Enforce restrictions on issue visibility properly

app/controllers/issues_controller.rb

@@ -80,6 +80,8 @@ class IssuesController < ApplicationController
   private
 
   def find_issue
-    @issue = Issue.find(params[:id])
+    @issue = Issue.visible_to(current_user).find(params[:id])
+  rescue ActiveRecord::RecordNotFound
+    head :not_found
   end
 end