SECURITY: Remove indication that a group exists if user can't see it.

Minor security fix but we should not leak any hints that a group exists
even if a user does not have access to the group.

app/controllers/groups_controller.rb

@@ -629,7 +629,7 @@ class GroupsController < ApplicationController
   def find_group(param_name, ensure_can_see: true)
     name = params.require(param_name)
     group = Group.find_by("LOWER(name) = ?", name.downcase)
-    guardian.ensure_can_see!(group) if ensure_can_see
+    raise Discourse::NotFound if ensure_can_see && !guardian.can_see_group?(group)
     group
   end
 

spec/requests/groups_controller_spec.rb

@@ -357,7 +357,7 @@ describe GroupsController do
 
       get "/groups/#{group.name}.json"
 
-      expect(response.status).to eq(403)
+      expect(response.status).to eq(404)
     end
 
     it "returns the right response" do
@@ -430,7 +430,7 @@ describe GroupsController do
 
       get "/groups/#{group.name}/posts.json"
 
-      expect(response.status).to eq(403)
+      expect(response.status).to eq(404)
     end
 
     it "ensures the group members can be seen" do
@@ -473,7 +473,7 @@ describe GroupsController do
 
       get "/groups/#{group.name}/members.json"
 
-      expect(response.status).to eq(403)
+      expect(response.status).to eq(404)
     end
 
     it "ensures the group members can be seen" do
@@ -1888,7 +1888,7 @@ describe GroupsController do
 
       get "/groups/#{group.name}/permissions.json"
 
-      expect(response.status).to eq(403)
+      expect(response.status).to eq(404)
     end
 
     describe "with varying category permissions" do