
Activity Service Security

Question asked by tgmweb on Nov 17, 2009
Latest reply on Nov 17, 2009 by tgmweb
If I secure a folder in Share, then upload a document (which triggers a custom activity to say a document has been uploaded), why does it appear in people's activity feed even though they don't have access to it?

Is there any way for me to fix this? Can't the activities service check permissions on a node before it adds the feed item into alf_activity_feed?

From what I can gather, the activities service
  • finds the pending activity in alf_activity_post,
  • finds all users in the site,
  • applies my feed template and then
  • creates a feed item for each site user.
Seems reasonable - but I only want it to create a feed item if the user has access to the node (also seems reasonable!).

Clearly it knows about the node, as I pass it the nodeRef when I create the activity, and it gets further properties for the node in my activities template. But then it creates a feed item for everyone in the site, regardless of whether they have viewPermissions on the node.

Does anyone have any idea of how I could fix this? It's becoming a serious problem - as although people can't view the document (they don't have permission), they can still see the name of the document (as it's in the feed) - which leads to potential security problems…
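
The fan-out described in the question, with and without a per-recipient read check, as a simplified model. This is an added example, not Alfresco's code or the poster's; the ACL table, `can_read`, `fan_out`, `leaked_recipients` and all sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: node -> users allowed to read it (stand-in for the
# repository's permission check) and site -> members.
READ_ACL = {
    "workspace://SpacesStore/secured-doc": {"alice", "bob"},
    "workspace://SpacesStore/public-doc": {"alice", "bob", "carol", "dave"},
}
SITE_MEMBERS = {"finance": ["alice", "bob", "carol", "dave"]}


@dataclass(frozen=True)
class ActivityPost:
    site: str
    node_ref: str
    summary: str  # rendered template text; contains the document name


SECURED_POST = ActivityPost(
    "finance", "workspace://SpacesStore/secured-doc", "alice uploaded budget.xlsx"
)


def can_read(user, node_ref):
    """Hypothetical permission lookup. Unknown or deleted nodes fail closed."""
    return user in READ_ACL.get(node_ref, set())


def fan_out(post, check_access):
    """Return (feed_user, summary) pairs generated for one pending post."""
    items = []
    for user in SITE_MEMBERS.get(post.site, []):
        # The check is evaluated as the recipient, not as the poster or the
        # system user, because the feed item is what discloses the name.
        if check_access and not can_read(user, post.node_ref):
            continue
        items.append((user, post.summary))
    return items


def leaked_recipients(post):
    """Audit helper: members who get a feed item without read access."""
    return [user for user, _ in fan_out(post, check_access=False)
            if not can_read(user, post.node_ref)]
```

The check covers feed generation only: a feed item written while a user had access stays in the feed if access is later revoked, so the same check is needed when the feed is read.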