  1. CiviCRM
  2. CRM-20441

Fatal error on contact summary for ACL'd user (from activity tab count)

    Details

    • Versioning Impact:
      Patch (backwards-compatible bug fixes)
    • Documentation Required?:
      None
    • Funding Source:
      Contributed Code
    • Verified?:
      Yes

      Description

      When an ACL'd user tries to view the contact summary for a permitted contact who has activities, a fatal error occurs. Backtrace shows that the error occurs when generating the count for the Activities tab.

      Steps to replicate (in Drupal)

      1. Create role with just "access CiviCRM" permission.
      2. Create a user X with only the above role.
      3. Create Civi ACL group "ACL Test" and add contact X.
      4. Create Civi group "Visible contacts" and add a subset of contacts.
      5. Create Civi ACL role "ACL Test" and assign to group "ACL Test".
      6. Create ACL permitting "ACL Test" to view group "Visible contacts".
      7. Logged in as user X, do an unconstrained activity search.
      8. Click on the target contact for any of the retrieved activities.

      Expected Result

      See contact summary for target contact.

      Actual result

      A fatal error was triggered: One of parameters (value: ) is not of the type Integer.

      Also tested on stock 4.7.18, problem did not occur there.

      Backtrace

      #0 .../dmaster/sites/all/modules/civicrm/CRM/Core/Error.php(336): CRM_Core_Error::backtrace("backTrace", TRUE)
      #1 .../dmaster/sites/all/modules/civicrm/CRM/Utils/Type.php(476): CRM_Core_Error::fatal("One of parameters (value: ) is not of the type Integer")
      #2 .../dmaster/sites/all/modules/civicrm/CRM/Core/DAO.php(1377): CRM_Utils_Type::validate((Array:1), "Integer")
      #3 .../dmaster/sites/all/modules/civicrm/CRM/Core/DAO.php(1341): CRM_Core_DAO::composeQuery("SELECT id FROM civicrm_case_activity WHERE activity_id = %1", (Array:1), TRUE)
      #4 .../dmaster/sites/all/modules/civicrm/CRM/Case/BAO/Case.php(2826): CRM_Core_DAO::singleValueQuery("SELECT id FROM civicrm_case_activity WHERE activity_id = %1", (Array:1))
      #5 .../dmaster/sites/all/modules/civicrm/CRM/Activity/BAO/Activity.php(2121): CRM_Case_BAO_Case::isCaseActivity((Array:1))
      #6 .../dmaster/sites/all/modules/civicrm/api/v3/Activity.php(310): CRM_Activity_BAO_Activity::checkPermission((Array:1), 4)
      #7 .../dmaster/sites/all/modules/civicrm/Civi/API/Provider/MagicFunctionProvider.php(89): civicrm_api3_activity_get((Array:9))
      #8 .../dmaster/sites/all/modules/civicrm/Civi/API/Kernel.php(169): Civi\API\Provider\MagicFunctionProvider->invoke((Array:9))
      #9 .../dmaster/sites/all/modules/civicrm/Civi/API/Kernel.php(100): Civi\API\Kernel->runRequest((Array:7))
      #10 .../dmaster/sites/all/modules/civicrm/api/api.php(43): Civi\API\Kernel->runSafe("Activity", "Get", (Array:9))
      #11 .../dmaster/sites/all/modules/civicrm/CRM/Activity/BAO/Activity.php(776): civicrm_api3("Activity", "Get", (Array:8))
      #12 .../dmaster/sites/all/modules/civicrm/CRM/Contact/BAO/Contact.php(2619): CRM_Activity_BAO_Activity::getActivities((Array:4), TRUE)
      #13 .../dmaster/sites/all/modules/civicrm/CRM/Contact/Page/View/Summary.php(358): CRM_Contact_BAO_Contact::getCountComponent("activity", "101")
      #14 .../dmaster/sites/all/modules/civicrm/CRM/Contact/Page/View/Summary.php(93): CRM_Contact_Page_View_Summary->view()
      #15 .../dmaster/sites/all/modules/civicrm/CRM/Core/Invoke.php(310): CRM_Contact_Page_View_Summary->run((Array:3), NULL)
      #16 .../dmaster/sites/all/modules/civicrm/CRM/Core/Invoke.php(84): CRM_Core_Invoke::runItem((Array:14))
      #17 .../dmaster/sites/all/modules/civicrm/CRM/Core/Invoke.php(52): CRM_Core_Invoke::_invoke((Array:3))
      #18 .../dmaster/sites/all/modules/civicrm/drupal/civicrm.module(448): CRM_Core_Invoke::invoke((Array:3))
      #19 [internal function](): civicrm_invoke("contact", "view")
      #20 .../dmaster/includes/menu.inc(527): call_user_func_array("civicrm_invoke", (Array:2))
      #21 .../dmaster/index.php(21): menu_execute_active_handler()
      #22 {main}

      Discussed on Mattermost. Diagnosis there from Monish...

      ---8<---

      The issue occurred as Activity.get throws an error when in the API $params you have multiple activity IDs with the check_permission = TRUE parameter. Lemme explain how this is related to your issue cited in the backtrace:

      1. Due to recent improvements made under CRM-20207, the underlying Activity BAO function getActivities(), used to fetch activities, is using the Activity.get API instead of SQL here: https://github.com/civicrm/civicrm-core/blob/master/CRM/Activity/BAO/Activity.php#L776.
      2. So when the API uses multiple Activity IDs with check_permissions = TRUE here https://github.com/civicrm/civicrm-core/blob/master/CRM/Activity/BAO/Activity.php#L687, it eventually got tripped at https://github.com/civicrm/civicrm-core/blob/master/api/v3/Activity.php#L310. The issue which ya encountered.
      3. As CRM_Activity_BAO_Activity::checkPermission($params['id'], CRM_Core_Action::VIEW)) expects $params['id'] to be an integer Activity ID, not an array of activity IDs with an advanced filter, which in our case is Array('IN' => array(..Activity IDs.))

      In my opinion we need to handle CRM_Activity_BAO_Activity::checkPermission(...) for multiple activity IDs. @coleman, what's your thought?

      ---8<---
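
One way to handle both forms of the `id` parameter named in the diagnosis above, written as an added example: it is not CiviCRM code and not the fix applied for this issue. The function names and the per-ID callback are hypothetical, and the sample data is constructed.

```php
<?php
// Added illustration; every function name here is hypothetical, not CiviCRM API.

/**
 * Normalise an API 'id' value to a list of positive integers.
 * Accepts a scalar ID or the operator form ['IN' => [...]] and throws on
 * anything else, so a non-integer never reaches a typed query placeholder.
 */
function normaliseActivityIds($id): array {
  if (is_array($id)) {
    if (array_keys($id) !== ['IN'] || !is_array($id['IN'])) {
      throw new InvalidArgumentException('Unsupported id filter');
    }
    $candidates = $id['IN'];
  }
  else {
    $candidates = [$id];
  }
  $ids = [];
  foreach ($candidates as $candidate) {
    $int = filter_var($candidate, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if (is_bool($candidate) || $int === FALSE) {
      throw new InvalidArgumentException('Activity ID is not a positive integer');
    }
    $ids[] = $int;
  }
  return array_values(array_unique($ids));
}

/**
 * Run the single-ID permission check once per ID and keep only permitted IDs.
 * $checkOne stands in for a per-activity check that expects an integer.
 */
function filterViewableActivityIds($id, callable $checkOne): array {
  return array_values(array_filter(normaliseActivityIds($id), $checkOne));
}

// Constructed sample: the ACL'd user may view activities 11 and 12 only.
$viewable = [11 => TRUE, 12 => TRUE];
$checkOne = function (int $activityId) use ($viewable): bool {
  return isset($viewable[$activityId]);
};

var_dump(filterViewableActivityIds(11, $checkOne));
var_dump(filterViewableActivityIds(['IN' => [11, '12', 99]], $checkOne));
try {
  filterViewableActivityIds(['IN' => [11, '']], $checkOne);
}
catch (InvalidArgumentException $e) {
  echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

An empty result means the user may view none of the requested activities, so a caller counting rows for a tab shows zero instead of raising a fatal error.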

            People

            • Assignee:
              seamuslee Seamus Lee
              Reporter:
              davej Dave Jenkins