Private System Note Disclosure using GraphQL

### Summary When you use the REST API or UI to view an issue's discussion/notes, private system note is hidden to member's only. Such as moving an issue to a private project, making issue as duplicate of a confidential issue, someone mentioned this issue in a confidential issue. They are properly hidden in REST and UI, but you can still see them in graphql ### Steps to reproduce - Open a new private browser without an authenticated session - visit https://gitlab.com/-/graphql-explorer - paste this query and see the difference between UI https://gitlab.com/username16/ci-test/issues/1 <-- this is public project with public issue doing some private stuff and graphql response ``` query { project(fullPath:"username16/ci-test"){ issue(iid:"1"){ descriptionHtml notes{ edges{ node{ bodyHtml system author{ username } body } } } }} } ``` - You should notice it has moved to dynamic#1, which is not visible from UI - also you should be able to see it was marked as duplicate of #2, which is not visible from UI cause #2 is confidential - also you can see someone mentioned this issue in #2, which is not visible from UI cause #2 is confidentail ### Impact Disclosure of all system note of an issue/MR/designs that should be private ## Reproduced on gitlab.com ## Impact Disclosure of all system note of an issue/MR/designs that should be private