Activity Service Security

tgmweb
Champ in-the-making
If I secure a folder in Share, then upload a document (which triggers a custom activity to say a document has been uploaded), why does it appear in people's activity feed even though they don't have access to it?

Is there any way for me to fix this? Can't the activities service check permissions on a node before it adds the feed item into alf_activity_feed?

From what I can gather, the activities service
  • finds the pending activity in alf_activity_post,
  • finds all users in the site,
  • applies my feed template and then
  • creates a feed item for each site user.
Seems reasonable - but I only want it to create a feed item if the user has access to the node (also seems reasonable!).

Clearly it knows about the node, as I pass it the nodeRef when I create the activity, and it gets further properties for the node in my activities template. But then it creates a feed item for everyone in the site, regardless of whether they have viewPermissions on the node.

Does anyone have any idea of how I could fix this? It's becoming a serious problem - as although people can't view the document (they don't have permission), they can still see the name of the document (as it's in the feed) - which leads to potential security problems…

PLEASE HELP!
2 REPLIES

mikeh
Star Contributor
No fix or workaround that I know of (short of checking the permissions in the activities dashlet, which would be a part-way solution): please raise the issue in JIRA.

Thanks,
Mike

tgmweb
Champ in-the-making
Hi Mike,

Yep, that's what I'm doing at the moment - the problem is I don't know how many activities to retrieve if I have to filter them(!)

I'll post the issue in the JIRA.

Thanks for your help anyway.


Tom.
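
The dashlet-side filtering discussed in this thread raises the question of how many activities to retrieve; one approach is to keep fetching pages until enough readable entries have been collected, with a cap on total work. This is an added example, not part of the original thread and not Alfresco code: `fetchPage`, `canRead`, `visibleActivities` and the sample data are hypothetical stand-ins for the real feed query and permission check.

```javascript
// Added example: read-time permission filtering of an activity feed.
// fetchPage and canRead are hypothetical stand-ins, not Alfresco APIs.

// Constructed sample feed, newest first; the nodeRefs are made up.
const FEED = Array.from({ length: 12 }, (_, i) => ({
  id: i + 1,
  nodeRef: "workspace://SpacesStore/node-" + (i + 1),
  title: "doc-" + (i + 1) + ".pdf",
}));
// Constructed ACL: this user can read only every third node.
const READABLE = new Set(
  FEED.filter((e) => e.id % 3 === 0).map((e) => e.nodeRef)
);

// Stand-in for a paged read of the user's feed entries.
function fetchPage(skip, count) {
  return FEED.slice(skip, skip + count);
}

// Stand-in for a per-node read check; unknown nodes are treated as unreadable.
function canRead(nodeRef) {
  return READABLE.has(nodeRef);
}

// Collect up to `wanted` entries the user may see, fetching further pages
// as needed. maxFetched bounds the work when almost nothing is readable.
function visibleActivities(wanted, pageSize, maxFetched) {
  const visible = [];
  let skip = 0;
  while (visible.length < wanted && skip < maxFetched) {
    const page = fetchPage(skip, Math.min(pageSize, maxFetched - skip));
    if (page.length === 0) break; // feed exhausted
    for (const entry of page) {
      if (canRead(entry.nodeRef)) visible.push(entry);
      if (visible.length === wanted) break;
    }
    skip += page.length;
  }
  return { visible, fetched: skip };
}
```

Filtering at display time only hides entries in the dashlet; the document names are still stored in alf_activity_feed, which is why the reply above calls it a part-way solution.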