This reverts merge request !10845

- We upgraded `rugged` to 0.25.1.1 in !10286 for %9.1

- Prior to this upgrade, the default sort order for commits returned by
  `Gitlab::Git::Repository#find_commits` was `Rugged::SORT_DATE`, which the
  graph relied on.

- While upgrading `rugged`, the MR also changed this default to
  `Rugged::SORT_NONE`, which broke commit ordering in the graph.

- This commit adds an option to `Gitlab::Git::Repository#find_commits` to sort
  by date, and changes the graph builder `Network::Graph` so it explictly
  requests the `:date` sort order

Because the post-processing of the rendered README is dependent on the
context (i.e. the current user), do the post-processing when the
README is being displayed.

TodoService should not call `.select(&:id)` on todos, because this is
bad performance. So instead use sub-queries, which will result in a
single SQL query to the database.

https://docs.gitlab.com/ee/development/sql.html#plucking-ids

- Currently, (for example) admins can't delete snippets for blocked users, which
  is an unexpected limitation.

- We modify `authenticate!` to conduct the `access_api` policy check against the
  `initial_current_user`, instead of the user being impersonated.

- Update CHANGELOG for !10842

The problem is that we often go via a diff object constructed from the diffs
stored in the DB. Those diffs, by definition, don't overflow, so we don't have
access to the 'correct' `real_size` - that is stored on the MR diff object
iself.

Closes #31280

- To prevent an attacker from enumerating the `/users` API to get a list of all
  the admins.

- Display the `is_admin?` flag wherever we display the `private_token` - at the
  moment, there are two instances:

  - When an admin uses `sudo` to view the `/user` endpoint
  - When logging in using the `/session` endpoint

Instead of doing hacks like http://stackoverflow.com/a/26082612/974710