Details of blocking merge request can be exposed via list and get merge request dependencies API endpoints

Background

It was discovered in #364160 (comment 2121282707) that there's a vulnerability in the list and get API endpoints for merge request dependencies.

How to reproduce

  1. Create a private project with a MR (private-mr).
  2. Create a public project with a MR (public-mr).
  3. Add private-mr as dependency of public-mr.
  4. View the blocks of public-mr via the list or get API, even as a non-signed-in user (e.g. http://gdk.test:3000/api/v4/projects/1/merge_requests/1/blocks or http://gdk.test:3000/api/v4/projects/1/merge_requests/1/blocks/1).
  5. You'll be able to see the details of private-mr as blocking_merge_request.

Expected Behavior

The details of private-mr shouldn't be exposed.

Proposed fix

Exclude from the response any blocks whose blocking_merge_request the current_user cannot read.

OR

  1. Still return the API::Entities::MergeRequestDependency entity but blocking_merge_request should be nil if current_user can't read it.
  2. Add a hidden_blocking_merge_request attribute to API::Entities::MergeRequestDependency; it should be true or false depending on whether current_user can read the blocking merge request.
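
As an added illustration of both proposed fixes (not GitLab's own code), the sketch below uses constructed structs, a stand-in `can_read_merge_request?` in place of GitLab's Ability check, and sample data mirroring the reproduction steps:

```ruby
# Added illustration of the two proposed fixes (not GitLab's code). The
# structs, the `can_read_merge_request?` stand-in for GitLab's Ability
# check, and the sample data below are all constructed for this example.
MergeRequest = Struct.new(:id, :iid, :title, :project_id, :project_visibility)
Block = Struct.new(:id, :blocked_merge_request, :blocking_merge_request)

# Stand-in authorization check: an MR is readable when its project is
# public, or when the (signed-in) user is a member of that project.
def can_read_merge_request?(current_user, mr)
  return true if mr.project_visibility == :public
  return false if current_user.nil? # anonymous API caller
  current_user[:member_of_projects].include?(mr.project_id)
end

def mr_attributes(mr)
  { id: mr.id, iid: mr.iid, title: mr.title, project_id: mr.project_id }
end

# Fix option 1: drop every block whose blocking MR the caller cannot read.
def visible_blocks(blocks, current_user)
  blocks.select { |b| can_read_merge_request?(current_user, b.blocking_merge_request) }
end

# Fix option 2: keep the dependency entity, but null out the blocking MR
# and flag it as hidden when the caller cannot read it.
def dependency_entity(block, current_user)
  readable = can_read_merge_request?(current_user, block.blocking_merge_request)
  {
    id: block.id,
    blocked_merge_request: mr_attributes(block.blocked_merge_request),
    blocking_merge_request: readable ? mr_attributes(block.blocking_merge_request) : nil,
    hidden_blocking_merge_request: !readable
  }
end

# Constructed sample data mirroring the reproduction steps: a public MR
# (project 1) depends on an MR in a private project (project 2).
PUBLIC_MR  = MergeRequest.new(1, 1, 'public-mr', 1, :public)
PRIVATE_MR = MergeRequest.new(2, 1, 'private-mr', 2, :private)
SAMPLE_BLOCKS = [Block.new(1, PUBLIC_MR, PRIVATE_MR)]
ANONYMOUS = nil
PRIVATE_MEMBER = { member_of_projects: [2] }

if __FILE__ == $PROGRAM_NAME
  puts "anonymous sees #{visible_blocks(SAMPLE_BLOCKS, ANONYMOUS).size} block(s)"
  puts dependency_entity(SAMPLE_BLOCKS.first, ANONYMOUS).inspect
end
```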