Fix user display name permission check

The current_user and user were swapped in the permission check
for the UsersHelper#user_display_name method, resulting in
authenticated users seeing an unconfirmed user's full name on
the profile page.

app/helpers/users_helper.rb

@@ -181,7 +181,7 @@ module UsersHelper
   def user_display_name(user)
     return s_('UserProfile|Blocked user') if user.blocked?
 
-    can_read_profile = can?(user, :read_user_profile, current_user)
+    can_read_profile = can?(current_user, :read_user_profile, user)
     return s_('UserProfile|Unconfirmed user') unless user.confirmed? || can_read_profile
 
     user.name

spec/features/users/show_spec.rb

@@ -126,6 +126,7 @@ RSpec.describe 'User page' do
   context 'with unconfirmed user' do
     let_it_be(:user) { create(:user, :unconfirmed) }
 
+    shared_examples 'unconfirmed user profile' do
       before do
         visit_profile
       end
@@ -149,6 +150,20 @@ RSpec.describe 'User page' do
       end
     end
 
+    context 'when visited by an authenticated user' do
+      before do
+        authenticated_user = create(:user)
+        sign_in(authenticated_user)
+      end
+
+      it_behaves_like 'unconfirmed user profile'
+    end
+
+    context 'when visited by an unauthenticated user' do
+      it_behaves_like 'unconfirmed user profile'
+    end
+  end
+
   it 'shows the status if there was one' do
     create(:user_status, user: user, message: "Working hard!")
 

spec/helpers/users_helper_spec.rb

@@ -330,7 +330,7 @@ RSpec.describe UsersHelper do
     end
 
     def stub_profile_permission_allowed(allowed, current_user = nil)
-      allow(helper).to receive(:can?).with(user, :read_user_profile, current_user).and_return(allowed)
+      allow(helper).to receive(:can?).with(current_user, :read_user_profile, user).and_return(allowed)
     end
   end
 end