From 0770f7713c73921359dab568ecdd136492e5d7fb Mon Sep 17 00:00:00 2001
From: Seamus Lee
Date: Tue, 25 Apr 2017 10:39:22 +1000
Subject: [PATCH] CRM-20441 Check to see if user has permission on the activities before getting rest of information. If fails silently remove the activity from the list of ids
---
 CRM/Activity/BAO/Activity.php | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/CRM/Activity/BAO/Activity.php b/CRM/Activity/BAO/Activity.php
index df28122fb2..78cf7b1ed6 100644
--- a/CRM/Activity/BAO/Activity.php
+++ b/CRM/Activity/BAO/Activity.php
@@ -679,6 +679,16 @@ class CRM_Activity_BAO_Activity extends CRM_Activity_DAO_Activity {
 $activityIDs = explode(',', $activityIDs);
 }
+ // CRM-20441 Check if user has access to the activities
+ foreach ($activityIDs as $key => $activityId) {
+ try {
+ civicrm_api3('Activity', 'get', array('id' => $activityId, 'check_permissions' => 1));
+ }
+ catch (Exception $e) {
+ unset($activityIDs[$key]);
+ }
+ }
+
 // fetch all active activity types
 $activityTypes = CRM_Core_OptionGroup::values('activity_type');
-- 
2.25.1
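Review bot: The new loop drops an activity only when `civicrm_api3('Activity', 'get', ...)` throws, and the return value of the call is discarded. If `Activity.get` with `check_permissions` filters out records the user cannot see and returns an empty result instead of raising (the usual behaviour of API `get` actions; please confirm for this entity), an inaccessible ID stays in `$activityIDs` and the permission check has no effect. Keep the result and also test it inside the `try`, e.g. `$result = civicrm_api3('Activity', 'get', array('id' => $activityId, 'check_permissions' => 1));` followed by `if (empty($result['count'])) { unset($activityIDs[$key]); }`. The bare `catch (Exception $e)` does fail closed, but it hides unrelated API errors as well; a comment saying that this is intentional, or a log line, would help whoever has to work out why an activity went missing. The enclosing method starts and ends outside the hunk, so it is worth checking that the code after the loop handles `$activityIDs` becoming empty.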