"/api/packages/{username}/nuget" will always return http.StatusOK no matter whether doer has permission

### Description

Related to https://github.com/go-gitea/gitea/pull/22705 CI result: https://drone.gitea.io/go-gitea/gitea/68876

It seems that `/api/packages/{ownername}/nuget` will always return `http.StatusOK` no matter whether doer has permission.
Is it by design?

If it is by design, I think it will be a security problem which is same as https://github.com/go-gitea/gitea/issues/23150.
If I give an unexisted username, it will return [Internal Server Error](https://try.gitea.io/api/packages/agfdsgs/nuget)
If I give an existed Private username, it will return [xml](https://try.gitea.io/api/packages/a/nuget)

### Gitea Version

latest

### Can you reproduce the bug on the Gitea demo site?

Yes

### Log Gist

_No response_

### Screenshots

_No response_

### Git Version

_No response_

### Operating System

_No response_

### How are you running Gitea?

build

### Database

None

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

"/api/packages/{username}/nuget" will always return http.StatusOK no matter whether doer has permission #23349

Description

Gitea Version

Can you reproduce the bug on the Gitea demo site?

Log Gist

Screenshots

Git Version

Operating System

How are you running Gitea?

Database

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

"/api/packages/{username}/nuget" will always return http.StatusOK no matter whether doer has permission #23349

Description

Description

Gitea Version

Can you reproduce the bug on the Gitea demo site?

Log Gist

Screenshots

Git Version

Operating System

How are you running Gitea?

Database

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions