fix(activitylog): fix unauthorized activity get

Signed-off-by: jkoberg <jkoberg@owncloud.com>

changelog/unreleased/fix-acitivity-leak.md

@@ -0,0 +1,5 @@
+Bugfix: Fix Activities leak
+
+Fix activities endpoint by preventing unauthorized users to get activities
+
+https://github.com/owncloud/ocis/pull/10092

services/activitylog/pkg/service/http.go

@@ -53,6 +53,12 @@ func (s *ActivitylogService) HandleGetItemActivities(w http.ResponseWriter, r *h
 		return
 	}
 
+	gwc, err := s.gws.Next()
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
 	rid, limit, rawActivityAccepted, activityAccepted, sort, err := s.getFilters(r.URL.Query().Get("kql"))
 	if err != nil {
 		s.log.Info().Str("query", r.URL.Query().Get("kql")).Err(err).Msg("error getting filters")
@@ -61,6 +67,12 @@ func (s *ActivitylogService) HandleGetItemActivities(w http.ResponseWriter, r *h
 		return
 	}
 
+	_, err = utils.GetResourceByID(ctx, rid, gwc)
+	if err != nil {
+		w.WriteHeader(http.StatusForbidden)
+		return
+	}
+
 	raw, err := s.Activities(rid)
 	if err != nil {
 		s.log.Error().Err(err).Msg("error getting activities")