SECURITY: Remove indication that a group exists if user can't see it.

SECURITY: Remove indication that a group exists if user can’t see it.

Minor security fix: we should not leak any hint that a group exists when the user does not have access to it.

diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index dedb393..ac6c813 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -629,7 +629,7 @@ class GroupsController < ApplicationController
   def find_group(param_name, ensure_can_see: true)
     name = params.require(param_name)
     group = Group.find_by("LOWER(name) = ?", name.downcase)
-    guardian.ensure_can_see!(group) if ensure_can_see
+    raise Discourse::NotFound if ensure_can_see && !guardian.can_see_group?(group)
     group
   end
 
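Review bot: The added guard in `find_group` leaves the missing-group case implicit: when `Group.find_by` returns nil, the 404 depends on `guardian.can_see_group?(nil)` returning false, which is not visible in this hunk. Since the point of the change is that a hidden group and a nonexistent name answer identically, I would spell that out with `raise Discourse::NotFound if ensure_can_see && (group.nil? || !guardian.can_see_group?(group))`. A one-line comment above it, such as `# 404 rather than 403 so a hidden group is indistinguishable from a missing one`, would keep a later refactor from restoring `ensure_can_see!`. With `ensure_can_see: false` the method can still return nil, so callers passing that flag need their own nil handling; those callers are outside the hunk.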
diff --git a/spec/requests/groups_controller_spec.rb b/spec/requests/groups_controller_spec.rb
index f1a2b2d..b122604 100644
--- a/spec/requests/groups_controller_spec.rb
+++ b/spec/requests/groups_controller_spec.rb
@@ -357,7 +357,7 @@ describe GroupsController do
 
       get "/groups/#{group.name}.json"
 
-      expect(response.status).to eq(403)
+      expect(response.status).to eq(404)
     end
 
     it "returns the right response" do
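Review bot: The updated expectations here and in the three hunks below (posts, members, permissions) pin only the 404 status, not the property the commit is after: that the response for a hidden group cannot be told apart from the response for a name that does not exist. I would add to each example a second request for a name with no group behind it, and assert that both the status and the body match the hidden-group response, e.g. `expect(response.body).to eq(hidden_group_body)` (variable name constructed for illustration). The `it` blocks these lines belong to start outside the hunks.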
@@ -430,7 +430,7 @@ describe GroupsController do
 
       get "/groups/#{group.name}/posts.json"
 
-      expect(response.status).to eq(403)
+      expect(response.status).to eq(404)
     end
 
     it "ensures the group members can be seen" do
@@ -473,7 +473,7 @@ describe GroupsController do
 
       get "/groups/#{group.name}/members.json"
 
-      expect(response.status).to eq(403)
+      expect(response.status).to eq(404)
     end
 
     it "ensures the group members can be seen" do
@@ -1888,7 +1888,7 @@ describe GroupsController do
 
       get "/groups/#{group.name}/permissions.json"
 
-      expect(response.status).to eq(403)
+      expect(response.status).to eq(404)
     end
 
     describe "with varying category permissions" do

GitHub sha: b0f22f25