@Cache-Money discovered that projects residing in organization-owned repositories did not correctly enforce authorization for users added as read-only collaborators. Read-only collaborators should not have write access to project boards, but they could still add issues to existing projects even though that action was explicitly disabled in the UI. We addressed this issue by adding an authorization check that ensures users only have write access to a project if they have write access to the corresponding repository.
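A minimal model of the fix described above, added here as an illustration and not GitHub's actual code: the class and method names, the permission levels and the sample collaborators are all assumptions. It contrasts a server-side action that relies on the UI hiding the control with one that derives project write access from repository write access.

```ruby
# Added illustration; every name below is hypothetical, not GitHub's code.
PERMISSION_RANK = { none: 0, read: 1, write: 2, admin: 3 }.freeze

class Forbidden < StandardError; end

Repository = Struct.new(:name, :collaborators) do
  # Permission level for a user; users not listed get :none.
  def permission_for(user)
    collaborators.fetch(user, :none)
  end
end

class Project
  attr_reader :repository, :issues

  def initialize(repository)
    @repository = repository
    @issues = []
  end

  # Models the behaviour before the fix (assumed shape): the UI disabled the
  # control, but the server accepted the request from any collaborator.
  def add_issue_unchecked(user, issue)
    raise Forbidden, "not a collaborator" if repository.permission_for(user) == :none
    @issues << issue
  end

  # The fix: project write access follows repository write access.
  def writable_by?(user)
    PERMISSION_RANK.fetch(repository.permission_for(user)) >= PERMISSION_RANK[:write]
  end

  # Every mutating action checks on the server, whatever the UI shows.
  def add_issue(user, issue)
    unless writable_by?(user)
      raise Forbidden, "#{user} lacks write access to #{repository.name}"
    end
    @issues << issue
  end
end

# Constructed sample data: one write collaborator, one read-only collaborator.
REPO = Repository.new("org/app", { "alice" => :write, "bob" => :read })
```

The same `writable_by?` predicate should gate every project mutation (add, move, remove), so the UI state and the server decision cannot drift apart.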