Merge 63db354aa2cd308e10205417d429dee8dcf85b5d into 3ab8ae5807775a81069005a5abbd20bacfa0a15f

modules/setting/restricted_user.go

@@ -0,0 +1,14 @@
+// Copyright 2025 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package setting
+
+var RestrictedUser = struct {
+	AllowEditDueDate bool
+}{}
+
+func loadRestrictedUserFrom(rootCfg ConfigProvider) {
+	sec := rootCfg.Section("restricted_user")
+
+	RestrictedUser.AllowEditDueDate = sec.Key("ALLOW_EDIT_DUE_DATE").MustBool(false)
+}

modules/setting/setting.go

@@ -203,6 +203,7 @@ func LoadSettings() {
 
 	loadDBSetting(CfgProvider)
 	loadServiceFrom(CfgProvider)
+	loadRestrictedUserFrom(CfgProvider)
 	loadOAuth2ClientFrom(CfgProvider)
 	loadCacheFrom(CfgProvider)
 	loadSessionFrom(CfgProvider)

routers/api/v1/repo/issue.go

@@ -845,6 +845,11 @@ func EditIssue(ctx *context.APIContext) {
 
 	// Update or remove the deadline, only if set and allowed
 	if (form.Deadline != nil || form.RemoveDeadline != nil) && canWrite {
+		if ctx.Doer.IsRestricted && !setting.RestrictedUser.AllowEditDueDate {
+			ctx.APIError(http.StatusForbidden, "restricted users cannot modify due dates")
+			return
+		}
+
 		var deadlineUnix timeutil.TimeStamp
 
 		if form.RemoveDeadline == nil || !*form.RemoveDeadline {

routers/web/repo/issue.go

@@ -24,6 +24,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/markup/markdown"
 	"code.gitea.io/gitea/modules/optional"
+	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/templates"
 	"code.gitea.io/gitea/modules/util"
@@ -397,6 +398,11 @@ func UpdateIssueDeadline(ctx *context.Context) {
 		return
 	}
 
+	if ctx.Doer.IsRestricted && !setting.RestrictedUser.AllowEditDueDate {
+		ctx.HTTPError(http.StatusForbidden, "", "restricted users cannot modify due dates")
+		return
+	}
+
 	deadlineUnix, _ := common.ParseDeadlineDateToEndOfDay(ctx.FormString("deadline"))
 	if err := issues_model.UpdateIssueDeadline(ctx, issue, deadlineUnix, ctx.Doer); err != nil {
 		ctx.HTTPError(http.StatusInternalServerError, "UpdateIssueDeadline", err.Error())

routers/web/repo/issue_view.go

@@ -411,6 +411,7 @@ func ViewIssue(ctx *context.Context) {
 	ctx.Data["SignInLink"] = setting.AppSubURL + "/user/login?redirect_to=" + url.QueryEscape(ctx.Data["Link"].(string))
 	ctx.Data["IsIssuePoster"] = ctx.IsSigned && issue.IsPoster(ctx.Doer.ID)
 	ctx.Data["HasIssuesOrPullsWritePermission"] = ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull)
+	ctx.Data["AllowEditDueDate"] = ctx.Repo.CanWriteIssuesOrPulls(issue.IsPull) && !(ctx.Doer.IsRestricted && !setting.RestrictedUser.AllowEditDueDate)
 	ctx.Data["HasProjectsWritePermission"] = ctx.Repo.CanWrite(unit.TypeProjects)
 	ctx.Data["IsRepoAdmin"] = ctx.IsSigned && (ctx.Repo.IsAdmin() || ctx.Doer.IsAdmin)
 	ctx.Data["LockReasons"] = setting.Repository.Issue.LockReasons

templates/repo/issue/sidebar/due_date.tmpl

@@ -7,7 +7,7 @@
 				{{svg "octicon-calendar"}} {{DateUtils.AbsoluteLong .Issue.DeadlineUnix}}
 			</div>
 			<div class="flex-text-block">
-				{{if and .HasIssuesOrPullsWritePermission (not .Repository.IsArchived)}}
+				{{if and .AllowEditDueDate (not .Repository.IsArchived)}}
 					<a class="issue-due-edit muted" data-tooltip-content="{{ctx.Locale.Tr "repo.issues.due_date_form_edit"}}">{{svg "octicon-pencil"}}</a>
 					<a class="issue-due-remove muted" data-tooltip-content="{{ctx.Locale.Tr "repo.issues.due_date_form_remove"}}">{{svg "octicon-trash"}}</a>
 				{{end}}
@@ -17,7 +17,7 @@
 		{{ctx.Locale.Tr "repo.issues.due_date_not_set"}}
 	{{end}}
 
-	{{if and .HasIssuesOrPullsWritePermission (not .Repository.IsArchived)}}
+	{{if and .AllowEditDueDate (not .Repository.IsArchived)}}
 		<form class="ui fluid action input issue-due-form form-fetch-action tw-mt-2 {{if .Issue.DeadlineUnix}}tw-hidden{{end}}"
 					method="post" action="{{AppSubUrl}}/{{PathEscape .Repository.Owner.Name}}/{{PathEscape .Repository.Name}}/issues/{{.Issue.Index}}/deadline"
 		>