diff --git a/app/controllers/posts_controller.rb b/app/controllers/posts_controller.rb
index 0a39c58b7ea..0a4a1834be0 100644
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@@ -555,10 +555,24 @@ class PostsController < ApplicationController
   end
 
   def flagged_posts
-    deprecate('posts#flagged_posts is deprecated. Please use /review instead.', since: '2.8.0.beta4', drop_from: '2.9')
-    review_queue_url = path("/review?status=all&type=ReviewableFlaggedPost&username=#{params[:username]}")
+    Discourse.deprecate(
+      'PostsController#flagged_posts is deprecated. Please use /review instead.',
+      since: '2.8.0.beta4', drop_from: '2.9'
+    )
 
-    redirect_to review_queue_url, status: 301
+    params.permit(:offset, :limit)
+    guardian.ensure_can_see_flagged_posts!
+
+    user = fetch_user_from_params
+    offset = [params[:offset].to_i, 0].max
+    limit = [(params[:limit] || 60).to_i, 100].min
+
+    posts = user_posts(guardian, user.id, offset: offset, limit: limit)
+      .where(id: PostAction.where(post_action_type_id: PostActionType.notify_flag_type_ids)
+                                   .where(disagreed_at: nil)
+                                   .select(:post_id))
+
+    render_serialized(posts, AdminUserActionSerializer)
   end
 
   def deleted_posts
diff --git a/spec/requests/posts_controller_spec.rb b/spec/requests/posts_controller_spec.rb
index 41f33135dd9..ec5bf414631 100644
--- a/spec/requests/posts_controller_spec.rb
+++ b/spec/requests/posts_controller_spec.rb
@@ -1705,6 +1705,44 @@ describe PostsController do
     end
   end
 
+  describe '#flagged_posts' do
+    include_examples "action requires login", :get, "/posts/system/flagged.json"
+
+    describe "when logged in" do
+      it "raises an error if the user doesn't have permission to see the flagged posts" do
+        sign_in(user)
+        get "/posts/system/flagged.json"
+        expect(response).to be_forbidden
+      end
+
+      it "can see the flagged posts when authorized" do
+        sign_in(moderator)
+        get "/posts/system/flagged.json"
+        expect(response.status).to eq(200)
+      end
+
+      it "only shows agreed and deferred flags" do
+        post_agreed = create_post(user: user)
+        post_deferred = create_post(user: user)
+        post_disagreed = create_post(user: user)
+
+        r0 = PostActionCreator.spam(moderator, post_agreed).reviewable
+        r1 = PostActionCreator.off_topic(moderator, post_deferred).reviewable
+        r2 = PostActionCreator.inappropriate(moderator, post_disagreed).reviewable
+
+        r0.perform(admin, :agree_and_keep)
+        r1.perform(admin, :ignore)
+        r2.perform(admin, :disagree)
+
+        sign_in(Fabricate(:moderator))
+        get "/posts/#{user.username}/flagged.json"
+        expect(response.status).to eq(200)
+
+        expect(response.parsed_body.length).to eq(2)
+      end
+    end
+  end
+
   describe '#deleted_posts' do
     include_examples "action requires login", :get, "/posts/system/deleted.json"