[API] Edit PR has wrong permission model

[noerw]

• Gitea version (or commit ref): 1.14.0+dev-374-g287b59480

Description

Users may want to close their pull request via API.
To do so, currently only PATCH /repos/{owner}/{repo}/pulls/{index} is available.
This API is enabled only for repo owners, meaning a PR author gets 403 Forbidden, even if they only update the state field.

Either make the permission check more granular, or add a separate API to open/close PRs.

I believe the same applies for Issues (PATCH /repos/{owner}/{repo}/issues/{index}), but I didn't verify
This problem does not apply to the matchin issues endpoint

[CirnoT]

This API is enabled only for repo owners

Are you sure it's limited to owners? Renovate Bot has no issues closing PRs for me but it is added as collaborator with Write access.

Either make the permission check more granular, or add a separate API to open/close PRs.

Definitely should fix it on existing API endpoint

[noerw]

@CirnoT No not sure, it could very well be the read/write permission boundary