fix

models/issues/issue_project.go

@@ -113,7 +113,7 @@ func IssueAssignOrRemoveProject(ctx context.Context, issue *Issue, doer *user_mo
 				}
 				newColumnID = newDefaultColumn.ID
 			}
-			if !newProject.CanBeAccessedByOwnerRepo(issue.Repo.OwnerID, issue.Repo.ID) {
+			if !newProject.CanBeAccessedByOwnerRepo(issue.Repo.OwnerID, issue.Repo) {
 				return util.NewPermissionDeniedErrorf("issue %d can't be accessed by project %d", issue.ID, newProject.ID)
 			}
 		}

models/project/project.go

@@ -161,9 +161,9 @@ func (p *Project) IsRepositoryProject() bool {
 	return p.Type == TypeRepository
 }
 
-func (p *Project) CanBeAccessedByOwnerRepo(ownerID, repoID int64) bool {
+func (p *Project) CanBeAccessedByOwnerRepo(ownerID int64, repo *repo_model.Repository) bool {
 	if p.Type == TypeRepository {
-		return p.RepoID == repoID // if a project belongs to a repository, then its OwnerID is 0 and can be ignored
+		return repo != nil && p.RepoID == repo.ID // if a project belongs to a repository, then its OwnerID is 0 and can be ignored
 	}
 	return p.OwnerID == ownerID && p.RepoID == 0
 }

routers/web/shared/project/column.go

@@ -16,12 +16,8 @@ func MoveColumns(ctx *context.Context) {
 		ctx.NotFoundOrServerError("GetProjectByID", project_model.IsErrProjectNotExist, err)
 		return
 	}
-	if project.OwnerID > 0 && project.OwnerID != ctx.ContextUser.ID {
-		ctx.NotFound("InvalidOwnerID", nil)
-		return
-	}
-	if project.RepoID > 0 && project.RepoID != ctx.Repo.Repository.ID {
-		ctx.NotFound("InvalidRepoID", nil)
+	if !project.CanBeAccessedByOwnerRepo(ctx.ContextUser.ID, ctx.Repo.Repository) {
+		ctx.NotFound("CanBeAccessedByOwnerRepo", nil)
 		return
 	}