ESCALATED: available_custom_project_templates does not check the access level of the user

This is the 2nd vulnerability described at https://gitlab.com/gitlab-org/gitlab-ce/issues/67109

This is where the second vulnerability can be found. The ProjectsFinder uses an initial collection, which consists of the projects the authenticated user can access. However, it does not check the access level of the user. This means that any project that is public, but has Repository, Issue, Snippets (etc.) access disabled for Guests, will be returned by the available_custom_project_templates method on the User model. In a perfect world, it seems that this method would limit the projects that can be returned based on the user's permissions for said projects.