Jira Data Center / JRASERVER-45477

Activity Stream displaying log work when the visibility is restricted

Details

    Description

      Summary

      The Activity Stream displays restricted work logs to all users. This allows any user to see possibly sensitive information in those work logs that they should not otherwise be able to see.

      Raised as critical because of this. This was previously raised in STRM-2130, which indicates it's fixed in JIRA 6.0; however, it's still present in 6.4.11.

      Steps to Reproduce

      1. Create a new group.
      2. Create a new user.
      3. Assign that user to the group.
      4. Create a new project.
      5. Edit the project permissions to add the 'Work On Issues' permission to the group from step 1.
      6. Create an issue with the admin user.
      7. Log in as the user from step 2.
      8. Log work on the issue created (this was tested with group vs. project role; this can be enabled in Configuring JIRA Options).
      9. Access that issue with a user that does not have access to those worklogs. They won't be able to see them in the issue.
      10. Access the project activity stream.

      Expected Results

      The work log messages are not displayed in the Activity Stream, just as they are not displayed in the View Issue screen.

      Actual Results

      Restricted work logs are viewable in the Activity Stream. They are not visible on the dashboard; however, they are visible on project activity streams.

      Notes

      No known workaround at this time.
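
      A minimal model of the expected result above, as an added example that is not Jira's code: every view of a work log, including the activity stream, goes through the same visibility check as the View Issue screen, and a regression check reports any entry the stream shows that the issue view hides. All class, function and sample names are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Worklog:
    id: int
    author: str
    comment: str
    # Group or project role the entry is restricted to; None = unrestricted.
    restricted_to: Optional[str] = None

@dataclass(frozen=True)
class User:
    name: str
    memberships: frozenset = frozenset()  # groups and project roles

def can_view(user, worklog):
    """Single authorization decision shared by every view."""
    return worklog.restricted_to is None or worklog.restricted_to in user.memberships

def issue_view(user, worklogs):
    """View Issue screen: restricted entries are filtered out."""
    return [w for w in worklogs if can_view(user, w)]

def stream_unfiltered(user, worklogs):
    """Behaviour described in this report: the stream skips the check."""
    return list(worklogs)

def stream_filtered(user, worklogs):
    """Expected behaviour: the stream reuses can_view()."""
    return [w for w in worklogs if can_view(user, w)]

def leaked_ids(user, worklogs, stream):
    """Regression check: ids shown by `stream` but hidden in the issue view."""
    allowed = {w.id for w in issue_view(user, worklogs)}
    return sorted(w.id for w in stream(user, worklogs) if w.id not in allowed)

# Constructed sample data (hypothetical users, group and comments).
WORKLOGS = [
    Worklog(1, "alice", "Updated build script"),
    Worklog(2, "alice", "Customer escalation notes", restricted_to="support-team"),
]
MEMBER = User("alice", frozenset({"support-team"}))
OUTSIDER = User("bob")

if __name__ == "__main__":
    for name, stream in (("unfiltered", stream_unfiltered), ("filtered", stream_filtered)):
        for user in (MEMBER, OUTSIDER):
            print(name, user.name, "leaked:", leaked_ids(user, WORKLOGS, stream))
```

      Run against every user and project, a check of this shape should always return an empty list.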

            People

              Unassigned
              dcurrie@atlassian.com Dave C