feat(api): Add assignees APIs (#37330)

Follow
https://docs.github.com/en/enterprise-server@3.20/rest/issues/assignees?apiVersion=2022-11-28

Fix #33576 

And it also fixed some possible dead-lock problem.

---------

Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: Zettat123 <zettat123@gmail.com>

routers/api/v1/api.go

@@ -1226,6 +1226,7 @@ func Routes() *web.Router {
 					})
 				}, reqToken())
 				m.Get("/assignees", reqToken(), reqAnyRepoReader(), repo.GetAssignees)
+				m.Get("/assignees/{assignee}", reqToken(), reqAnyRepoReader(), repo.CheckRepoIssueAssignee)
 				m.Get("/reviewers", reqToken(), reqAnyRepoReader(), repo.GetReviewers)
 				m.Group("/teams", func() {
 					m.Get("", reqAnyRepoReader(), repo.ListTeams)
@@ -1517,6 +1518,10 @@ func Routes() *web.Router {
 						m.Combo("").Get(repo.GetIssue).
 							Patch(reqToken(), bind(api.EditIssueOption{}), repo.EditIssue).
 							Delete(reqToken(), reqAdmin(), context.ReferencesGitRepo(), repo.DeleteIssue)
+						m.Combo("/assignees").
+							Post(reqToken(), mustNotBeArchived, bind(api.IssueAssigneesOption{}), repo.AddIssueAssignees).
+							Delete(reqToken(), mustNotBeArchived, bind(api.IssueAssigneesOption{}), repo.DeleteIssueAssignees)
+						m.Get("/assignees/{assignee}", repo.CheckIssueAssignee)
 						m.Group("/comments", func() {
 							m.Combo("").Get(repo.ListIssueComments).
 								Post(reqToken(), mustNotBeArchived, bind(api.CreateIssueCommentOption{}), repo.CreateIssueComment)

routers/api/v1/repo/collaborators.go

@@ -367,5 +367,42 @@ func GetAssignees(ctx *context.APIContext) {
 		ctx.APIErrorInternal(err)
 		return
 	}
+
 	ctx.JSON(http.StatusOK, convert.ToUsers(ctx, ctx.Doer, assignees))
 }
+
+// CheckRepoIssueAssignee check if a user can be assigned to issues in a repository
+func CheckRepoIssueAssignee(ctx *context.APIContext) {
+	// swagger:operation GET /repos/{owner}/{repo}/assignees/{assignee} repository repoCheckAssignee
+	// ---
+	// summary: Check if a user can be assigned to issues in a repository
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: owner
+	//   in: path
+	//   description: owner of the repo
+	//   type: string
+	//   required: true
+	// - name: repo
+	//   in: path
+	//   description: name of the repo
+	//   type: string
+	//   required: true
+	// - name: assignee
+	//   in: path
+	//   description: username of the user to check for being an assignee
+	//   type: string
+	//   required: true
+	// responses:
+	//   "204":
+	//     "$ref": "#/responses/empty"
+	//   "400":
+	//     "$ref": "#/responses/error"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+
+	if checkAssignableUser(ctx, ctx.PathParam("assignee"), ctx.Repo.Repository) {
+		ctx.Status(http.StatusNoContent)
+	}
+}

routers/api/v1/repo/issue.go

@@ -670,7 +670,7 @@ func CreateIssue(ctx *context.APIContext) {
 				return
 			}
 
-			valid, err := access_model.CanBeAssigned(ctx, assignee, ctx.Repo.Repository, false)
+			valid, err := access_model.CanBeAssigned(ctx, assignee, ctx.Repo.Repository)
 			if err != nil {
 				ctx.APIErrorInternal(err)
 				return

routers/api/v1/repo/issue_assignee.go

@@ -0,0 +1,238 @@
+// Copyright 2026 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package repo
+
+import (
+	"net/http"
+
+	issues_model "gitea.dev/models/issues"
+	access_model "gitea.dev/models/perm/access"
+	repo_model "gitea.dev/models/repo"
+	user_model "gitea.dev/models/user"
+	api "gitea.dev/modules/structs"
+	"gitea.dev/modules/web"
+	"gitea.dev/services/context"
+	"gitea.dev/services/convert"
+	issue_service "gitea.dev/services/issue"
+)
+
+// AddIssueAssignees add assignees to an issue
+func AddIssueAssignees(ctx *context.APIContext) {
+	// swagger:operation POST /repos/{owner}/{repo}/issues/{index}/assignees issue issueAddAssignees
+	// ---
+	// summary: Add assignees to an issue
+	// consumes:
+	// - application/json
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: owner
+	//   in: path
+	//   description: owner of the repo
+	//   type: string
+	//   required: true
+	// - name: repo
+	//   in: path
+	//   description: name of the repo
+	//   type: string
+	//   required: true
+	// - name: index
+	//   in: path
+	//   description: index of the issue
+	//   type: integer
+	//   format: int64
+	//   required: true
+	// - name: body
+	//   in: body
+	//   required: true
+	//   schema:
+	//     "$ref": "#/definitions/IssueAssigneesOption"
+	// responses:
+	//   "201":
+	//     "$ref": "#/responses/Issue"
+	//   "400":
+	//     "$ref": "#/responses/error"
+	//   "403":
+	//     "$ref": "#/responses/forbidden"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+	//   "422":
+	//     "$ref": "#/responses/validationError"
+
+	opts := web.GetForm(ctx).(*api.IssueAssigneesOption)
+	updateIssueAssignees(ctx, *opts, true)
+}
+
+// DeleteIssueAssignees remove assignees from an issue
+func DeleteIssueAssignees(ctx *context.APIContext) {
+	// swagger:operation DELETE /repos/{owner}/{repo}/issues/{index}/assignees issue issueRemoveAssignees
+	// ---
+	// summary: Remove assignees from an issue
+	// consumes:
+	// - application/json
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: owner
+	//   in: path
+	//   description: owner of the repo
+	//   type: string
+	//   required: true
+	// - name: repo
+	//   in: path
+	//   description: name of the repo
+	//   type: string
+	//   required: true
+	// - name: index
+	//   in: path
+	//   description: index of the issue
+	//   type: integer
+	//   format: int64
+	//   required: true
+	// - name: body
+	//   in: body
+	//   required: true
+	//   schema:
+	//     "$ref": "#/definitions/IssueAssigneesOption"
+	// responses:
+	//   "200":
+	//     "$ref": "#/responses/Issue"
+	//   "403":
+	//     "$ref": "#/responses/forbidden"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+	//   "422":
+	//     "$ref": "#/responses/validationError"
+
+	opts := web.GetForm(ctx).(*api.IssueAssigneesOption)
+	updateIssueAssignees(ctx, *opts, false)
+}
+
+// CheckIssueAssignee check if a user can be assigned to an issue
+func CheckIssueAssignee(ctx *context.APIContext) {
+	// swagger:operation GET /repos/{owner}/{repo}/issues/{index}/assignees/{assignee} issue issueCheckAssignee
+	// ---
+	// summary: Check if a user can be assigned to an issue
+	// produces:
+	// - application/json
+	// parameters:
+	// - name: owner
+	//   in: path
+	//   description: owner of the repo
+	//   type: string
+	//   required: true
+	// - name: repo
+	//   in: path
+	//   description: name of the repo
+	//   type: string
+	//   required: true
+	// - name: index
+	//   in: path
+	//   description: index of the issue
+	//   type: integer
+	//   format: int64
+	//   required: true
+	// - name: assignee
+	//   in: path
+	//   description: username of the user to check for being an assignee
+	//   type: string
+	//   required: true
+	// responses:
+	//   "204":
+	//     "$ref": "#/responses/empty"
+	//   "400":
+	//     "$ref": "#/responses/error"
+	//   "404":
+	//     "$ref": "#/responses/notFound"
+
+	issue, err := issues_model.GetIssueByIndex(ctx, ctx.Repo.Repository.ID, ctx.PathParamInt64("index"))
+	if err != nil {
+		ctx.APIErrorAuto(err)
+		return
+	}
+
+	if !ctx.Repo.Permission.CanReadIssuesOrPulls(issue.IsPull) {
+		ctx.APIErrorNotFound()
+		return
+	}
+
+	if checkAssignableUser(ctx, ctx.PathParam("assignee"), ctx.Repo.Repository) {
+		ctx.Status(http.StatusNoContent)
+	}
+}
+
+// checkAssignableUser resolves assigneeName and verifies the user can be assigned to issues in repo.
+// Returns true only when the user resolves AND is assignable; the caller is responsible for writing the 204.
+// On any failure it writes the appropriate API response and returns false.
+func checkAssignableUser(ctx *context.APIContext, assigneeName string, repo *repo_model.Repository) bool {
+	assignee, err := user_model.GetUserByName(ctx, assigneeName)
+	if err != nil {
+		ctx.APIErrorAuto(err)
+		return false
+	}
+
+	canAssign, err := access_model.CanBeAssigned(ctx, assignee, repo)
+	if err != nil {
+		ctx.APIErrorAuto(err)
+		return false
+	}
+
+	if !canAssign {
+		ctx.APIErrorNotFound()
+		return false
+	}
+
+	return true
+}
+
+func updateIssueAssignees(ctx *context.APIContext, opts api.IssueAssigneesOption, isAdd bool) {
+	issue, err := issues_model.GetIssueByIndex(ctx, ctx.Repo.Repository.ID, ctx.PathParamInt64("index"))
+	if err != nil {
+		ctx.APIErrorAuto(err)
+		return
+	}
+
+	if !ctx.Repo.Permission.CanWriteIssuesOrPulls(issue.IsPull) {
+		ctx.Status(http.StatusForbidden)
+		return
+	}
+
+	if err := issue.LoadAttributes(ctx); err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+
+	assigneeIDs, err := user_model.GetUserIDsByNames(ctx, opts.Assignees, false)
+	if err != nil {
+		if user_model.IsErrUserNotExist(err) {
+			ctx.APIError(http.StatusUnprocessableEntity, err.Error())
+			return
+		}
+		ctx.APIErrorAuto(err)
+		return
+	}
+
+	if isAdd {
+		err = issue_service.AddAssignees(ctx, issue, ctx.Doer, assigneeIDs)
+	} else {
+		err = issue_service.RemoveAssignees(ctx, issue, ctx.Doer, assigneeIDs)
+	}
+
+	if err != nil {
+		ctx.APIErrorAuto(err)
+		return
+	}
+
+	issue, err = issues_model.GetIssueByID(ctx, issue.ID)
+	if err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+
+	status := http.StatusOK
+	if isAdd {
+		status = http.StatusCreated
+	}
+	ctx.JSON(status, convert.ToAPIIssue(ctx, ctx.Doer, issue))
+}

routers/api/v1/repo/pull.go

@@ -545,7 +545,7 @@ func CreatePullRequest(ctx *context.APIContext) {
 			return
 		}
 
-		valid, err := access_model.CanBeAssigned(ctx, assignee, repo, true)
+		valid, err := access_model.CanBeAssigned(ctx, assignee, repo)
 		if err != nil {
 			ctx.APIErrorInternal(err)
 			return

routers/api/v1/swagger/options.go

@@ -36,6 +36,8 @@ type swaggerParameterBodies struct {
 	EditIssueOption api.EditIssueOption
 	// in:body
 	EditDeadlineOption api.EditDeadlineOption
+	// in:body
+	IssueAssigneesOption api.IssueAssigneesOption
 
 	// in:body
 	CreateIssueCommentOption api.CreateIssueCommentOption

routers/web/repo/issue.go

@@ -458,7 +458,7 @@ func UpdateIssueAssignee(ctx *context.Context) {
 				return
 			}
 
-			valid, err := access_model.CanBeAssigned(ctx, assignee, issue.Repo, issue.IsPull)
+			valid, err := access_model.CanBeAssigned(ctx, assignee, issue.Repo)
 			if err != nil {
 				ctx.ServerError("canBeAssigned", err)
 				return