Description
https://docs.joinmastodon.org/methods/statuses/#favourited_by says that the OAuth user token for /api/v1/statuses/:id/favourited_by needs scope read:statuses for private statuses. In fact, a token with this scope blocks the access (HTTP status code 403), even for a public status. (But it is possible to retrieve favouriting accounts for a public status without a token.) If the token includes scope read:accounts, then the API call is successful. Also, in the source code (https://github.com/mastodon/mastodon/blob/main/app/controllers/api/v1/statuses/favourited_by_accounts_controller.rb#L4) it looks like scope read:accounts is required, but I don't really understand Ruby code.
The same seems to be true for /api/v1/statuses/:id/reblogged_by.
Or does the API documentation correctly describe the intended behavior and there is a bug in the implementation?
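
An added example, not part of the original report and not Mastodon's code: a probe that requests both endpoints anonymously and with each token, then flags where a token holding only the documented scope is rejected. The `StubInstance` transport, the token strings and the status id are constructed to mirror the behaviour reported above; replace the stub with a real HTTP client to check an instance.

```ruby
# Scope probe for the two endpoints named in this report.
# The transport is injectable; StubInstance is a constructed stand-in that
# answers the way the report describes, so the script runs offline.

ENDPOINTS = %w[favourited_by reblogged_by].freeze
DOCUMENTED_SCOPE = 'read:statuses' # scope named by the API documentation

# Constructed stand-in for an instance serving one public status.
class StubInstance
  def initialize(tokens)
    @tokens = tokens # token string => array of granted scopes
  end

  # Returns the HTTP status code for GET path with an optional bearer token.
  def get(path, bearer: nil)
    return 404 unless ENDPOINTS.any? { |e| path.end_with?("/#{e}") }
    return 200 if bearer.nil?   # anonymous read of a public status succeeds
    scopes = @tokens[bearer]
    return 401 if scopes.nil?   # unknown token (assumption, not from the report)
    scopes.include?('read:accounts') ? 200 : 403
  end
end

# Requests every endpoint without a token and with each labelled token.
# Returns { endpoint => { label => status_code } }.
def probe(transport, status_id, tokens_by_label)
  ENDPOINTS.to_h do |endpoint|
    path = "/api/v1/statuses/#{status_id}/#{endpoint}"
    results = { 'anonymous' => transport.get(path) }
    tokens_by_label.each { |label, tok| results[label] = transport.get(path, bearer: tok) }
    [endpoint, results]
  end
end

# Endpoints where the anonymous request succeeds but a token holding only
# the documented scope is rejected with 403.
def doc_mismatches(matrix)
  matrix.select { |_, r| r['anonymous'] == 200 && r[DOCUMENTED_SCOPE] == 403 }.keys
end

# Constructed tokens and status id.
TOKENS = { 'tok-statuses' => ['read:statuses'], 'tok-accounts' => ['read:accounts'] }.freeze
MATRIX = probe(StubInstance.new(TOKENS), '1',
               { 'read:statuses' => 'tok-statuses', 'read:accounts' => 'tok-accounts' })
puts MATRIX, doc_mismatches(MATRIX).inspect if $PROGRAM_NAME == __FILE__
```

A non-empty result from `doc_mismatches` means the documentation and the enforced scope disagree for those endpoints.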