New commit status API doesn't check permissions properly

[leytilera]

Description

Using the Gitea API it is currrently possible with the new commit status endpoint to add a commit status to a repository, even if you don't have write access to that repository. This function does not check, if the user has access to the repository.

Gitea Version

from 1.16.8 to 1.18.0+dev-90-gc8e0fd0bc

Can you reproduce the bug on the Gitea demo site?

Yes

[zeripath]

Thank you for reporting this, but in future please report issues like this directly to security@gitea.io .

NOTE: If your issue is a security concern, please send an email to security@gitea.io instead of opening a public issue.

By opening a public issue like this you've advertised this issue to everyone reading the bug tracker before we have had a chance to fix this or release a fixed version.

[6543]

@leytilera **PLEASE follow SECURITY.md next time

& thanks for reporting