Contributes to https://gitlab.com/gitlab-org/gitlab/-/issues/277376

**Problem**

We expose participants that current user cannot see, because we don't
provide the current user as an argument to participants method in
GraphQL. When user is missing, then we use author of the issuable
permissions to fetch participants.

**Solution**

* Add GraphQL resolver to participants field
* Return only visible participants for issues/MRs API
* Verify that participable object is readable by user
* Remove fallback to author when current user is not set