return 403 when trying drafts of another user

app/controllers/drafts_controller.rb

@@ -16,8 +16,6 @@ class DraftsController < ApplicationController
       limit: params[:limit]
     }
 
-    help_key = "user_activity.no_drafts"
-
     if user == current_user
       stream = Draft.stream(opts)
       stream.each do |d|
@@ -31,15 +29,13 @@ class DraftsController < ApplicationController
           end
         end
       end
-
-      help_key += ".self"
     else
-      help_key += ".others"
+      raise Discourse::InvalidAccess
     end
 
     render json: {
       drafts: stream ? serialize_data(stream, DraftSerializer) : [],
-      no_results_help: I18n.t(help_key)
+      no_results_help: I18n.t("user_activity.no_drafts.self")
     }
 
   end

config/locales/server.en.yml

@@ -796,7 +796,6 @@ en:
       others: "No replies."
     no_drafts:
       self: "You have no drafts; begin composing a reply in any topic and it will be auto-saved as a new draft."
-      others: "You do not have permission to see drafts for this user."
 
   topic_flag_types:
     spam:

spec/requests/drafts_controller_spec.rb

@@ -1,4 +1,5 @@
 require 'rails_helper'
+require 'pp'
 
 describe DraftsController do
   it 'requires you to be logged in' do
@@ -28,11 +29,8 @@ describe DraftsController do
   it 'does not let a user see drafts stream of another user' do
     user_b = Fabricate(:user)
     Draft.set(user_b, 'xxx', 0, '{}')
-
     sign_in(Fabricate(:user))
     get "/drafts.json", params: { username: user_b.username }
-    expect(response.status).to eq(200)
+    expect(response.status).to eq(403)
-    parsed = JSON.parse(response.body)
-    expect(parsed["drafts"].length).to eq(0)
   end
 end