Merge ae9fff3d3fbb1eac70e2fa0f14f6caf27b784eb5 into 0a3aaeafe7bef9d6935422f4b91c77c216c01b21

models/issues/issue_search.go

@@ -22,7 +22,11 @@ import (
 	"xorm.io/xorm"
 )
 
-const ScopeSortPrefix = "scope-"
+const (
+	ScopeSortPrefix = "scope-"
+	// SortTypeProjectColumnSorting orders issues within a project column by their project_issue.sorting value.
+	SortTypeProjectColumnSorting = "project-column-sorting"
+)
 
 // IssuesOptions represents options of an issue.
 type IssuesOptions struct { //nolint:revive // export stutter
@@ -122,7 +126,7 @@ func applySorts(sess *xorm.Session, sortType string, priorityRepoID int64) {
 			"ELSE 2 END ASC", priorityRepoID).
 			Desc("issue.created_unix").
 			Desc("issue.id")
-	case "project-column-sorting":
+	case SortTypeProjectColumnSorting:
 		sess.Asc("project_issue.sorting").Desc("issue.created_unix").Desc("issue.id")
 	default:
 		sess.Desc("issue.created_unix").Desc("issue.id")

models/project/column.go

@@ -337,20 +337,6 @@ func SetDefaultColumn(ctx context.Context, projectID, columnID int64) error {
 	})
 }
 
-func GetColumnsByIDs(ctx context.Context, projectID int64, columnsIDs []int64) (ColumnList, error) {
-	columns := make([]*Column, 0, 5)
-	if len(columnsIDs) == 0 {
-		return columns, nil
-	}
-	if err := db.GetEngine(ctx).
-		Where("project_id =?", projectID).
-		In("id", columnsIDs).
-		OrderBy("sorting").Find(&columns); err != nil {
-		return nil, err
-	}
-	return columns, nil
-}
-
 // MoveColumnsOnProject sorts columns in a project
 func MoveColumnsOnProject(ctx context.Context, project *Project, sortedColumnIDs map[int64]int64) error {
 	return db.WithTx(ctx, func(ctx context.Context) error {

models/project/column_list.go

@@ -0,0 +1,42 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package project
+
+import (
+	"context"
+
+	"code.gitea.io/gitea/models/db"
+)
+
+// CountProjectColumns returns the total number of columns for a project
+func CountProjectColumns(ctx context.Context, projectID int64) (int64, error) {
+	return db.GetEngine(ctx).Where("project_id=?", projectID).Count(&Column{})
+}
+
+// GetProjectColumns returns a list of columns for a project with pagination
+func GetProjectColumns(ctx context.Context, projectID int64, opts db.ListOptions) (ColumnList, error) {
+	columns := make([]*Column, 0, opts.PageSize)
+	s := db.GetEngine(ctx).Where("project_id=?", projectID).OrderBy("sorting, id")
+	if !opts.IsListAll() {
+		db.SetSessionPagination(s, &opts)
+	}
+	if err := s.Find(&columns); err != nil {
+		return nil, err
+	}
+	return columns, nil
+}
+
+func GetColumnsByIDs(ctx context.Context, projectID int64, columnsIDs []int64) (ColumnList, error) {
+	columns := make([]*Column, 0, len(columnsIDs))
+	if len(columnsIDs) == 0 {
+		return columns, nil
+	}
+	if err := db.GetEngine(ctx).
+		Where("project_id =?", projectID).
+		In("id", columnsIDs).
+		OrderBy("sorting").Find(&columns); err != nil {
+		return nil, err
+	}
+	return columns, nil
+}

models/project/column_list_test.go

@@ -0,0 +1,66 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package project
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/models/db"
+	"code.gitea.io/gitea/models/unittest"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestProjectColumns(t *testing.T) {
+	assert.NoError(t, unittest.PrepareTestDatabase())
+	t.Run("CountProjectColumns", testCountProjectColumns)
+	t.Run("GetProjectColumns", testGetProjectColumns)
+	t.Run("GetColumnsByIDs", testGetColumnsByIDs)
+}
+
+func testCountProjectColumns(t *testing.T) {
+	project, err := GetProjectByID(t.Context(), 1)
+	assert.NoError(t, err)
+
+	count, err := CountProjectColumns(t.Context(), project.ID)
+	assert.NoError(t, err)
+	assert.EqualValues(t, 3, count)
+}
+
+func testGetProjectColumns(t *testing.T) {
+	project, err := GetProjectByID(t.Context(), 1)
+	assert.NoError(t, err)
+
+	// Page 1, limit 2 — returns first 2 columns
+	page1, err := GetProjectColumns(t.Context(), project.ID, db.ListOptions{Page: 1, PageSize: 2})
+	assert.NoError(t, err)
+	assert.Len(t, page1, 2)
+
+	// Page 2, limit 2 — returns remaining column
+	page2, err := GetProjectColumns(t.Context(), project.ID, db.ListOptions{Page: 2, PageSize: 2})
+	assert.NoError(t, err)
+	assert.Len(t, page2, 1)
+
+	// Page 1 and page 2 together cover all columns with no overlap
+	allIDs := make(map[int64]bool)
+	for _, c := range append(page1, page2...) {
+		assert.False(t, allIDs[c.ID], "duplicate column ID %d across pages", c.ID)
+		allIDs[c.ID] = true
+	}
+	assert.Len(t, allIDs, 3)
+}
+
+func testGetColumnsByIDs(t *testing.T) {
+	project, err := GetProjectByID(t.Context(), 1)
+	assert.NoError(t, err)
+
+	columns, err := GetColumnsByIDs(t.Context(), project.ID, []int64{1, 3, 4})
+	assert.NoError(t, err)
+	assert.Len(t, columns, 2)
+	assert.ElementsMatch(t, []int64{1, 3}, []int64{columns[0].ID, columns[1].ID})
+
+	empty, err := GetColumnsByIDs(t.Context(), project.ID, nil)
+	assert.NoError(t, err)
+	assert.Empty(t, empty)
+}

models/project/column_test.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"testing"
 
+	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/unittest"
 
 	"github.com/stretchr/testify/assert"
@@ -79,7 +80,7 @@ func Test_MoveColumnsOnProject(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 
 	project1 := unittest.AssertExistsAndLoadBean(t, &Project{ID: 1})
-	columns, err := project1.GetColumns(t.Context())
+	columns, err := GetProjectColumns(t.Context(), project1.ID, db.ListOptionsAll)
 	assert.NoError(t, err)
 	assert.Len(t, columns, 3)
 	assert.EqualValues(t, 0, columns[0].Sorting) // even if there is no default sorting, the code should also work
@@ -93,7 +94,7 @@ func Test_MoveColumnsOnProject(t *testing.T) {
 	})
 	assert.NoError(t, err)
 
-	columnsAfter, err := project1.GetColumns(t.Context())
+	columnsAfter, err := GetProjectColumns(t.Context(), project1.ID, db.ListOptionsAll)
 	assert.NoError(t, err)
 	assert.Len(t, columnsAfter, 3)
 	assert.Equal(t, columns[1].ID, columnsAfter[0].ID)
@@ -105,7 +106,7 @@ func Test_NewColumn(t *testing.T) {
 	assert.NoError(t, unittest.PrepareTestDatabase())
 
 	project1 := unittest.AssertExistsAndLoadBean(t, &Project{ID: 1})
-	columns, err := project1.GetColumns(t.Context())
+	columns, err := GetProjectColumns(t.Context(), project1.ID, db.ListOptionsAll)
 	assert.NoError(t, err)
 	assert.Len(t, columns, 3)
 

models/project/issue.go

@@ -33,6 +33,14 @@ func deleteProjectIssuesByProjectID(ctx context.Context, projectID int64) error
 	return err
 }
 
+func IsIssueInColumn(ctx context.Context, issueID, projectID, columnID int64) (bool, error) {
+	return db.GetEngine(ctx).Exist(&ProjectIssue{
+		IssueID:         issueID,
+		ProjectID:       projectID,
+		ProjectColumnID: columnID,
+	})
+}
+
 // GetColumnIssueNextSorting returns the sorting value to append an issue at the end of the column.
 func GetColumnIssueNextSorting(ctx context.Context, projectID, columnID int64) (int64, error) {
 	res := struct {
@@ -87,3 +95,19 @@ func DeleteAllProjectIssueByIssueIDsAndProjectIDs(ctx context.Context, issueIDs,
 	_, err := db.GetEngine(ctx).In("project_id", projectIDs).In("issue_id", issueIDs).Delete(&ProjectIssue{})
 	return err
 }
+
+// MoveIssueToColumn moves a single issue to a specific column within a project.
+func MoveIssueToColumn(ctx context.Context, issueID, projectID, columnID int64) error {
+	nextSorting, err := GetColumnIssueNextSorting(ctx, projectID, columnID)
+	if err != nil {
+		return err
+	}
+	_, err = db.GetEngine(ctx).
+		Where("issue_id=? AND project_id=?", issueID, projectID).
+		Cols("project_board_id", "sorting").
+		Update(&ProjectIssue{
+			ProjectColumnID: columnID,
+			Sorting:         nextSorting,
+		})
+	return err
+}

modules/indexer/issues/dboptions.go

@@ -97,7 +97,7 @@ func ToSearchOptions(keyword string, opts *issues_model.IssuesOptions) *SearchOp
 		searchOpt.SortBy = SortByDeadlineAsc
 	case "farduedate":
 		searchOpt.SortBy = SortByDeadlineDesc
-	case "priority", "priorityrepo", "project-column-sorting":
+	case "priority", "priorityrepo", issues_model.SortTypeProjectColumnSorting:
 		// Unsupported sort type for search
 		fallthrough
 	default:

modules/structs/project.go

@@ -7,27 +7,101 @@ import (
 	"time"
 )
 
-// Project represents a project
+// Project represents a project.
+//
+// Gitea projects can only contain issues — note cards and pull requests are
+// not modeled as project items.
+//
 // swagger:model
 type Project struct {
-	// ID is the unique identifier for the project
-	ID int64 `json:"id"`
-	// Title is the title of the project
-	Title string `json:"title"`
-	// Description provides details about the project
-	Description string `json:"description"`
-	// OwnerID is the owner of the project (for org-level projects)
-	OwnerID int64 `json:"owner_id,omitempty"`
-	// RepoID is the repository this project belongs to (for repo-level projects)
-	RepoID int64 `json:"repo_id,omitempty"`
-	// CreatorID is the user who created the project
-	CreatorID int64 `json:"creator_id"`
-	// IsClosed indicates if the project is closed
-	IsClosed bool `json:"is_closed"`
+	ID          int64     `json:"id"`
+	Title       string    `json:"title"`
+	Description string    `json:"description"`
+	OwnerID     int64     `json:"owner_id,omitempty"`
+	RepoID      int64     `json:"repo_id,omitempty"`
+	Creator     *User     `json:"creator,omitempty"`
+	State       StateType `json:"state"`
+	// Template type: "none", "basic_kanban" or "bug_triage"
+	TemplateType string `json:"template_type"`
+	// Card type: "text_only" or "images_and_text"
+	CardType string `json:"card_type"`
+	// Project type: "individual", "repository" or "organization"
+	Type            string `json:"type"`
+	NumOpenIssues   int64  `json:"num_open_issues,omitempty"`
+	NumClosedIssues int64  `json:"num_closed_issues,omitempty"`
+	NumIssues       int64  `json:"num_issues,omitempty"`
 	// swagger:strfmt date-time
-	Created time.Time `json:"created_at"`
+	CreatedAt time.Time `json:"created_at"`
 	// swagger:strfmt date-time
-	Updated time.Time `json:"updated_at"`
+	UpdatedAt time.Time `json:"updated_at"`
 	// swagger:strfmt date-time
-	Closed *time.Time `json:"closed_at,omitempty"`
+	ClosedAt *time.Time `json:"closed_at,omitempty"`
+	HTMLURL  string     `json:"html_url,omitempty"`
+}
+
+// CreateProjectOption represents options for creating a project
+// swagger:model
+type CreateProjectOption struct {
+	// required: true
+	Title       string `json:"title" binding:"Required"`
+	Description string `json:"description"`
+	// Template type: "none", "basic_kanban" or "bug_triage"
+	TemplateType string `json:"template_type"`
+	// Card type: "text_only" or "images_and_text"
+	CardType string `json:"card_type"`
+}
+
+// EditProjectOption represents options for editing a project
+// swagger:model
+type EditProjectOption struct {
+	Title       *string `json:"title,omitempty"`
+	Description *string `json:"description,omitempty"`
+	// Card type: "text_only" or "images_and_text"
+	CardType *string    `json:"card_type,omitempty"`
+	State    *StateType `json:"state,omitempty"`
+}
+
+// ProjectColumn represents a project column (board)
+// swagger:model
+type ProjectColumn struct {
+	ID        int64  `json:"id"`
+	Title     string `json:"title"`
+	Default   bool   `json:"default"`
+	Sorting   int    `json:"sorting"`
+	Color     string `json:"color,omitempty"`
+	ProjectID int64  `json:"project_id"`
+	Creator   *User  `json:"creator,omitempty"`
+	NumIssues int64  `json:"num_issues,omitempty"`
+	// swagger:strfmt date-time
+	CreatedAt time.Time `json:"created_at"`
+	// swagger:strfmt date-time
+	UpdatedAt time.Time `json:"updated_at"`
+}
+
+// CreateProjectColumnOption represents options for creating a project column
+// swagger:model
+type CreateProjectColumnOption struct {
+	// required: true
+	Title string `json:"title" binding:"Required"`
+	// Column color in 6-digit hex format, e.g. #FF0000
+	Color string `json:"color,omitempty"`
+}
+
+// EditProjectColumnOption represents options for editing a project column
+// swagger:model
+type EditProjectColumnOption struct {
+	Title *string `json:"title,omitempty"`
+	// Column color in 6-digit hex format, e.g. #FF0000
+	Color   *string `json:"color,omitempty"`
+	Sorting *int    `json:"sorting,omitempty"`
+}
+
+// MoveProjectIssueOption represents options for moving an issue between columns
+// swagger:model
+type MoveProjectIssueOption struct {
+	// Target column to move the issue into
+	// required: true
+	ColumnID int64 `json:"column_id" binding:"Required"`
+	// Optional sorting position within the target column
+	Sorting *int64 `json:"sorting,omitempty"`
 }

routers/api/v1/api.go

@@ -1575,6 +1575,26 @@ func Routes() *web.Router {
 						Patch(reqToken(), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), bind(api.EditMilestoneOption{}), repo.EditMilestone).
 						Delete(reqToken(), reqRepoWriter(unit.TypeIssues, unit.TypePullRequests), repo.DeleteMilestone)
 				})
+				m.Group("/projects", func() {
+					m.Combo("").Get(repo.ListProjects).
+						Post(reqToken(), reqRepoWriter(unit.TypeProjects), mustNotBeArchived, bind(api.CreateProjectOption{}), repo.CreateProject)
+					m.Group("/{id}", func() {
+						m.Combo("").Get(repo.GetProject).
+							Patch(reqToken(), reqRepoWriter(unit.TypeProjects), mustNotBeArchived, bind(api.EditProjectOption{}), repo.EditProject).
+							Delete(reqToken(), reqRepoWriter(unit.TypeProjects), mustNotBeArchived, repo.DeleteProject)
+						m.Combo("/columns").Get(repo.ListProjectColumns).
+							Post(reqToken(), reqRepoWriter(unit.TypeProjects), mustNotBeArchived, bind(api.CreateProjectColumnOption{}), repo.CreateProjectColumn)
+						m.Group("/columns/{column_id}", func() {
+							m.Combo("").
+								Patch(reqToken(), reqRepoWriter(unit.TypeProjects), mustNotBeArchived, bind(api.EditProjectColumnOption{}), repo.EditProjectColumn).
+								Delete(reqToken(), reqRepoWriter(unit.TypeProjects), mustNotBeArchived, repo.DeleteProjectColumn)
+							m.Get("/issues", repo.ListProjectColumnIssues)
+							m.Post("/issues/{issue_id}", reqToken(), reqRepoWriter(unit.TypeProjects), mustNotBeArchived, repo.AddIssueToProjectColumn)
+							m.Delete("/issues/{issue_id}", reqToken(), reqRepoWriter(unit.TypeProjects), mustNotBeArchived, repo.RemoveIssueFromProjectColumn)
+						})
+						m.Post("/issues/{issue_id}/move", reqToken(), reqRepoWriter(unit.TypeProjects), mustNotBeArchived, bind(api.MoveProjectIssueOption{}), repo.MoveProjectIssue)
+					})
+				}, reqRepoReader(unit.TypeProjects))
 			}, repoAssignment(), checkTokenPublicOnly())
 		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryIssue))
 

routers/api/v1/swagger/options.go

@@ -233,4 +233,17 @@ type swaggerParameterBodies struct {
 
 	// in:body
 	LockIssueOption api.LockIssueOption
+
+	// in:body
+	CreateProjectOption api.CreateProjectOption
+	// in:body
+	EditProjectOption api.EditProjectOption
+
+	// in:body
+	CreateProjectColumnOption api.CreateProjectColumnOption
+	// in:body
+	EditProjectColumnOption api.EditProjectColumnOption
+
+	// in:body
+	MoveProjectIssueOption api.MoveProjectIssueOption
 }

routers/api/v1/swagger/project.go

@@ -0,0 +1,36 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package swagger
+
+import (
+	api "code.gitea.io/gitea/modules/structs"
+)
+
+// Project
+// swagger:response Project
+type swaggerResponseProject struct {
+	// in:body
+	Body api.Project `json:"body"`
+}
+
+// ProjectList
+// swagger:response ProjectList
+type swaggerResponseProjectList struct {
+	// in:body
+	Body []api.Project `json:"body"`
+}
+
+// ProjectColumn
+// swagger:response ProjectColumn
+type swaggerResponseProjectColumn struct {
+	// in:body
+	Body api.ProjectColumn `json:"body"`
+}
+
+// ProjectColumnList
+// swagger:response ProjectColumnList
+type swaggerResponseProjectColumnList struct {
+	// in:body
+	Body []api.ProjectColumn `json:"body"`
+}

routers/web/org/projects.go

@@ -309,7 +309,7 @@ func ViewProject(ctx *context.Context) {
 		return
 	}
 
-	columns, err := project.GetColumns(ctx)
+	columns, err := project_model.GetProjectColumns(ctx, project.ID, db.ListOptionsAll)
 	if err != nil {
 		ctx.ServerError("GetProjectColumns", err)
 		return

routers/web/repo/projects.go

@@ -449,6 +449,14 @@ func UpdateIssueProject(ctx *context.Context) {
 	}
 
 	projectIDs := ctx.FormStringInt64s("id")
+	// Remove zero values - id=0 means "remove from all projects"
+	filteredIDs := make([]int64, 0, len(projectIDs))
+	for _, id := range projectIDs {
+		if id != 0 {
+			filteredIDs = append(filteredIDs, id)
+		}
+	}
+	projectIDs = filteredIDs
 	var failedIssues []int64
 	for _, issue := range issues {
 		if err := issues_model.IssueAssignOrRemoveProject(ctx, issue, ctx.Doer, projectIDs); err != nil {

services/convert/issue.go

@@ -99,7 +99,7 @@ func toIssue(ctx context.Context, doer *user_model.User, issue *issues_model.Iss
 		return &api.Issue{}
 	}
 	if len(issue.Projects) > 0 {
-		apiIssue.Projects = ToAPIProjectList(issue.Projects)
+		apiIssue.Projects = ToProjectList(ctx, issue.Projects, doer)
 	}
 
 	if err := issue.LoadAssignees(ctx); err != nil {

services/convert/project.go

@@ -4,34 +4,179 @@
 package convert
 
 import (
+	"context"
+	"fmt"
+
 	project_model "code.gitea.io/gitea/models/project"
+	user_model "code.gitea.io/gitea/models/user"
+	"code.gitea.io/gitea/modules/container"
 	api "code.gitea.io/gitea/modules/structs"
 )
 
-// ToAPIProject converts a Project to API format
-func ToAPIProject(p *project_model.Project) *api.Project {
-	apiProject := &api.Project{
-		ID:          p.ID,
-		Title:       p.Title,
-		Description: p.Description,
-		OwnerID:     p.OwnerID,
-		RepoID:      p.RepoID,
-		CreatorID:   p.CreatorID,
-		IsClosed:    p.IsClosed,
-		Created:     p.CreatedUnix.AsTime(),
-		Updated:     p.UpdatedUnix.AsTime(),
+func ProjectTemplateTypeToString(t project_model.TemplateType) string {
+	switch t {
+	case project_model.TemplateTypeBasicKanban:
+		return "basic_kanban"
+	case project_model.TemplateTypeBugTriage:
+		return "bug_triage"
+	default:
+		return "none"
 	}
-	if p.IsClosed && p.ClosedDateUnix > 0 {
-		apiProject.Closed = p.ClosedDateUnix.AsTimePtr()
-	}
-	return apiProject
 }
 
-// ToAPIProjectList converts a list of Projects to API format
-func ToAPIProjectList(projects []*project_model.Project) []*api.Project {
+func ProjectTemplateTypeFromString(s string) (project_model.TemplateType, error) {
+	switch s {
+	case "", "none":
+		return project_model.TemplateTypeNone, nil
+	case "basic_kanban":
+		return project_model.TemplateTypeBasicKanban, nil
+	case "bug_triage":
+		return project_model.TemplateTypeBugTriage, nil
+	default:
+		return 0, fmt.Errorf("invalid template_type %q (expected none, basic_kanban, bug_triage)", s)
+	}
+}
+
+func ProjectCardTypeToString(t project_model.CardType) string {
+	switch t {
+	case project_model.CardTypeImagesAndText:
+		return "images_and_text"
+	default:
+		return "text_only"
+	}
+}
+
+func ProjectCardTypeFromString(s string) (project_model.CardType, error) {
+	switch s {
+	case "", "text_only":
+		return project_model.CardTypeTextOnly, nil
+	case "images_and_text":
+		return project_model.CardTypeImagesAndText, nil
+	default:
+		return 0, fmt.Errorf("invalid card_type %q (expected text_only, images_and_text)", s)
+	}
+}
+
+func ProjectTypeToString(t project_model.Type) string {
+	switch t {
+	case project_model.TypeIndividual:
+		return "individual"
+	case project_model.TypeRepository:
+		return "repository"
+	case project_model.TypeOrganization:
+		return "organization"
+	default:
+		return ""
+	}
+}
+
+// loadProjectCreators batch-fetches creators for the given projects + columns and
+// returns a map keyed by user ID. Errors are surfaced; missing users are silently
+// skipped (their creator field stays nil), matching the convention of other list
+// converters that tolerate deleted users.
+func loadProjectCreators(ctx context.Context, projects []*project_model.Project, columns []*project_model.Column) (map[int64]*user_model.User, error) {
+	idSet := container.Set[int64]{}
+	for _, p := range projects {
+		if p.CreatorID > 0 {
+			idSet.Add(p.CreatorID)
+		}
+	}
+	for _, c := range columns {
+		if c.CreatorID > 0 {
+			idSet.Add(c.CreatorID)
+		}
+	}
+	if len(idSet) == 0 {
+		return map[int64]*user_model.User{}, nil
+	}
+	return user_model.GetUsersMapByIDs(ctx, idSet.Values())
+}
+
+// ToProject converts a project_model.Project to api.Project.
+// Caller is expected to preload p.Repo / p.Owner to avoid N+1 lookups.
+func ToProject(ctx context.Context, p *project_model.Project, doer *user_model.User) *api.Project {
+	creators, _ := loadProjectCreators(ctx, []*project_model.Project{p}, nil)
+	return toProject(ctx, p, doer, creators)
+}
+
+func toProject(ctx context.Context, p *project_model.Project, doer *user_model.User, creators map[int64]*user_model.User) *api.Project {
+	state := api.StateOpen
+	if p.IsClosed {
+		state = api.StateClosed
+	}
+
+	project := &api.Project{
+		ID:              p.ID,
+		Title:           p.Title,
+		Description:     p.Description,
+		OwnerID:         p.OwnerID,
+		RepoID:          p.RepoID,
+		State:           state,
+		TemplateType:    ProjectTemplateTypeToString(p.TemplateType),
+		CardType:        ProjectCardTypeToString(p.CardType),
+		Type:            ProjectTypeToString(p.Type),
+		NumOpenIssues:   p.NumOpenIssues,
+		NumClosedIssues: p.NumClosedIssues,
+		NumIssues:       p.NumIssues,
+		CreatedAt:       p.CreatedUnix.AsTime(),
+		UpdatedAt:       p.UpdatedUnix.AsTime(),
+	}
+
+	if p.ClosedDateUnix > 0 {
+		t := p.ClosedDateUnix.AsTime()
+		project.ClosedAt = &t
+	}
+
+	if creator, ok := creators[p.CreatorID]; ok {
+		project.Creator = ToUser(ctx, creator, doer)
+	}
+
+	if p.Type == project_model.TypeRepository && p.Repo != nil {
+		project.HTMLURL = p.Repo.HTMLURL() + fmt.Sprintf("/projects/%d", p.ID)
+	} else if p.Owner != nil {
+		project.HTMLURL = p.Owner.HTMLURL(ctx) + fmt.Sprintf("/-/projects/%d", p.ID)
+	}
+
+	return project
+}
+
+func ToProjectColumn(ctx context.Context, column *project_model.Column, doer *user_model.User) *api.ProjectColumn {
+	creators, _ := loadProjectCreators(ctx, nil, []*project_model.Column{column})
+	return toProjectColumn(ctx, column, doer, creators)
+}
+
+func toProjectColumn(ctx context.Context, column *project_model.Column, doer *user_model.User, creators map[int64]*user_model.User) *api.ProjectColumn {
+	apiColumn := &api.ProjectColumn{
+		ID:        column.ID,
+		Title:     column.Title,
+		Default:   column.Default,
+		Sorting:   int(column.Sorting),
+		Color:     column.Color,
+		ProjectID: column.ProjectID,
+		NumIssues: column.NumIssues,
+		CreatedAt: column.CreatedUnix.AsTime(),
+		UpdatedAt: column.UpdatedUnix.AsTime(),
+	}
+	if creator, ok := creators[column.CreatorID]; ok {
+		apiColumn.Creator = ToUser(ctx, creator, doer)
+	}
+	return apiColumn
+}
+
+func ToProjectList(ctx context.Context, projects []*project_model.Project, doer *user_model.User) []*api.Project {
+	creators, _ := loadProjectCreators(ctx, projects, nil)
 	result := make([]*api.Project, len(projects))
-	for i := range projects {
-		result[i] = ToAPIProject(projects[i])
+	for i, p := range projects {
+		result[i] = toProject(ctx, p, doer, creators)
+	}
+	return result
+}
+
+func ToProjectColumnList(ctx context.Context, columns []*project_model.Column, doer *user_model.User) []*api.ProjectColumn {
+	creators, _ := loadProjectCreators(ctx, nil, columns)
+	result := make([]*api.ProjectColumn, len(columns))
+	for i, column := range columns {
+		result[i] = toProjectColumn(ctx, column, doer, creators)
 	}
 	return result
 }

services/projects/issue.go

@@ -17,6 +17,10 @@ import (
 	"code.gitea.io/gitea/modules/optional"
 )
 
+// ErrIssueNotInProject is returned when MoveIssuesOnProjectColumn is asked to move
+// issues that aren't yet attached to the column's project.
+var ErrIssueNotInProject = errors.New("all issues have to be added to a project first")
+
 // MoveIssuesOnProjectColumn moves or keeps issues in a column and sorts them inside that column
 func MoveIssuesOnProjectColumn(ctx context.Context, doer *user_model.User, column *project_model.Column, sortedIssueIDs map[int64]int64) error {
 	return db.WithTx(ctx, func(ctx context.Context) error {
@@ -32,7 +36,7 @@ func MoveIssuesOnProjectColumn(ctx context.Context, doer *user_model.User, colum
 			return err
 		}
 		if int(count) != len(sortedIssueIDs) {
-			return errors.New("all issues have to be added to a project first")
+			return ErrIssueNotInProject
 		}
 
 		issues, err := issues_model.GetIssuesByIDs(ctx, issueIDs)
@@ -63,7 +67,6 @@ func MoveIssuesOnProjectColumn(ctx context.Context, doer *user_model.User, colum
 			if err != nil {
 				return err
 			}
-
 			projectColumnID := projectColumnMap[column.ProjectID]
 
 			if projectColumnID != column.ID {
@@ -82,16 +85,7 @@ func MoveIssuesOnProjectColumn(ctx context.Context, doer *user_model.User, colum
 				}
 			}
 
-			// Update the column and sorting for this specific issue in this specific project.
-			// IMPORTANT: The WHERE clause must include both issue_id AND project_id to ensure
-			// that moving an issue's column in one project doesn't affect its column in other
-			// projects when the issue is assigned to multiple projects.
-			_, err = db.GetEngine(ctx).Table("project_issue").
-				Where("issue_id = ? AND project_id = ?", issueID, column.ProjectID).
-				Update(map[string]any{
-					"project_board_id": column.ID,
-					"sorting":          sorting,
-				})
+			_, err = db.Exec(ctx, "UPDATE `project_issue` SET project_board_id=?, sorting=? WHERE issue_id=?", column.ID, sorting, issueID)
 			if err != nil {
 				return err
 			}
@@ -129,7 +123,7 @@ func LoadIssuesAssigneesForProject(ctx context.Context, issuesMap map[int64]issu
 func LoadIssuesFromProject(ctx context.Context, project *project_model.Project, opts *issues_model.IssuesOptions) (results map[int64]issues_model.IssueList, _ error) {
 	issueList, err := issues_model.Issues(ctx, opts.Copy(func(o *issues_model.IssuesOptions) {
 		o.ProjectIDs = []int64{project.ID}
-		o.SortType = "project-column-sorting"
+		o.SortType = issues_model.SortTypeProjectColumnSorting
 	}))
 	if err != nil {
 		return nil, err

services/projects/project.go

@@ -0,0 +1,44 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package project
+
+import (
+	"context"
+
+	"code.gitea.io/gitea/models/db"
+	project_model "code.gitea.io/gitea/models/project"
+	"code.gitea.io/gitea/modules/optional"
+)
+
+// UpdateProjectOptions represents updatable project fields. Fields with no value are left unchanged.
+type UpdateProjectOptions struct {
+	Title       optional.Option[string]
+	Description optional.Option[string]
+	CardType    optional.Option[project_model.CardType]
+	IsClosed    optional.Option[bool]
+}
+
+// UpdateProject applies the provided options to the project atomically.
+func UpdateProject(ctx context.Context, project *project_model.Project, opts UpdateProjectOptions) error {
+	return db.WithTx(ctx, func(ctx context.Context) error {
+		if opts.Title.Has() {
+			project.Title = opts.Title.Value()
+		}
+		if opts.Description.Has() {
+			project.Description = opts.Description.Value()
+		}
+		if opts.CardType.Has() {
+			project.CardType = opts.CardType.Value()
+		}
+		if err := project_model.UpdateProject(ctx, project); err != nil {
+			return err
+		}
+		if opts.IsClosed.Has() && opts.IsClosed.Value() != project.IsClosed {
+			if err := project_model.ChangeProjectStatus(ctx, project, opts.IsClosed.Value()); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+}

tests/integration/api_repo_project_test.go

@@ -0,0 +1,686 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package integration
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	auth_model "code.gitea.io/gitea/models/auth"
+	issues_model "code.gitea.io/gitea/models/issues"
+	project_model "code.gitea.io/gitea/models/project"
+	repo_model "code.gitea.io/gitea/models/repo"
+	"code.gitea.io/gitea/models/unittest"
+	user_model "code.gitea.io/gitea/models/user"
+	api "code.gitea.io/gitea/modules/structs"
+	"code.gitea.io/gitea/tests"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAPIProjects(t *testing.T) {
+	defer tests.PrepareTestEnv(t)()
+	t.Run("ListProjects", testAPIListProjects)
+	t.Run("GetProject", testAPIGetProject)
+	t.Run("CreateProject", testAPICreateProject)
+	t.Run("UpdateProject", testAPIUpdateProject)
+	t.Run("ChangeProjectStatus", testAPIChangeProjectStatus)
+	t.Run("DeleteProject", testAPIDeleteProject)
+	t.Run("ListProjectColumns", testAPIListProjectColumns)
+	t.Run("CreateProjectColumn", testAPICreateProjectColumn)
+	t.Run("UpdateProjectColumn", testAPIUpdateProjectColumn)
+	t.Run("DeleteProjectColumn", testAPIDeleteProjectColumn)
+	t.Run("AddIssueToProjectColumn", testAPIAddIssueToProjectColumn)
+	t.Run("RemoveIssueFromProjectColumn", testAPIRemoveIssueFromProjectColumn)
+	t.Run("ListProjectColumnIssues", testAPIListProjectColumnIssues)
+	t.Run("Permissions", testAPIProjectPermissions)
+}
+
+func testAPIListProjects(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeReadIssue)
+
+	// Test listing all projects
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects", owner.Name, repo.Name).
+		AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	var projects []*api.Project
+	DecodeJSON(t, resp, &projects)
+
+	// Test state filter - open
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects?state=open", owner.Name, repo.Name).
+		AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &projects)
+	for _, project := range projects {
+		assert.Equal(t, api.StateOpen, project.State, "Project should be open")
+	}
+
+	// Test state filter - all
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects?state=all", owner.Name, repo.Name).
+		AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &projects)
+
+	// Test pagination
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects?page=1&limit=5", owner.Name, repo.Name).
+		AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusOK)
+}
+
+func testAPIGetProject(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	// Create a test project
+	project := &project_model.Project{
+		Title:        "Test Project for API",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeReadIssue)
+
+	// Test getting the project
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID).
+		AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	var apiProject api.Project
+	DecodeJSON(t, resp, &apiProject)
+	assert.Equal(t, project.Title, apiProject.Title)
+	assert.Equal(t, project.ID, apiProject.ID)
+	assert.Equal(t, repo.ID, apiProject.RepoID)
+	assert.NotEmpty(t, apiProject.HTMLURL)
+
+	// Test getting non-existent project
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects/99999", owner.Name, repo.Name).
+		AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+}
+
+func testAPICreateProject(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	// Test creating a project
+	req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects", owner.Name, repo.Name), &api.CreateProjectOption{
+		Title:        "API Created Project",
+		Description:  "This is a test project created via API",
+		TemplateType: "basic_kanban",
+		CardType:     "images_and_text",
+	}).AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusCreated)
+
+	var project api.Project
+	DecodeJSON(t, resp, &project)
+	assert.Equal(t, "API Created Project", project.Title)
+	assert.Equal(t, "This is a test project created via API", project.Description)
+	assert.Equal(t, "basic_kanban", project.TemplateType)
+	assert.Equal(t, "images_and_text", project.CardType)
+	assert.Equal(t, api.StateOpen, project.State)
+
+	// Test creating with minimal data
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects", owner.Name, repo.Name), &api.CreateProjectOption{
+		Title: "Minimal Project",
+	}).AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusCreated)
+
+	var minimalProject api.Project
+	DecodeJSON(t, resp, &minimalProject)
+	assert.Equal(t, "Minimal Project", minimalProject.Title)
+
+	// Test creating without authentication
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects", owner.Name, repo.Name), &api.CreateProjectOption{
+		Title: "Unauthorized Project",
+	})
+	MakeRequest(t, req, http.StatusUnauthorized)
+
+	// Test creating with invalid data (empty title)
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects", owner.Name, repo.Name), &api.CreateProjectOption{
+		Title: "",
+	}).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusUnprocessableEntity)
+}
+
+func testAPIUpdateProject(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	// Create a test project
+	project := &project_model.Project{
+		Title:        "Project to Update",
+		Description:  "Original description",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	// Test updating project title and description
+	newTitle := "Updated Project Title"
+	newDesc := "Updated description"
+	req := NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID), &api.EditProjectOption{
+		Title:       &newTitle,
+		Description: &newDesc,
+	}).AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	var updatedProject api.Project
+	DecodeJSON(t, resp, &updatedProject)
+	assert.Equal(t, newTitle, updatedProject.Title)
+	assert.Equal(t, newDesc, updatedProject.Description)
+
+	// Test updating non-existent project
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/99999", owner.Name, repo.Name), &api.EditProjectOption{
+		Title: &newTitle,
+	}).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+}
+
+func testAPIChangeProjectStatus(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	project := &project_model.Project{
+		Title:        "Project to Close",
+		Description:  "Project to close and reopen",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	closed := api.StateClosed
+	req := NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID), &api.EditProjectOption{
+		State: &closed,
+	}).AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	var updatedProject api.Project
+	DecodeJSON(t, resp, &updatedProject)
+	assert.Equal(t, api.StateClosed, updatedProject.State)
+	assert.NotNil(t, updatedProject.ClosedAt)
+
+	open := api.StateOpen
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID), &api.EditProjectOption{
+		State: &open,
+	}).AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusOK)
+
+	DecodeJSON(t, resp, &updatedProject)
+	assert.Equal(t, api.StateOpen, updatedProject.State)
+
+	bogus := api.StateType("reopen")
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID), &api.EditProjectOption{
+		State: &bogus,
+	}).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusUnprocessableEntity)
+}
+
+func testAPIDeleteProject(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	// Create a test project
+	project := &project_model.Project{
+		Title:        "Project to Delete",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	// Test deleting the project
+	req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID).
+		AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNoContent)
+
+	// Test deleting non-existent project (including the one we just deleted)
+	req = NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID).
+		AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+}
+
+func testAPIListProjectColumns(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	// Create a test project
+	project := &project_model.Project{
+		Title:        "Project for Columns Test",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+
+	// Create test columns
+	for i := 1; i <= 3; i++ {
+		column := &project_model.Column{
+			Title:     fmt.Sprintf("Column %d", i),
+			ProjectID: project.ID,
+			CreatorID: owner.ID,
+		}
+		err = project_model.NewColumn(t.Context(), column)
+		assert.NoError(t, err)
+	}
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeReadIssue)
+
+	// Test listing all columns — X-Total-Count must equal 3
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects/%d/columns", owner.Name, repo.Name, project.ID).
+		AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	var columns []*api.ProjectColumn
+	DecodeJSON(t, resp, &columns)
+	assert.Len(t, columns, 3)
+	assert.Equal(t, "Column 1", columns[0].Title)
+	assert.Equal(t, "Column 2", columns[1].Title)
+	assert.Equal(t, "Column 3", columns[2].Title)
+	assert.Equal(t, "3", resp.Header().Get("X-Total-Count"))
+
+	// Test pagination: page 1 with limit 2 returns first 2 columns, total count still 3
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects/%d/columns?page=1&limit=2", owner.Name, repo.Name, project.ID).
+		AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &columns)
+	assert.Len(t, columns, 2)
+	assert.Equal(t, "Column 1", columns[0].Title)
+	assert.Equal(t, "Column 2", columns[1].Title)
+	assert.Equal(t, "3", resp.Header().Get("X-Total-Count"))
+
+	// Test pagination: page 2 with limit 2 returns remaining column
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects/%d/columns?page=2&limit=2", owner.Name, repo.Name, project.ID).
+		AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusOK)
+	DecodeJSON(t, resp, &columns)
+	assert.Len(t, columns, 1)
+	assert.Equal(t, "Column 3", columns[0].Title)
+	assert.Equal(t, "3", resp.Header().Get("X-Total-Count"))
+
+	// Test listing columns for non-existent project
+	req = NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects/99999/columns", owner.Name, repo.Name).
+		AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+}
+
+func testAPICreateProjectColumn(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	// Create a test project
+	project := &project_model.Project{
+		Title:        "Project for Column Creation",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	// Test creating a column with color
+	req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns", owner.Name, repo.Name, project.ID), &api.CreateProjectColumnOption{
+		Title: "New Column",
+		Color: "#FF5733",
+	}).AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusCreated)
+
+	var column api.ProjectColumn
+	DecodeJSON(t, resp, &column)
+	assert.Equal(t, "New Column", column.Title)
+	assert.Equal(t, "#FF5733", column.Color)
+	assert.Equal(t, project.ID, column.ProjectID)
+
+	// Test creating a column without color
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns", owner.Name, repo.Name, project.ID), &api.CreateProjectColumnOption{
+		Title: "Simple Column",
+	}).AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusCreated)
+
+	DecodeJSON(t, resp, &column)
+	assert.Equal(t, "Simple Column", column.Title)
+
+	// Test creating with empty title
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns", owner.Name, repo.Name, project.ID), &api.CreateProjectColumnOption{
+		Title: "",
+	}).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusUnprocessableEntity)
+
+	// Test creating for non-existent project
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects/99999/columns", owner.Name, repo.Name), &api.CreateProjectColumnOption{
+		Title: "Orphan Column",
+	}).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+}
+
+func testAPIUpdateProjectColumn(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	// Create a test project and column
+	project := &project_model.Project{
+		Title:        "Project for Column Update",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+	column := &project_model.Column{
+		Title:     "Original Column",
+		ProjectID: project.ID,
+		CreatorID: owner.ID,
+		Color:     "#000000",
+	}
+	err = project_model.NewColumn(t.Context(), column)
+	assert.NoError(t, err)
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	// Test updating column title
+	newTitle := "Updated Column"
+	req := NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/%d", owner.Name, repo.Name, project.ID, column.ID), &api.EditProjectColumnOption{
+		Title: &newTitle,
+	}).AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	var updatedColumn api.ProjectColumn
+	DecodeJSON(t, resp, &updatedColumn)
+	assert.Equal(t, newTitle, updatedColumn.Title)
+
+	// Test updating column color
+	newColor := "#FF0000"
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/%d", owner.Name, repo.Name, project.ID, column.ID), &api.EditProjectColumnOption{
+		Color: &newColor,
+	}).AddTokenAuth(token)
+	resp = MakeRequest(t, req, http.StatusOK)
+
+	DecodeJSON(t, resp, &updatedColumn)
+	assert.Equal(t, newColor, updatedColumn.Color)
+
+	// Test updating non-existent column
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/99999", owner.Name, repo.Name, project.ID), &api.EditProjectColumnOption{
+		Title: &newTitle,
+	}).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+}
+
+func testAPIDeleteProjectColumn(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+
+	// Create a test project and column
+	project := &project_model.Project{
+		Title:        "Project for Column Deletion",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+	column := &project_model.Column{
+		Title:     "Column to Delete",
+		ProjectID: project.ID,
+		CreatorID: owner.ID,
+	}
+	err = project_model.NewColumn(t.Context(), column)
+	assert.NoError(t, err)
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	// Test deleting the column
+	req := NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/projects/%d/columns/%d", owner.Name, repo.Name, project.ID, column.ID).
+		AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNoContent)
+
+	// Test deleting non-existent column (including the one we just deleted)
+	req = NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/projects/%d/columns/%d", owner.Name, repo.Name, project.ID, column.ID).
+		AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+}
+
+func testAPIAddIssueToProjectColumn(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+	issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{RepoID: repo.ID})
+
+	// Create a test project and column
+	project := &project_model.Project{
+		Title:        "Project for Issue Assignment",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+
+	column1 := &project_model.Column{
+		Title:     "Column 1",
+		ProjectID: project.ID,
+		CreatorID: owner.ID,
+	}
+	err = project_model.NewColumn(t.Context(), column1)
+	assert.NoError(t, err)
+
+	column2 := &project_model.Column{
+		Title:     "Column 2",
+		ProjectID: project.ID,
+		CreatorID: owner.ID,
+	}
+	err = project_model.NewColumn(t.Context(), column2)
+	assert.NoError(t, err)
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	// Test adding issue to column
+	req := NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/%d/issues/%d", owner.Name, repo.Name, project.ID, column1.ID, issue.ID), nil).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusCreated)
+
+	// Verify issue is in the column
+	projectIssue := unittest.AssertExistsAndLoadBean(t, &project_model.ProjectIssue{
+		ProjectID: project.ID,
+		IssueID:   issue.ID,
+	})
+	assert.Equal(t, column1.ID, projectIssue.ProjectColumnID)
+
+	// Test moving issue to another column
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/%d/issues/%d", owner.Name, repo.Name, project.ID, column2.ID, issue.ID), nil).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusCreated)
+
+	// Verify issue moved to new column
+	projectIssue = unittest.AssertExistsAndLoadBean(t, &project_model.ProjectIssue{
+		ProjectID: project.ID,
+		IssueID:   issue.ID,
+	})
+	assert.Equal(t, column2.ID, projectIssue.ProjectColumnID)
+
+	// Test adding same issue to same column (should be idempotent)
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/%d/issues/%d", owner.Name, repo.Name, project.ID, column2.ID, issue.ID), nil).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusCreated)
+
+	// Test adding non-existent issue
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/%d/issues/%d", owner.Name, repo.Name, project.ID, column1.ID, 99999), nil).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+
+	// Test adding to non-existent column
+	req = NewRequestWithJSON(t, "POST", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/99999/issues/%d", owner.Name, repo.Name, project.ID, issue.ID), nil).AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+}
+
+func testAPIListProjectColumnIssues(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+	issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 1})
+	pull := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{ID: 2})
+
+	project := &project_model.Project{
+		Title:        "Project for Column Issues",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+
+	column := &project_model.Column{
+		Title:     "Column for Issues",
+		ProjectID: project.ID,
+		CreatorID: owner.ID,
+	}
+	err = project_model.NewColumn(t.Context(), column)
+	assert.NoError(t, err)
+
+	err = issues_model.IssueAssignOrRemoveProject(t.Context(), issue, owner, []int64{project.ID})
+	assert.NoError(t, err)
+	err = issues_model.IssueAssignOrRemoveProject(t.Context(), pull, owner, []int64{project.ID})
+	assert.NoError(t, err)
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeReadIssue)
+
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects/%d/columns/%d/issues", owner.Name, repo.Name, project.ID, column.ID).
+		AddTokenAuth(token)
+	resp := MakeRequest(t, req, http.StatusOK)
+
+	var issues []api.Issue
+	DecodeJSON(t, resp, &issues)
+	assert.Len(t, issues, 2)
+
+	issueIDs := make(map[int64]struct{}, len(issues))
+	for _, apiIssue := range issues {
+		issueIDs[apiIssue.ID] = struct{}{}
+	}
+	assert.Contains(t, issueIDs, issue.ID)
+	assert.Contains(t, issueIDs, pull.ID)
+}
+
+func testAPIRemoveIssueFromProjectColumn(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+	issue := unittest.AssertExistsAndLoadBean(t, &issues_model.Issue{RepoID: repo.ID})
+
+	project := &project_model.Project{
+		Title:        "Project for Issue Removal",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+
+	column := &project_model.Column{
+		Title:     "Column for Issue Removal",
+		ProjectID: project.ID,
+		CreatorID: owner.ID,
+	}
+	err = project_model.NewColumn(t.Context(), column)
+	assert.NoError(t, err)
+
+	otherColumn := &project_model.Column{
+		Title:     "Other Column",
+		ProjectID: project.ID,
+		CreatorID: owner.ID,
+	}
+	err = project_model.NewColumn(t.Context(), otherColumn)
+	assert.NoError(t, err)
+
+	err = issues_model.IssueAssignOrRemoveProject(t.Context(), issue, owner, []int64{project.ID})
+	assert.NoError(t, err)
+
+	token := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	// Removing via a column the issue does not live in must 404 and not detach the issue
+	req := NewRequestWithJSON(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/%d/issues/%d", owner.Name, repo.Name, project.ID, otherColumn.ID, issue.ID), nil).
+		AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNotFound)
+	unittest.AssertExistsAndLoadBean(t, &project_model.ProjectIssue{
+		ProjectID: project.ID,
+		IssueID:   issue.ID,
+	})
+
+	req = NewRequestWithJSON(t, "DELETE", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d/columns/%d/issues/%d", owner.Name, repo.Name, project.ID, column.ID, issue.ID), nil).
+		AddTokenAuth(token)
+	MakeRequest(t, req, http.StatusNoContent)
+
+	unittest.AssertNotExistsBean(t, &project_model.ProjectIssue{
+		ProjectID: project.ID,
+		IssueID:   issue.ID,
+	})
+}
+
+func testAPIProjectPermissions(t *testing.T) {
+	repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: 1})
+	owner := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: repo.OwnerID})
+	nonCollaborator := unittest.AssertExistsAndLoadBean(t, &user_model.User{Name: "user5"})
+
+	// Create a test project
+	project := &project_model.Project{
+		Title:        "Permission Test Project",
+		RepoID:       repo.ID,
+		Type:         project_model.TypeRepository,
+		CreatorID:    owner.ID,
+		TemplateType: project_model.TemplateTypeNone,
+	}
+	err := project_model.NewProject(t.Context(), project)
+	assert.NoError(t, err)
+
+	ownerToken := getUserToken(t, owner.Name, auth_model.AccessTokenScopeWriteIssue)
+	nonCollaboratorToken := getUserToken(t, nonCollaborator.Name, auth_model.AccessTokenScopeWriteIssue)
+
+	// Owner should be able to read
+	req := NewRequestf(t, "GET", "/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID).
+		AddTokenAuth(ownerToken)
+	MakeRequest(t, req, http.StatusOK)
+
+	// Owner should be able to update
+	newTitle := "Updated by Owner"
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID), &api.EditProjectOption{
+		Title: &newTitle,
+	}).AddTokenAuth(ownerToken)
+	MakeRequest(t, req, http.StatusOK)
+
+	// Non-collaborator should not be able to update
+	anotherTitle := "Updated by Non-collaborator"
+	req = NewRequestWithJSON(t, "PATCH", fmt.Sprintf("/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID), &api.EditProjectOption{
+		Title: &anotherTitle,
+	}).AddTokenAuth(nonCollaboratorToken)
+	MakeRequest(t, req, http.StatusForbidden)
+
+	// Non-collaborator should not be able to delete
+	req = NewRequestf(t, "DELETE", "/api/v1/repos/%s/%s/projects/%d", owner.Name, repo.Name, project.ID).
+		AddTokenAuth(nonCollaboratorToken)
+	MakeRequest(t, req, http.StatusForbidden)
+}

tests/integration/project_test.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 	"testing"
 
+	"code.gitea.io/gitea/models/db"
 	issues_model "code.gitea.io/gitea/models/issues"
 	project_model "code.gitea.io/gitea/models/project"
 	repo_model "code.gitea.io/gitea/models/repo"
@@ -60,7 +61,7 @@ func TestMoveRepoProjectColumns(t *testing.T) {
 		assert.NoError(t, err)
 	}
 
-	columns, err := project1.GetColumns(t.Context())
+	columns, err := project_model.GetProjectColumns(t.Context(), project1.ID, db.ListOptionsAll)
 	assert.NoError(t, err)
 	assert.Len(t, columns, 3)
 	assert.EqualValues(t, 0, columns[0].Sorting)
@@ -80,7 +81,7 @@ func TestMoveRepoProjectColumns(t *testing.T) {
 	})
 	sess.MakeRequest(t, req, http.StatusOK)
 
-	columnsAfter, err := project1.GetColumns(t.Context())
+	columnsAfter, err := project_model.GetProjectColumns(t.Context(), project1.ID, db.ListOptionsAll)
 	assert.NoError(t, err)
 	assert.Len(t, columnsAfter, 3)
 	assert.Equal(t, columns[1].ID, columnsAfter[0].ID)
@@ -90,26 +91,6 @@ func TestMoveRepoProjectColumns(t *testing.T) {
 	assert.NoError(t, project_model.DeleteProjectByID(t.Context(), project1.ID))
 }
 
-func TestUpdateIssueProject(t *testing.T) {
-	defer tests.PrepareTestEnv(t)()
-
-	sess := loginUser(t, "user2")
-
-	t.Run("AssignAndRemove", func(t *testing.T) {
-		req := NewRequestWithValues(t, "POST", "/user2/repo1/issues/projects?issue_ids=2", map[string]string{
-			"id": "1",
-		})
-		sess.MakeRequest(t, req, http.StatusOK)
-		unittest.AssertExistsAndLoadBean(t, &project_model.ProjectIssue{IssueID: 2, ProjectID: 1})
-
-		req = NewRequestWithValues(t, "POST", "/user2/repo1/issues/projects?issue_ids=2", map[string]string{
-			"id": "",
-		})
-		sess.MakeRequest(t, req, http.StatusOK)
-		unittest.AssertNotExistsBean(t, &project_model.ProjectIssue{IssueID: 2, ProjectID: 1})
-	})
-}
-
 func TestUpdateIssueProjectColumn(t *testing.T) {
 	defer tests.PrepareTestEnv(t)()
 
@@ -158,7 +139,7 @@ func TestUpdateIssueProjectColumn(t *testing.T) {
 			Title:     "other column",
 			ProjectID: project2.ID,
 		}))
-		columns, err := project2.GetColumns(t.Context())
+		columns, err := project_model.GetProjectColumns(t.Context(), project2.ID, db.ListOptionsAll)
 		require.NoError(t, err)
 		require.NotEmpty(t, columns)
 
@@ -180,13 +161,13 @@ func TestIssueSidebarProjectColumn(t *testing.T) {
 	resp := sess.MakeRequest(t, req, http.StatusOK)
 	htmlDoc := NewHTMLParser(t, resp.Body)
 
-	cards := htmlDoc.Find(".flex-relaxed-list > .item.sidebar-project-card")
+	cards := htmlDoc.Find(".sidebar-project-card")
 	assert.Equal(t, 1, cards.Length())
 
-	title := cards.Find("a span.gt-ellipsis")
+	title := cards.Find(".sidebar-project-card a.suppressed .gt-ellipsis")
 	assert.Contains(t, strings.TrimSpace(title.Text()), "First project")
 
-	columnCombo := cards.Find(".issue-sidebar-combo.sidebar-project-column-combo")
+	columnCombo := cards.Find(".sidebar-project-column-combo")
 	assert.Equal(t, 1, columnCombo.Length())
 
 	defaultItem := columnCombo.Find(`.menu .item[data-value="1"]`)
@@ -201,14 +182,16 @@ func TestIssueSidebarProjectColumn(t *testing.T) {
 	assert.True(t, exists)
 	assert.Equal(t, "3", comboVal)
 
-	req = NewRequestWithValues(t, "POST", "/user2/repo1/issues/projects?issue_ids=5", map[string]string{"id": ""})
+	req = NewRequestWithValues(t, "POST", "/user2/repo1/issues/projects?issue_ids=5", map[string]string{
+		"id": "0",
+	})
 	sess.MakeRequest(t, req, http.StatusOK)
 
 	req = NewRequest(t, "GET", "/user2/repo1/issues/4")
 	resp = sess.MakeRequest(t, req, http.StatusOK)
 	htmlDoc = NewHTMLParser(t, resp.Body)
 
-	cards = htmlDoc.Find(".flex-relaxed-list > .item.sidebar-project-card")
+	cards = htmlDoc.Find(".sidebar-project-card")
 	assert.Equal(t, 0, cards.Length())
 }
 
@@ -311,6 +294,11 @@ func TestOrgProjectFilterByMilestone(t *testing.T) {
 	}
 	require.NoError(t, project_model.NewProject(t.Context(), &project))
 
+	// Get the default column
+	columns, err := project_model.GetProjectColumns(t.Context(), project.ID, db.ListOptionsAll)
+	require.NoError(t, err)
+	require.NotEmpty(t, columns)
+
 	// Add issues to the project
 	require.NoError(t, issues_model.IssueAssignOrRemoveProject(t.Context(), issue16, user1, []int64{project.ID}))
 	require.NoError(t, issues_model.IssueAssignOrRemoveProject(t.Context(), issue17, user1, []int64{project.ID}))