Fix org team assignee/reviewer lookups for team member permissions

[pisarz77]

Fix team members missing from assignee list when team_unit.access_mode is 0 but the doer is owner.

Fix #34871

1. Use GetTeamUserIDsWithAccessToAnyRepoUnit for repo assignee list
2. Load assignee list for project issues directly
3. Use GetTeamUserIDsWithAccessToAnyRepoUnit for repo reviewer list

[wxiaoguang]

The proper fix should use GetUserIDsWithUnitAccess or GetTeamUserIDsWithAccessToAnyRepoUnit

[pisarz77]

Updated per review: dropped the migration entirely and refactored GetRepoAssignees to use organization.GetTeamUserIDsWithAccessToAnyRepoUnit, which also matches teams via team.authorize so Owner-team members come through even when team_unit.access_mode is stale.

Two calls preserve the previous condition (write to any unit + read on PullRequests). Existing TestRepoAssignees passes locally. Force-pushed to the branch.

[pisarz77]

Used GetTeamUserIDsWithAccessToAnyRepoUnit directly. GetUserIDsWithUnitAccess isn't reachable from models/repo without creating an import cycle (models/perm/access already imports models/repo), so the function is effectively re-implemented in place: read the access table once, then delegate the team-member lookup to the helper for both the "write on any repo unit" and "read on PullRequests" cases.

Happy to move GetRepoAssignees into models/perm/access (or another package that can import access) and collapse to two GetUserIDsWithUnitAccess calls instead if you'd prefer that shape — that touches ~12 callers across routers/ and models/. Let me know which direction you want.

[wxiaoguang]

Are you sure GetRepoAssignees is not right? It already calls GetTeamUserIDsWithAccessToAnyRepoUnit, the SQL already uses team.authorize

The SQL you showed Join("INNER", "team_unit", "`team_unit`.team_id = `team_user`.team_id"). doesn't belong to GetRepoAssignees either.

[pisarz77]

Good catch — the same raw team_user × team_unit JOIN existed in GetOrgAssignees (org-level assignee picker, e.g. org Kanban project boards) and services/pull.GetReviewers (PR reviewer picker). Extended the PR to cover all three call sites:

• GetRepoAssignees (per-repo) → GetTeamUserIDsWithAccessToAnyRepoUnit
• GetReviewers (per-repo, PR) → same helper
• GetOrgAssignees (org-wide) → new sibling helper GetTeamUserIDsWithAccessToAnyRepoUnitInOrg (same OR logic, no per-repo filter)

Also picked up a pre-existing guard in GetOrgAssignees that skipped the final user lookup when the direct-access list was empty but the team-based list wasn't.

TestRepoAssignees, TestRepoGetReviewers, TestRepoGetReviewerTeams all pass locally. No schema changes.

[wxiaoguang]

The changed GetOrgAssignees and newly added GetTeamUserIDsWithAccessToAnyRepoUnitInOrg actually is not right.

// GetOrgAssignees returns all users that have write access and can be assigned to issues
// of the any repository in the organization.
func GetOrgAssignees(ctx context.Context, orgID int64) (_ []*user_model.User, err error) {

What if user-a has no access to repo-1? Actually the design here is totally a mess and no clear fix:

• org-level project can contain any issue from any repo
• some users have access to repo-1 , but not repo-2, while some users can be on the contrary.

[wxiaoguang]

To make things simple, it can simpliy list all org members for the "project assignee list"

assigneeUsers, err := org_model.GetOrgAssignees(ctx, project.OwnerID) -> change it to list all members

[wxiaoguang]

OK, even simpler, since you already have all issues for all project columns, so you should already be able to know all assignees here.

[silverwind]

Some cleanups and a test in b7ccc56.