIssues: p.NumClosedIssues,
+		NumIssues:       p.NumIssues,
+		CreatedAt:       p.CreatedUnix.AsTime(),
+		UpdatedAt:       p.UpdatedUnix.AsTime(),
+	}
+
+	if p.ClosedDateUnix > 0 {
+		t := p.ClosedDateUnix.AsTime()
+		project.ClosedAt = &t
+	}
+
+	if creator, ok := creators[p.CreatorID]; ok {
+		project.Creator = ToUser(ctx, creator, doer)
+	}
+
+	if p.Type == project_model.TypeRepository && p.Repo != nil {
+		project.HTMLURL = p.Repo.HTMLURL() + fmt.Sprintf("/projects/%d", p.ID)
+	} else if p.Owner != nil {
+		project.HTMLURL = p.Owner.HTMLURL(ctx) + fmt.Sprintf("/-/projects/%d", p.ID)
+	}
+
+	return project
+}
+
+func ToProjectColumn(ctx context.Context, column *project_model.Column, doer *user_model.User) *api.ProjectColumn {
+	creators, _ := loadProjectCreators(ctx, nil, []*project_model.Column{column})
+	return toProjectColumn(ctx, column, doer, creators)
+}
+
+func toProjectColumn(ctx context.Context, column *project_model.Column, doer *user_model.User, creators map[int64]*user_model.User) *api.ProjectColumn {
+	apiColumn := &api.ProjectColumn{
+		ID:        column.ID,
+		Title:     column.Title,
+		Default:   column.Default,
+		Sorting:   int(column.Sorting),
+		Color:     column.Color,
+		ProjectID: column.ProjectID,
+		NumIssues: column.NumIssues,
+		CreatedAt: column.CreatedUnix.AsTime(),
+		UpdatedAt: column.UpdatedUnix.AsTime(),
+	}
+	if creator, ok := creators[column.CreatorID]; ok {
+		apiColumn.Creator = ToUser(ctx, creator, doer)
+	}
+	return apiColumn
+}
+
+func ToProjectList(ctx context.Context, projects []*project_model.Project, doer *user_model.User) []*api.Project {
+	creators, _ := loadProjectCreators(ctx, projects, nil)
 	result := make([]*api.Project, len(projects))
-	for i := range projects {
-		result[i] = ToAPIProject(projects[i])
+	for i, p := range projects {
+		result[i] = toProject(ctx, p, doer, creators)
+	}
+	return result
+}
+
+func ToProjectColumnList(ctx context.Context, columns []*project_model.Column, doer *user_model.User) []*api.ProjectColumn {
+	creators, _ := loadProjectCreators(ctx, nil, columns)
+	result := make([]*api.ProjectColumn, len(columns))
+	for i, column := range columns {
+		result[i] = toProjectColumn(ctx, column, doer, creators)
 	}
 	return result
 }
@@ -17,6 +17,10 @@ import (
 	"code.gitea.io/gitea/modules/optional"
 )

+// ErrIssueNotInProject is returned when MoveIssuesOnProjectColumn is asked to move
+// issues that aren't yet attached to the column's project.
+var ErrIssueNotInProject = errors.New("all issues have to be added to a project first")
+
 // MoveIssuesOnProjectColumn moves or keeps issues in a column and sorts them inside that column
 func MoveIssuesOnProjectColumn(ctx context.Context, doer *user_model.User, column *project_model.Column, sortedIssueIDs map[int64]int64) error {
 	return db.WithTx(ctx, func(ctx context.Context) error {
@@ -32,7 +36,7 @@ func MoveIssuesOnProjectColumn(ctx context.Context, doer *user_model.User, colum
 			return err
 		}
 		if int(count) != len(sortedIssueIDs) {
-			return errors.New("all issues have to be added to a project first")
+			return ErrIssueNotInProject
 		}

 		issues, err := issues_model.GetIssuesByIDs(ctx, issueIDs)
@@ -63,7 +67,6 @@ func MoveIssuesOnProjectColumn(ctx context.Context, doer *user_model.User, colum
 			if err != nil {
 				return err
 			}
-
 			projectColumnID := projectColumnMap[column.ProjectID]

 			if projectColumnID != column.ID {
@@ -82,16 +85,7 @@ func MoveIssuesOnProjectColumn(ctx context.Context, doer *user_model.User, colum
 				}
 			}

-			// Update the column and sorting for this specific issue in this specific project.
-			// IMPORTANT: The WHERE clause must include both issue_id AND project_id to ensure
-			// that moving an issue's column in one project doesn't affect its column in other
-			// projects when the issue is assigned to multiple projects.
-			_, err = db.GetEngine(ctx).Table("project_issue").
-				Where("issue_id = ? AND project_id = ?", issueID, column.ProjectID).
-				Update(map[string]any{
-					"project_board_id": column.ID,
-					"sorting":          sorting,
-				})
+			_, err = db.Exec(ctx, "UPDATE `project_issue` SET project_board_id=?, sorting=? WHERE issue_id=?", column.ID, sorting, issueID)
 			if err != nil {
 				return err
 			}
@@ -129,7 +123,7 @@ func LoadIssuesAssigneesForProject(ctx context.Context, issuesMap map[int64]issu
 func LoadIssuesFromProject(ctx context.Context, project *project_model.Project, opts *issues_model.IssuesOptions) (results map[int64]issues_model.IssueList, _ error) {
 	issueList, err := issues_model.Issues(ctx, opts.Copy(func(o *issues_model.IssuesOptions) {
 		o.ProjectIDs = []int64{project.ID}
-		o.SortType = "project-column-sorting"
+		o.SortType = issues_model.SortTypeProjectColumnSorting
 	}))
 	if err != nil {
 		return nil, err
@@ -0,0 +1,44 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package project
+
+import (
+	"context"
+
+	"code.gitea.io/gitea/models/db"
+	project_model "code.gitea.io/gitea/models/project"
+	"code.gitea.io/gitea/modules/optional"
+)
+
+// UpdateProjectOptions represents updatable project fields. Fields with no value are left unchanged.
+type UpdateProjectOptions struct {
+	Title       optional.Option[string]
+	Description optional.Option[string]
+	CardType    optional.Option[project_model.CardType]
+	IsClosed    optional.Option[bool]
+}
+
+// UpdateProject applies the provided options to the project atomically.
+func UpdateProject(ctx context.Context, project *project_model.Project, opts UpdateProjectOptions) error {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		if opts.Title.Has() {
+			project.Title = opts.Title.Value()
+		}
+		if opts.Description.Has() {
+			project.Description = opts.Description.Value()
+		}
+		if opts.CardType.Has() {
+			project.CardType = opts.CardType.Value()
+		}
+		if err := project_model.UpdateProject(ctx, project); err != nil {
+			return err
+		}
+		if opts.IsClosed.Has() && opts.IsClosed.Value() != project.IsClosed {
+			if err := project_model.ChangeProjectStatus(ctx, project, opts.IsClosed.Value()); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+}
@@ -0,0 +1,704 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	auth_model "code.gitea.io/gitea/models/auth"
+	issues_model "code.gitea.io/gitea/models/issues"
+	project_model "code.gitea.io/gitea/models/project"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+	api "code.gitea.io/gitea/modules/structs"
+	projects_service "code.gitea.io/gitea/services/projects"
+	"code.gitea.io/gitea/tests"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAPIProjects(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+	t.Run("ListProjects", testAPIListProjects)
+	t.Run("GetProject", testAPIGetProject)
+	t.Run("CreateProject", testAPICreateProject)
+	t.Run("UpdateProject", testAPIUpdateProject)
+	t.Run("ChangeProjectStatus", testAPIChangeProjectStatus)
+	t.Run("DeleteProject", testAPIDeleteProject)
+	t.Run("ListProjectColumns", testAPIListProjectColumns)
+	t.Run("CreateProjectColumn", testAPICreateProjectColumn)
+	t.Run("UpdateProjectColumn", testAPIUpdateProjectColumn)
+	t.Run("DeleteProjectColumn", testAPIDeleteProjectColumn)
+	t.Run("AddIssueToProjectColumn", testAPIAddIssueToProjectColumn)
+	t.Run("RemoveIssueFromProjectColumn", testAPIRemoveIssueFromProjectColumn)
+	t.Run("ListProjectColumnIssues", testAPIListProjectColumnIssues)
+	t.Run("Permissions", testAPIProjectPermissions)
+}
+
+func testAPIListProjects(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeReadIssue)
+
+	// Test listing all projects
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects", owner.Name, repo.Name).
+		AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	var projects []*api.Project
+	DecodeJSON(t, resp, &projects)
+
+	// Test state filter - open
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects?state=open", owner.Name, repo.Name).
+		AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &projects)
+	for _, project := range projects {
+		assert.Equal(t, api.StateOpen, project.State, "Project should be open")
+	}
+
+	// Test state filter - all
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects?state=all", owner.Name, repo.Name).
+		AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &projects)
+
+	// Test pagination
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects?page=1&limit=5", owner.Name, repo.Name).
+		AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusOK)
+}
+
+func testAPIGetProject(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	// Create a test project
+	project := &project_model.Project{
+		Title:        "Test Project for API",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeReadIssue)
+
+	// Test getting the project
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID).
+		AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	var apiProject api.Project
+	DecodeJSON(t, resp, &apiProject)
+	assert.Equal(t, project.Title, apiProject.Title)
+	assert.Equal(t, project.ID, apiProject.ID)
+	assert.Equal(t, repo.ID, apiProject.RepoID)
+	assert.NotEmpty(t, apiProject.HTMLURL)
+
+	// Test getting non-existent project
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects/99999", owner.Name, repo.Name).
+		AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+}
+
+func testAPICreateProject(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	// Test creating a project
+	req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects", owner.Name, repo.Name), &api.CreateProjectOption{
+		Title:        "API Created Project",
+		Description:  "This is a test project created via API",
+		TemplateType: "basic_kanban",
+		CardType:     "images_and_text",
+	}).AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusCreated)
+
+	var project api.Project
+	DecodeJSON(t, resp, &project)
+	assert.Equal(t, "API Created Project", project.Title)
+	assert.Equal(t, "This is a test project created via API", project.Description)
+	assert.Equal(t, "basic_kanban", project.TemplateType)
+	assert.Equal(t, "images_and_text", project.CardType)
+	assert.Equal(t, api.StateOpen, project.State)
+
+	// Test creating with minimal data
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects", owner.Name, repo.Name), &api.CreateProjectOption{
+		Title: "Minimal Project",
+	}).AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusCreated)
+
+	var minimalProject api.Project
+	DecodeJSON(t, resp, &minimalProject)
+	assert.Equal(t, "Minimal Project", minimalProject.Title)
+
+	// Test creating without authentication
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects", owner.Name, repo.Name), &api.CreateProjectOption{
+		Title: "Unauthorized Project",
+	})
+	MakeRequest(t, req, http.StatusUnauthorized)
+
+	// Test creating with invalid data (empty title)
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects", owner.Name, repo.Name), &api.CreateProjectOption{
+		Title: "",
+	}).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusUnprocessableEntity)
+}
+
+func testAPIUpdateProject(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	// Create a test project
+	project := &project_model.Project{
+		Title:        "Project to Update",
+		Description:  "Original description",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	// Test updating project title and description
+	newTitle := "Updated Project Title"
+	newDesc := "Updated description"
+	req := NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID), &api.EditProjectOption{
+		Title:       &newTitle,
+		Description: &newDesc,
+	}).AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	var updatedProject api.Project
+	DecodeJSON(t, resp, &updatedProject)
+	assert.Equal(t, newTitle, updatedProject.Title)
+	assert.Equal(t, newDesc, updatedProject.Description)
+
+	// Test updating non-existent project
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/99999", owner.Name, repo.Name), &api.EditProjectOption{
+		Title: &newTitle,
+	}).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+}
+
+func testAPIChangeProjectStatus(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	project := &project_model.Project{
+		Title:        "Project to Close",
+		Description:  "Project to close and reopen",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	closed := api.StateClosed
+	req := NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID), &api.EditProjectOption{
+		State: &closed,
+	}).AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	var updatedProject api.Project
+	DecodeJSON(t, resp, &updatedProject)
+	assert.Equal(t, api.StateClosed, updatedProject.State)
+	assert.NotNil(t, updatedProject.ClosedAt)
+
+	open := api.StateOpen
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID), &api.EditProjectOption{
+		State: &open,
+	}).AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusOK)
+
+	DecodeJSON(t, resp, &updatedProject)
+	assert.Equal(t, api.StateOpen, updatedProject.State)
+
+	bogus := api.StateType("reopen")
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID), &api.EditProjectOption{
+		State: &bogus,
+	}).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusUnprocessableEntity)
+}
+
+func testAPIDeleteProject(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	// Create a test project
+	project := &project_model.Project{
+		Title:        "Project to Delete",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	// Test deleting the project
+	req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID).
+		AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNoContent)
+
+	// Test deleting non-existent project (including the one we just deleted)
+	req = NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID).
+		AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+}
+
+func testAPIListProjectColumns(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	// Create a test project
+	project := &project_model.Project{
+		Title:        "Project for Columns Test",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+
+	// Create test columns
+	for i := 1; i <= 3; i++ {
+		column := &project_model.Column{
+			Title:     fmt.Sprintf("Column %d", i),
+			ProjectID: project.ID,
+			CreatorID: owner.ID,
+		}
+		err = project_model.NewColumn(t.Context(), column)
+		assert.NoError(t, err)
+	}
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeReadIssue)
+
+	// Test listing all columns — X-Total-Count must equal 3
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects/%d/columns", owner.Name, repo.Name, project.ID).
+		AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	var columns []*api.ProjectColumn
+	DecodeJSON(t, resp, &columns)
+	assert.Len(t, columns, 3)
+	assert.Equal(t, "Column 1", columns[0].Title)
+	assert.Equal(t, "Column 2", columns[1].Title)
+	assert.Equal(t, "Column 3", columns[2].Title)
+	assert.Equal(t, "3", resp.Header().Get("X-Total-Count"))
+
+	// Test pagination: page 1 with limit 2 returns first 2 columns, total count still 3
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects/%d/columns?page=1&limit=2", owner.Name, repo.Name, project.ID).
+		AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &columns)
+	assert.Len(t, columns, 2)
+	assert.Equal(t, "Column 1", columns[0].Title)
+	assert.Equal(t, "Column 2", columns[1].Title)
+	assert.Equal(t, "3", resp.Header().Get("X-Total-Count"))
+
+	// Test pagination: page 2 with limit 2 returns remaining column
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects/%d/columns?page=2&limit=2", owner.Name, repo.Name, project.ID).
+		AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &columns)
+	assert.Len(t, columns, 1)
+	assert.Equal(t, "Column 3", columns[0].Title)
+	assert.Equal(t, "3", resp.Header().Get("X-Total-Count"))
+
+	// Test listing columns for non-existent project
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects/99999/columns", owner.Name, repo.Name).
+		AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+}
+
+func testAPICreateProjectColumn(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	// Create a test project
+	project := &project_model.Project{
+		Title:        "Project for Column Creation",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	// Test creating a column with color
+	req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns", owner.Name, repo.Name, project.ID), &api.CreateProjectColumnOption{
+		Title: "New Column",
+		Color: "#FF5733",
+	}).AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusCreated)
+
+	var column api.ProjectColumn
+	DecodeJSON(t, resp, &column)
+	assert.Equal(t, "New Column", column.Title)
+	assert.Equal(t, "#FF5733", column.Color)
+	assert.Equal(t, project.ID, column.ProjectID)
+
+	// Test creating a column without color
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns", owner.Name, repo.Name, project.ID), &api.CreateProjectColumnOption{
+		Title: "Simple Column",
+	}).AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusCreated)
+
+	DecodeJSON(t, resp, &column)
+	assert.Equal(t, "Simple Column", column.Title)
+
+	// Test creating with empty title
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns", owner.Name, repo.Name, project.ID), &api.CreateProjectColumnOption{
+		Title: "",
+	}).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusUnprocessableEntity)
+
+	// Test creating for non-existent project
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects/99999/columns", owner.Name, repo.Name), &api.CreateProjectColumnOption{
+		Title: "Orphan Column",
+	}).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+}
+
+func testAPIUpdateProjectColumn(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	// Create a test project and column
+	project := &project_model.Project{
+		Title:        "Project for Column Update",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+	column := &project_model.Column{
+		Title:     "Original Column",
+		ProjectID: project.ID,
+		CreatorID: owner.ID,
+		Color:     "#000000",
+	}
+	err = project_model.NewColumn(t.Context(), column)
+	assert.NoError(t, err)
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	// Test updating column title
+	newTitle := "Updated Column"
+	req := NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/%d", owner.Name, repo.Name, project.ID, column.ID), &api.EditProjectColumnOption{
+		Title: &newTitle,
+	}).AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	var updatedColumn api.ProjectColumn
+	DecodeJSON(t, resp, &updatedColumn)
+	assert.Equal(t, newTitle, updatedColumn.Title)
+
+	// Test updating column color
+	newColor := "#FF0000"
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/%d", owner.Name, repo.Name, project.ID, column.ID), &api.EditProjectColumnOption{
+		Color: &newColor,
+	}).AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusOK)
+
+	DecodeJSON(t, resp, &updatedColumn)
+	assert.Equal(t, newColor, updatedColumn.Color)
+
+	// Test updating non-existent column
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/99999", owner.Name, repo.Name, project.ID), &api.EditProjectColumnOption{
+		Title: &newTitle,
+	}).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+}
+
+func testAPIDeleteProjectColumn(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	// Create a test project and column
+	project := &project_model.Project{
+		Title:        "Project for Column Deletion",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+	column := &project_model.Column{
+		Title:     "Column to Delete",
+		ProjectID: project.ID,
+		CreatorID: owner.ID,
+	}
+	err = project_model.NewColumn(t.Context(), column)
+	assert.NoError(t, err)
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	// Test deleting the column
+	req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/projects/%d/columns/%d", owner.Name, repo.Name, project.ID, column.ID).
+		AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNoContent)
+
+	// Test deleting non-existent column (including the one we just deleted)
+	req = NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/projects/%d/columns/%d", owner.Name, repo.Name, project.ID, column.ID).
+		AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+}
+
+func testAPIAddIssueToProjectColumn(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+	issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{RepoID: repo.ID})
+
+	// Create a test project and column
+	project := &project_model.Project{
+		Title:        "Project for Issue Assignment",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+
+	column1 := &project_model.Column{
+		Title:     "Column 1",
+		ProjectID: project.ID,
+		CreatorID: owner.ID,
+	}
+	err = project_model.NewColumn(t.Context(), column1)
+	assert.NoError(t, err)
+
+	column2 := &project_model.Column{
+		Title:     "Column 2",
+		ProjectID: project.ID,
+		CreatorID: owner.ID,
+	}
+	err = project_model.NewColumn(t.Context(), column2)
+	assert.NoError(t, err)
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	// Test adding issue to column
+	req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/%d/issues/%d", owner.Name, repo.Name, project.ID, column1.ID, issue.ID), nil).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusCreated)
+
+	// Verify issue is in the column
+	projectIssue := unittest.AssertExistsAndLoadBean(t, &project_model.ProjectIssue{
+		ProjectID: project.ID,
+		IssueID:   issue.ID,
+	})
+	assert.Equal(t, column1.ID, projectIssue.ProjectColumnID)
+
+	// Test moving issue to another column
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/%d/issues/%d", owner.Name, repo.Name, project.ID, column2.ID, issue.ID), nil).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusCreated)
+
+	// Verify issue moved to new column
+	projectIssue = unittest.AssertExistsAndLoadBean(t, &project_model.ProjectIssue{
+		ProjectID: project.ID,
+		IssueID:   issue.ID,
+	})
+	assert.Equal(t, column2.ID, projectIssue.ProjectColumnID)
+
+	// Test adding same issue to same column (should be idempotent)
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/%d/issues/%d", owner.Name, repo.Name, project.ID, column2.ID, issue.ID), nil).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusCreated)
+
+	// Test adding non-existent issue
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/%d/issues/%d", owner.Name, repo.Name, project.ID, column1.ID, 99999), nil).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+
+	// Test adding to non-existent column
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/99999/issues/%d", owner.Name, repo.Name, project.ID, issue.ID), nil).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+}
+
+func testAPIListProjectColumnIssues(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+	issueA := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 1})
+	issueB := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 2})
+
+	project := &project_model.Project{
+		Title:        "Project for Column Issues",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+
+	columnA := &project_model.Column{
+		Title:     "Column A",
+		ProjectID: project.ID,
+		CreatorID: owner.ID,
+	}
+	err = project_model.NewColumn(t.Context(), columnA)
+	assert.NoError(t, err)
+
+	columnB := &project_model.Column{
+		Title:     "Column B",
+		ProjectID: project.ID,
+		CreatorID: owner.ID,
+	}
+	err = project_model.NewColumn(t.Context(), columnB)
+	assert.NoError(t, err)
+
+	// Place issueA in columnA, issueB in columnB.
+	err = issues_model.IssueAssignOrRemoveProject(t.Context(), issueA, owner, []int64{project.ID})
+	assert.NoError(t, err)
+	err = projects_service.MoveIssuesOnProjectColumn(t.Context(), owner, columnA, map[int64]int64{0: issueA.ID})
+	assert.NoError(t, err)
+
+	err = issues_model.IssueAssignOrRemoveProject(t.Context(), issueB, owner, []int64{project.ID})
+	assert.NoError(t, err)
+	err = projects_service.MoveIssuesOnProjectColumn(t.Context(), owner, columnB, map[int64]int64{0: issueB.ID})
+	assert.NoError(t, err)
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeReadIssue)
+
+	// Column A should contain only issueA.
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects/%d/columns/%d/issues", owner.Name, repo.Name, project.ID, columnA.ID).
+		AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+	var issuesA []api.Issue
+	DecodeJSON(t, resp, &issuesA)
+	assert.Len(t, issuesA, 1)
+	assert.Equal(t, issueA.ID, issuesA[0].ID)
+
+	// Column B should contain only issueB.
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects/%d/columns/%d/issues", owner.Name, repo.Name, project.ID, columnB.ID).
+		AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusOK)
+	var issuesB []api.Issue
+	DecodeJSON(t, resp, &issuesB)
+	assert.Len(t, issuesB, 1)
+	assert.Equal(t, issueB.ID, issuesB[0].ID)
+}
+
+func testAPIRemoveIssueFromProjectColumn(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+	issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{RepoID: repo.ID})
+
+	project := &project_model.Project{
+		Title:        "Project for Issue Removal",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+
+	column := &project_model.Column{
+		Title:     "Column for Issue Removal",
+		ProjectID: project.ID,
+		CreatorID: owner.ID,
+	}
+	err = project_model.NewColumn(t.Context(), column)
+	assert.NoError(t, err)
+
+	otherColumn := &project_model.Column{
+		Title:     "Other Column",
+		ProjectID: project.ID,
+		CreatorID: owner.ID,
+	}
+	err = project_model.NewColumn(t.Context(), otherColumn)
+	assert.NoError(t, err)
+
+	err = issues_model.IssueAssignOrRemoveProject(t.Context(), issue, owner, []int64{project.ID})
+	assert.NoError(t, err)
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	// Removing via a column the issue does not live in must 404 and not detach the issue
+	req := NewRequestWithJSON(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/%d/issues/%d", owner.Name, repo.Name, project.ID, otherColumn.ID, issue.ID), nil).
+		AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+	unittest.AssertExistsAndLoadBean(t, &project_model.ProjectIssue{
+		ProjectID: project.ID,
+		IssueID:   issue.ID,
+	})
+
+	req = NewRequestWithJSON(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/%d/issues/%d", owner.Name, repo.Name, project.ID, column.ID, issue.ID), nil).
+		AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNoContent)
+
+	unittest.AssertNotExistsBean(t, &project_model.ProjectIssue{
+		ProjectID: project.ID,
+		IssueID:   issue.ID,
+	})
+}
+
+func testAPIProjectPermissions(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+	nonCollaborator := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user5"})
+
+	// Create a test project
+	project := &project_model.Project{
+		Title:        "Permission Test Project",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+
+	ownerToken := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+	nonCollaboratorToken := getUserToken(t, nonCollaborator.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	// Owner should be able to read
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID).
+		AddTokenAuth(ownerToken)
+	MakeRequest(t, req, http.StatusOK)
+
+	// Owner should be able to update
+	newTitle := "Updated by Owner"
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID), &api.EditProjectOption{
+		Title: &newTitle,
+	}).AddTokenAuth(ownerToken)
+	MakeRequest(t, req, http.StatusOK)
+
+	// Non-collaborator should not be able to update
+	anotherTitle := "Updated by Non-collaborator"
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID), &api.EditProjectOption{
+		Title: &anotherTitle,
+	}).AddTokenAuth(nonCollaboratorToken)
+	MakeRequest(t, req, http.StatusForbidden)
+
+	// Non-collaborator should not be able to delete
+	req = NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID).
+		AddTokenAuth(nonCollaboratorToken)
+	MakeRequest(t, req, http.StatusForbidden)
+}
@@ -10,6 +10,7 @@ import (
 	"strings"
 	"testing"

+	"code.gitea.io/gitea/models/db"
 	issues_model "code.gitea.io/gitea/models/issues"
 	project_model "code.gitea.io/gitea/models/project"
 	repo_model "code.gitea.io/gitea/models/repo"
@@ -60,7 +61,7 @@ func TestMoveRepoProjectColumns(t *testing.T) {
 		assert.NoError(t, err)
 	}

-	columns, err := project1.GetColumns(t.Context())
+	columns, err := project_model.GetProjectColumns(t.Context(), project1.ID, db.ListOptionsAll)
 	assert.NoError(t, err)
 	assert.Len(t, columns, 3)
 	assert.EqualValues(t, 0, columns[0].Sorting)
@@ -80,7 +81,7 @@ func TestMoveRepoProjectColumns(t *testing.T) {
 	})
 	sess.MakeRequest(t, req, http.StatusOK)

-	columnsAfter, err := project1.GetColumns(t.Context())
+	columnsAfter, err := project_model.GetProjectColumns(t.Context(), project1.ID, db.ListOptionsAll)
 	assert.NoError(t, err)
 	assert.Len(t, columnsAfter, 3)
 	assert.Equal(t, columns[1].ID, columnsAfter[0].ID)
@@ -90,26 +91,6 @@ func TestMoveRepoProjectColumns(t *testing.T) {
 	assert.NoError(t, project_model.DeleteProjectByID(t.Context(), project1.ID))
 }

-func TestUpdateIssueProject(t *testing.T) {
-	defer tests.PrepareTestEnv(t)()
-
-	sess := loginUser(t, "user2")
-
-	t.Run("AssignAndRemove", func(t *testing.T) {
-		req := NewRequestWithValues(t, "POST", "/user2/repo1/issues/projects?issue_ids=2", map[string]string{
-			"id": "1",
-		})
-		sess.MakeRequest(t, req, http.StatusOK)
-		unittest.AssertExistsAndLoadBean(t, &project_model.ProjectIssue{IssueID: 2, ProjectID: 1})
-
-		req = NewRequestWithValues(t, "POST", "/user2/repo1/issues/projects?issue_ids=2", map[string]string{
-			"id": "",
-		})
-		sess.MakeRequest(t, req, http.StatusOK)
-		unittest.AssertNotExistsBean(t, &project_model.ProjectIssue{IssueID: 2, ProjectID: 1})
-	})
-}
-
 func TestUpdateIssueProjectColumn(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()

@@ -158,7 +139,7 @@ func TestUpdateIssueProjectColumn(t *testing.T) {
 			Title:     "other column",
 			ProjectID: project2.ID,
 		}))
-		columns, err := project2.GetColumns(t.Context())
+		columns, err := project_model.GetProjectColumns(t.Context(), project2.ID, db.ListOptionsAll)
 		require.NoError(t, err)
 		require.NotEmpty(t, columns)

@@ -180,13 +161,13 @@ func TestIssueSidebarProjectColumn(t *testing.T) {
 	resp := sess.MakeRequest(t, req, http.StatusOK)
 	htmlDoc := NewHTMLParser(t, resp.Body)

-	cards := htmlDoc.Find(".flex-relaxed-list > .item.sidebar-project-card")
+	cards := htmlDoc.Find(".sidebar-project-card")
 	assert.Equal(t, 1, cards.Length())

-	title := cards.Find("a span.gt-ellipsis")
+	title := cards.Find(".sidebar-project-card a.suppressed .gt-ellipsis")
 	assert.Contains(t, strings.TrimSpace(title.Text()), "First project")

-	columnCombo := cards.Find(".issue-sidebar-combo.sidebar-project-column-combo")
+	columnCombo := cards.Find(".sidebar-project-column-combo")
 	assert.Equal(t, 1, columnCombo.Length())

 	defaultItem := columnCombo.Find(`.menu .item[data-value="1"]`)
@@ -201,14 +182,16 @@ func TestIssueSidebarProjectColumn(t *testing.T) {
 	assert.True(t, exists)
 	assert.Equal(t, "3", comboVal)

-	req = NewRequestWithValues(t, "POST", "/user2/repo1/issues/projects?issue_ids=5", map[string]string{"id": ""})
+	req = NewRequestWithValues(t, "POST", "/user2/repo1/issues/projects?issue_ids=5", map[string]string{
+		"id": "0",
+	})
 	sess.MakeRequest(t, req, http.StatusOK)

 	req = NewRequest(t, "GET", "/user2/repo1/issues/4")
 	resp = sess.MakeRequest(t, req, http.StatusOK)
 	htmlDoc = NewHTMLParser(t, resp.Body)

-	cards = htmlDoc.Find(".flex-relaxed-list > .item.sidebar-project-card")
+	cards = htmlDoc.Find(".sidebar-project-card")
 	assert.Equal(t, 0, cards.Length())
 }

@@ -311,6 +294,11 @@ func TestOrgProjectFilterByMilestone(t *testing.T) {
 	}
 	require.NoError(t, project_model.NewProject(t.Context(), &project))

+	// Get the default column
+	columns, err := project_model.GetProjectColumns(t.Context(), project.ID, db.ListOptionsAll)
+	require.NoError(t, err)
+	require.NotEmpty(t, columns)
+
 	// Add issues to the project
 	require.NoError(t, issues_model.IssueAssignOrRemoveProject(t.Context(), issue16, user1, []int64{project.ID}))
 	require.NoError(t, issues_model.IssueAssignOrRemoveProject(t.Context(), issue17, user1, []int64{project.ID}))
Author	SHA1	Message	Date
Oleks	235248620e	fix(api): filter list-column-issues by project_board_id release-tag-version / binary (push) Cancelled after 0s release-tag-version / container (push) Cancelled after 0s ListProjectColumnIssues was returning every issue in the project regardless of which column was requested. The handler set ProjectIDs but had no way to constrain to a specific column, and applyProjectCondition only joined project_issue on project_id. Add IssuesOptions.ProjectColumnID and extend the single-project branch of applyProjectCondition to include project_board_id in the JOIN when set. Strengthen the integration test: previously it placed two issues in the project (default column) and asserted a column listing returned 2, which masked the bug. Now create two distinct columns, move one issue into each, and verify each column's listing returns exactly the issue it owns. Reported during e2e validation on git.oleks.space against the production fork (1.26.0-unstable-2026-05-11). Worth back-porting to upstream PR #37518.	2026-05-12 16:12:42 +03:00
Oleks	20f31b8967	chore(ddev): add build-gitea-frontend command release-tag-version / binary (push) Cancelled after 0s release-tag-version / container (push) Cancelled after 0s `make backend` embeds public/ via go:embed at compile time, so any frontend asset change requires: ddev build-gitea-frontend # vite into public/assets/ ddev build-gitea # re-embed public/ into the binary ddev restart # pick up new binary	2026-05-11 17:14:35 +03:00
Oleks	fdfff3cc0b	chore(ddev): local dev environment for testing the Projects API `ddev start` provisions: - web container: Debian + Go 1.26.3 + node 24, builds gitea via `ddev build-gitea` - db: postgres 17 - router: https://gitea.ddev.site → gitea on container port 3000 First-run steps: ddev start ddev build-gitea ddev restart ddev exec './gitea --config .ddev/gitea/app.ini admin user create \ --admin --username ddev --password ddev1234567890 \ --email ddev@example.com --must-change-password=false' .ddev/.gitignore uses a whitelist: only the 6 files we authored are tracked; DDEV's generated content (compose files, provider templates, snapshots, gocache, gitea runtime data) is ignored.	2026-05-11 16:57:08 +03:00
Oleks	eb5c55d07f	style: auto-format from pre-push hooks	2026-05-11 15:58:32 +03:00
Oleks	9d41d1abc4	chore(devshell): add `test` shell without static glibc The default shell links cgo statically against glibc.static for the production gitea binary. Test binaries built in that shell segfault inside cgo NSS calls (getaddrinfo/getpwuid_r) because the static glibc NSS modules need matching dynamic libs at runtime. Split the shell: - `nix develop` -> production build shell (static, unchanged) - `nix develop .#test` -> test/dev shell, no static glibc Verified: TestAPIProjects passes in the `test` shell.	2026-05-11 15:58:29 +03:00
Oleks	025ce0a8e0	chore(devshell): add golangci-lint, govulncheck, and tea to nix shell	2026-05-11 15:53:17 +03:00
Oleks	8db18ad9f6	feat(api): add REST API for repository project boards Cherry-pick of upstream PR go-gitea/gitea#37518 onto feat/projects-api. The PR is itself a rebase of #36831 onto main, adapted for the multi-projects-per-issue model added in #36784. Endpoints (all under /repos/{owner}/{repo}/projects...): GET . list projects POST . create project GET /{id} get project PATCH /{id} update project DELETE /{id} delete project GET /{id}/columns list columns POST /{id}/columns create column PATCH /columns/{id} update column DELETE /columns/{id} delete column GET /columns/{id}/issues list issues in column POST /columns/{id}/issues/{issue_id} add/move issue to column DELETE /columns/{id}/issues/{issue_id} remove issue from column POST /columns/{id}/issues/{issue_id}/move move between columns Source: https://github.com/go-gitea/gitea/pull/37518	2026-05-11 15:41:15 +03:00