Fix 'visibleto' predicate for group

Issue:
When one uses a valid group name in 'visibleto' predicate no change
gets returned even if it should be from the access perspective.

Solution:
It boils down to the problem in ChangeIsVisibleToPredicate for
SingleGroupUser user - it is not an IdentifiedUser hence it gets
swapped for AnonymousUser and visibility check fails unless changes
in question are granted to Anonymous Users group. Fix it to let it
use the user it has in case it is SingleGroupUser or follow existing
user resolution (with fallback to anonymous) as it was before.

Bug: Issue 12606
Change-Id: Ieea8abf4b52d528d4cb2503270c7eff68476fc6c

java/com/google/gerrit/server/query/change/ChangeIsVisibleToPredicate.java

@@ -31,6 +31,7 @@ import com.google.gerrit.server.project.ProjectState;
 import com.google.gwtorm.server.OrmException;
 import com.google.inject.Provider;
 import java.io.IOException;
+import java.util.Optional;
 import org.eclipse.jgit.errors.RepositoryNotFoundException;
 
 public class ChangeIsVisibleToPredicate extends IsVisibleToPredicate<ChangeData> {
@@ -88,7 +89,10 @@ public class ChangeIsVisibleToPredicate extends IsVisibleToPredicate<ChangeData>
     PermissionBackend.WithUser withUser =
         user.isIdentifiedUser()
             ? permissionBackend.absentUser(user.getAccountId())
-            : permissionBackend.user(anonymousUserProvider.get());
+            : permissionBackend.user(
+                Optional.of(user)
+                    .filter(u -> u instanceof SingleGroupUser)
+                    .orElseGet(anonymousUserProvider::get));
     try {
       withUser.indexedChange(cd, notes).database(db).check(ChangePermission.READ);
     } catch (PermissionBackendException e) {