Project name leak on todos page
Summary
On the todos page, you can pass in any project ID and see that project's name.
Steps to reproduce
Go to https://gitlab.com/dashboard/todos?project_id=12345. This shows a private project, which I don't have access to, as the title of the dropdown.
What is the current bug behavior?
Any project ID is accepted and used to get the title of the dropdown, without access checks.
What is the expected correct behavior?
If you pass the ID of a project you can't see, it should behave the same as passing the ID of a deleted project.
project_dropdown_label
is the offending helper, added in 8.12: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/6072
This behaves like user_dropdown_label
above it, but note that users are OK, because any user can see any other user's name - that's not private information in GitLab terms.