SECURITY: missing security check prior to redirect

In some rare cases, if a user knows the exact title of a topic
they could possibly determine that it really exists in the system

app/controllers/topics_controller.rb

@@ -945,6 +945,8 @@ class TopicsController < ApplicationController
   end
 
   def redirect_to_correct_topic(topic, post_number = nil)
+    guardian.ensure_can_see!(topic)
+
     url = topic.relative_url
     url << "/#{post_number}" if post_number.to_i > 0
     url << ".json" if request.format.json?

spec/requests/topics_controller_spec.rb

@@ -1357,6 +1357,17 @@ RSpec.describe TopicsController do
       expect(response).to redirect_to(topic.relative_url)
     end
 
+    it 'will return a 403 if you try to redirect to a topic you have no access to' do
+      category = Fabricate(:category)
+      category.set_permissions(Group::AUTO_GROUPS[:staff] => :full)
+      category.save!
+
+      topic.update!(category_id: category.id)
+      get "/t/#{topic.slug}"
+
+      expect(response.status).to eq(403)
+    end
+
     it 'can find a topic when a slug has a number in front' do
       another_topic = Fabricate(:post).topic