Use Gitlab::HTTP for all chat notifications

See merge request gitlab/gitlabhq!3544

Fix private comment Elasticsearch leak

See merge request gitlab/gitlabhq!3546

Escape namespace in label references

See merge request gitlab/gitlabhq!3550

Check permissions before showing a forked project's source

See merge request gitlab/gitlabhq!3555

Ensure attributes that end in `_ids` are cleaned

See merge request gitlab/gitlabhq!3558

This prevents an issue where you can steal other projects objects by
asking for ids that don't belong to you in import.

When referencing cross-namespace labels, we append the namespace name
to the rendered label.

This MR escapes the name to prevent XSS attacks.

Disabled features are ignored as they are grey areas

Some feature allows GUEST to access only if project is not private.
This method returns access level when targeting private projects.

Guest are blocked to certain feature when project is private,
therefore the scope would filter additionally with REPORTER level.

Remove impossible cases due to private project's features can only be
private or disabled.

Fix spec due to sidekiq indexing not triggered.

Update guest use cases: some features has additional constraint that
"Guest users are able to perform action on public/internal projects,
but not private ones."

[ci skip]

[ci skip]

[ci skip]

[ci skip]

Mask Sentry auth token

See merge request gitlab/gitlabhq!3504

Private/internal repository enumeration via bruteforce on a vulnerable URL

See merge request gitlab/gitlabhq!3491

Return 404 on LFS request if project doesn't exist

See merge request gitlab/gitlabhq!3506