In the REST API there are typically three types of requests: listing (e.g.
GET .../pulls) all the items, and
POST on each individual item.
pull-requests permission, I did an experiment where I set
pull-requests: none and I was still able to list the pull requests by accessing
.../pulls. Is this intentional? Is there any permission that controls access to this?
I noticed in the API documentation that the documentation is explicit about that POST requires write access, but it doesn’t say anything about permissions for listing pull requests or GETting a single pull request.