The activity api is doing a per-row permission check. We should refactor to be a tonne cleverer following on from
I think the first step is to remove VIEW calls to here:
Then only the api will be using that for view-based checking & we can clean up the way it checks related tables, possibly separating view from edit.
We should also look at the retrieve function on the activity BAO with a view to removal & using the api for similar reasons