Able to leak private email of any user given his/her username via graphql
Medium
Vulnerability Details
### Summary
The GraphQL `user` query returns a user's private email address to any caller who knows the username:
```graphql
query {
  user(username: "<victim>") {
    email
    username
  }
}
```
### Steps to reproduce
* Have an account whose email is set to private
* Query that account's private email through GraphQL from another session:
```graphql
query {
  user(username: "<victim>") {
    email
    username
  }
}
```
* Done
## Impact
Leaks the private email address of any user given only their username. An attacker could use this bug to harvest GitLab users' private emails en masse.
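To show the defect and its fix side by side, here is an added illustration that is not part of the report or of GitLab's code: an unchecked `email` field resolver beside one that enforces authorization, with a tiny plain-Ruby executor for the query shape above (no graphql gem needed). The `public_email` attribute, the sample users and the owner-or-admin rule are assumptions for the example.

```ruby
# Added example, not GitLab code. Models field-level authorization for a
# GraphQL `user` query without the graphql-ruby gem so it runs stand-alone.
# User shape, `public_email` and the admin rule are assumptions.

User = Struct.new(:username, :email, :public_email, :admin, keyword_init: true)

# Constructed sample data.
USERS = {
  "alice" => User.new(username: "alice", email: "alice@corp.example", public_email: nil, admin: false),
  "bob"   => User.new(username: "bob", email: "bob@corp.example", public_email: "bob@pub.example", admin: false),
  "root"  => User.new(username: "root", email: "root@corp.example", public_email: nil, admin: true),
}.freeze

# Vulnerable shape: the resolver hands the stored address to any viewer.
def resolve_email_unchecked(target, _viewer)
  target.email
end

# Hardened shape: the private address is visible only to its owner or an
# admin; everyone else gets the address the user chose to publish (or nil).
def resolve_email_authorized(target, viewer)
  return target.email if viewer && (viewer.username == target.username || viewer.admin)
  target.public_email
end

FIELD_RESOLVERS = {
  "username" => ->(target, _viewer) { target.username },
  "email"    => method(:resolve_email_authorized),
}.freeze

# Minimal executor for queries of the form
#   query { user(username: "x") { email username } }
QUERY_RE = /user\s*\(\s*username\s*:\s*"([^"]*)"\s*\)\s*\{([^}]*)\}/m

def execute(query, viewer: nil, resolvers: FIELD_RESOLVERS)
  m = QUERY_RE.match(query) or raise ArgumentError, "unsupported query"
  target = USERS[m[1]]
  return { "user" => nil } unless target

  data = m[2].split.each_with_object({}) do |field, h|
    resolver = resolvers.fetch(field) { raise ArgumentError, "unknown field #{field}" }
    h[field] = resolver.call(target, viewer)
  end
  { "user" => data }
end
```

Running the report's query anonymously against the hardened resolvers yields `email: nil` for a user with no public address, while the unchecked resolver returns the private one.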
## Report Stats
- Report ID: 972355
- State: Closed
- Substate: resolved
- Upvotes: 27