From c945223a5e05e71b513e0d82cdd0fc8b497f9cd0 Mon Sep 17 00:00:00 2001
From: t-h-i-s <233791980+t-h-i-s@users.noreply.github.com>
Date: Thu, 25 Sep 2025 14:58:07 +0200
Subject: [PATCH] routers/web/repo.issue.go: prohibit set of due date for
 restricted users in web interface

---
 routers/web/repo/issue.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/routers/web/repo/issue.go b/routers/web/repo/issue.go
index 54b7e5df2a..374dfaf3a1 100644
--- a/routers/web/repo/issue.go
+++ b/routers/web/repo/issue.go
@@ -24,6 +24,7 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/markup/markdown"
 	"code.gitea.io/gitea/modules/optional"
+	"code.gitea.io/gitea/modules/setting"
 	api "code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/templates"
 	"code.gitea.io/gitea/modules/util"
@@ -397,6 +398,11 @@ func UpdateIssueDeadline(ctx *context.Context) {
 		return
 	}
 
+	if ctx.Doer.IsRestricted && !setting.RestrictedUser.AllowEditDueDate {
+		ctx.HTTPError(http.StatusForbidden, "", "restricted users cannot modify due dates")
+		return
+	}
+
 	deadlineUnix, _ := common.ParseDeadlineDateToEndOfDay(ctx.FormString("deadline"))
 	if err := issues_model.UpdateIssueDeadline(ctx, issue, deadlineUnix, ctx.Doer); err != nil {
 		ctx.HTTPError(http.StatusInternalServerError, "UpdateIssueDeadline", err.Error())