make almost everything on Ability private

app/models/ability.rb

 class Ability
   class << self
+    # Given a list of users and a project this method returns the users that can
+    # read the given project.
+    def users_that_can_read_project(users, project)
+      if project.public?
+        users
+      else
+        users.select do |user|
+          if user.admin?
+            true
+          elsif project.internal? && !user.external?
+            true
+          elsif project.owner == user
+            true
+          elsif project.team.members.include?(user)
+            true
+          else
+            false
+          end
+        end
+      end
+    end
+    # Returns an Array of Issues that can be read by the given user.
+    #
+    # issues - The issues to reduce down to those readable by the user.
+    # user - The User for which to check the issues
+    def issues_readable_by_user(issues, user = nil)
+      return issues if user && user.admin?
+
+      issues.select { |issue| issue.visible_to_user?(user) }
+    end
+
+    # TODO: make this private and use the actual abilities stuff for this
+    def can_edit_note?(user, note)
+      return false if !note.editable? || !user.present?
+      return true if note.author == user || user.admin?
+
+      if note.project
+        max_access_level = note.project.team.max_member_access(user.id)
+        max_access_level >= Gitlab::Access::MASTER
+      else
+        false
+      end
     end
     def allowed?(user, action, subject)
@@ -16,6 +58,8 @@ class Ability
       RequestStore[key] ||= Set.new(uncached_allowed(user, subject)).freeze
     end
+    private
+
     def uncached_allowed(user, subject)
       return anonymous_abilities(subject) if user.nil?
       return [] unless user.is_a?(User)
@@ -44,38 +88,6 @@ class Ability
       end.concat(global_abilities(user))
     end
-    # Given a list of users and a project this method returns the users that can
-    # read the given project.
-    def users_that_can_read_project(users, project)
-      if project.public?
-        users
-      else
-        users.select do |user|
-          if user.admin?
-            true
-          elsif project.internal? && !user.external?
-            true
-          elsif project.owner == user
-            true
-          elsif project.team.members.include?(user)
-            true
-          else
-            false
-          end
-        end
-      end
-    end
-
-    # Returns an Array of Issues that can be read by the given user.
-    #
-    # issues - The issues to reduce down to those readable by the user.
-    # user - The User for which to check the issues
-    def issues_readable_by_user(issues, user = nil)
-      return issues if user && user.admin?
-
-      issues.select { |issue| issue.visible_to_user?(user) }
-    end
-
     # List of possible abilities for anonymous user
     def anonymous_abilities(user, subject)
       if subject.is_a?(PersonalSnippet)
@@ -420,18 +432,6 @@ class Ability
       GroupProjectsFinder.new(group).execute(user).any?
     end
-    def can_edit_note?(user, note)
-      return false if !note.editable? || !user.present?
-      return true if note.author == user || user.admin?
-
-      if note.project
-        max_access_level = note.project.team.max_member_access(user.id)
-        max_access_level >= Gitlab::Access::MASTER
-      else
-        false
-      end
-    end
-
     def namespace_abilities(user, namespace)
       rules = []
@@ -597,8 +597,6 @@ class Ability
       self
     end
-    private
-
     def restricted_public_level?
       current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
     end