Merge branch 'security-fix-pat-web-access-11-5' into 'security-11-5'
[11.5] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2655
[11.5] Resolve "Personal access token with only `read_user` scope can be used to authenticate any web request" See merge request gitlab/gitlabhq!2655