[API] /repos/{owner}/{repo}/issues/{id}/times only lists times of the user which is calling the API

[samurous]

• Gitea version (or commit ref): 1.12.3
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)

Description

If the user is not an Admin of the repo, the API call will return only times added by the user calling the API.
But when accessing the front-end, the user can view all tracked times.

Example

• https://try.gitea.io/api/v1/repos/joasdasd/yolo/issues/1/times?access_token=a3bb82cd59526110314e8500e13f4923bc260409
• https://try.gitea.io/api/v1/repos/joasdasd/yolo/issues/1/times?access_token=7810f2ab636ad8c0ac62c55bc6e370c67af941cc
  The same call with different results, the first token belongs to the owner, the second to a collaborator with write access.

[noerw]

This limitation exists for privacy reasons:
Listing times on the UI is one thing, making them publicily available via API and thus large scale scrapable (across repos with a single request) a whole different thing.

#14081 will lower the requirement to access other users' times to issue managers, so I hope that helps.

[samurous]

Hmm, I don't think an attacker would be stopped by adding a barrier of web scraping. But reducing the access requirement to issue managers does help indeed, thank you!