Affects Version/s: 6.1.1 CE GA2, 6.1.10 EE GA1, 6.2.0 CE M2
Fix Version/s: None
Environment: Tomcat 7.0 + MySQL 5. 6.1.x GIT ID: 6d6b8814da7c7295ed4cab8420e070793361f856.
Tomcat 7.0 + MySQL 5. 6.2.x GIT ID: 71ce8e940ae12bae24e2a5e14cf3f836bb291915.
This problem occurs when the user has permission to view the content related to the activity but does not have permission to access the "container" of that content. For example, if the user has permission to view a wiki page, he will see activities related to it even if he doesn't have permission to view the node. The solution is for the permission system to check the view permission of the "container" dynamically.
How to reproduce :
1. Create 2 (regular) roles : "Big" and "Little"
2. Create one user ("BigUser") with "Big" role and another ("LittleUser") with "Little" role
3. Create a regular Organization named "Org" and add "BigUser" and "LittleUser" as members
4. Create a "Wiki" page in "Org" with "view" permission only for "Big" role
5. Create an "Activities" page in "Org" with "view" permission for "Organization Members" role
6. Add a "wiki" portlet to "Wiki" page and a "Members' Activities" portlet on "Activities"
7. Add a wiki page with default permissions ("Viewable by Organization Members")
===> A new line appears on "Activities"
8. Connect with "LittleUser" and go to "Activities"
===> On the activity page you can see the activity (this is because the permissions checked are the node and page permissions, and LittleUser has permission to view them).
9. Click on the link to the new wiki page
===> An error appears : you can't access the wiki page (this is because Little doesn't have permission to enter the activities page)
10. Connect back with your admin user
11. Change permissions to "Wiki" page so that "Little" role can view it
12. Change Organization's Wiki "Main" node permissions so that only "Big" role can view it
13. Connect with "LittleUser" and go to "Activities"
14. Click on the link to the new wiki page
===> An error appears : you can't access the wiki node
Note that I made this example for a wiki but it's also reproducible with other contents too (Calendar events, for example). I tried on an organization, but a Community can have the problem too.
The problem also occurs with users' private pages.
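
A minimal model of the check proposed in the description, run against the two situations from the reproduction steps. This is an added example, not part of the original report and not Liferay code: the class, function and constant names are hypothetical, and only the role names come from the steps above.

```python
from dataclasses import dataclass

MEMBER = "Organization Members"
BIG_USER = frozenset({"Big", MEMBER})        # roles held by "BigUser"
LITTLE_USER = frozenset({"Little", MEMBER})  # roles held by "LittleUser"
ACTIVITY = "BigUser added a wiki page"       # constructed activity text


@dataclass(frozen=True)
class Resource:
    name: str
    view_roles: frozenset      # roles granted "view" on this object
    containers: tuple = ()     # pages / nodes the object is reached through


def can_view(roles, res):
    """Entry-only check: is "view" granted on the object itself?"""
    return bool(roles & res.view_roles)


def can_reach(roles, res):
    """Container-aware check: "view" on the object and on every container."""
    return can_view(roles, res) and all(can_reach(roles, c) for c in res.containers)


def feed(roles, activities, check=can_reach):
    """Filter the activity list at read time, so later permission changes
    on a container apply to activities that were recorded earlier."""
    return [text for text, res in activities if check(roles, res)]


def scenario(page_roles, node_roles):
    """One activity for a wiki entry viewable by Organization Members,
    held by the "Wiki" page and the wiki "Main" node."""
    page = Resource('"Wiki" page', frozenset(page_roles))
    node = Resource('"Main" node', frozenset(node_roles))
    entry = Resource("new wiki page", frozenset({MEMBER}), (page, node))
    return [(ACTIVITY, entry)]


if __name__ == "__main__":
    cases = {
        "steps 4-9 (page restricted to Big)": scenario({"Big"}, {MEMBER}),
        "steps 11-14 (node restricted to Big)": scenario({"Big", "Little"}, {"Big"}),
    }
    for label, acts in cases.items():
        print(label)
        print("  entry-only check, LittleUser:", feed(LITTLE_USER, acts, can_view))
        print("  container check,  LittleUser:", feed(LITTLE_USER, acts))
        print("  container check,  BigUser:   ", feed(BIG_USER, acts))
```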