Issue#visible_to_user doesn't check issues_access_level
issues_access_level is set to
ProjectFeature::PRIVATE this leads to information disclosures in the issues API and search results. This is being fixed in those cases by replacing
IssuesFinder in https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2031/, but might still be a problem elsewhere.
Additionally this method only checks project access if already chained as
project.issues.visible_to_user and doesn't if used as
To fix this and avoid future problems @DouweM suggested moving this method to
IssuesFinder so it can't be used directly.