diff --git a/app/controllers/topics_controller.rb b/app/controllers/topics_controller.rb
index ae1ecff512d..887796e4262 100644
--- a/app/controllers/topics_controller.rb
+++ b/app/controllers/topics_controller.rb
@@ -500,9 +500,10 @@ class TopicsController < ApplicationController
 def remove_allowed_user
 params.require(:username)
 topic = Topic.find_by(id: params[:topic_id])
- user = User.find_by(username: params[:username])
-
 raise Discourse::NotFound unless topic
+ user = User.find_by(username: params[:username])
+ raise Discourse::NotFound unless user
+
 guardian.ensure_can_remove_allowed_users!(topic, user)

 if topic.remove_allowed_user(current_user, user)
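Review bot: The new `raise Discourse::NotFound unless user` runs before `guardian.ensure_can_remove_allowed_users!(topic, user)`, so a requester with no rights on the topic can tell an existing username from a missing one if the guardian failure is reported differently from a 404 (not visible here); the same holds for the topic lookup above it. Since the guardian call needs both records, a topic-level permission check placed right after the topic lookup, e.g. `guardian.ensure_can_see!(topic)`, would keep the user lookup behind authorization. The lookup also reads `params[:username]` again instead of using the value `params.require(:username)` returned, and nothing constrains it to a string; `user = User.find_by(username: params[:username].to_s)` would rule out array or hash input. The method body continues past the end of the hunk, so the handling after `topic.remove_allowed_user` was not reviewed.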