
Fix Alert Todo bug by passing current_user instead of assignee

Allison Browne requested to merge todo-bug-fix into master

What does this MR do?

This fixes a bug in alert todo assignment that I identified with @oregand's help upon verification. The assignee is always marked as the todo author since we pass the wrong arg.

This also keeps alert titles from being exposed to users who do not have permission.

Changes:

  • Pass current_user, not assignee, to the ToDoService function.
  • For now, guard creation of todos for users who cannot read alerts. This is in case a user with permissions mistakenly assigns a user without permissions. (Follow-up issue to not allow a user without permissions to be assigned: #222672 (closed))
  • Add a check for a nil current_user so that we return a permission error rather than raising a Runtime Error.

Screenshots

[Screenshot: Screen_Shot_2020-06-16_at_10.30.01_AM]

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • [-] Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • [-] Security reports checked/validated by a reviewer from the AppSec team
Edited by Peter Leitzen
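As an added illustration (not GitLab's code; the class, method and field names below are hypothetical), a minimal Ruby model of the three changes listed in this MR: the argument-order bug that records the assignee as the todo author, the guard that skips todo creation for users who cannot read alerts, and the nil current_user check that returns a permission error instead of raising:

```ruby
# Hypothetical stand-ins for the real models; constructed for this example only.
Todo = Struct.new(:author, :user, :target, keyword_init: true)
User = Struct.new(:name, :can_read_alerts, keyword_init: true)

class TodoService
  # Same call shape as an "assignment todo" helper: the first argument is
  # recorded as the todo's author, the second user receives the todo.
  def assign_todo(author, assignee, target)
    Todo.new(author: author, user: assignee, target: target)
  end
end

class AlertTodoAssigner
  def initialize(current_user, alert)
    @current_user = current_user
    @alert = alert
  end

  # The bug: the assignee is passed in the author position, so every todo
  # shows the assignee as the person who assigned it.
  def assign_buggy(assignee)
    TodoService.new.assign_todo(assignee, assignee, @alert)
  end

  # The fix, returning a result hash in place of a service response object.
  def assign_fixed(assignee)
    # A nil current_user becomes a permission error, not a runtime exception.
    return { status: :error, message: 'permission denied' } if @current_user.nil?

    # Guard: no todo (which would carry the alert title) for a user who
    # cannot read alerts, even if a permitted user assigned them by mistake.
    unless assignee.can_read_alerts
      return { status: :error, message: 'assignee cannot read alerts' }
    end

    todo = TodoService.new.assign_todo(@current_user, assignee, @alert)
    { status: :success, todo: todo }
  end
end
```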
