Rock
Attendance History does not honor Group Security
Prerequisites
- [x] Put an X between the brackets on this line if you have done all of the following:
- Did you perform a search at https://github.com/issues?q=is%3Aissue+user%3ASparkDevNetwork+-repo%3ARock to see if your bug or enhancement is already reported?
- Can you reproduce the problem on a fresh install or the demo site?
- Did you include your Rock version number and client culture setting?
Description
Similar to this issue, when viewing attendance history for a person, if they have attended a group that the current user is not authorized to view, they can still see attendance to that group. This is a sensitive issue for people who may be attending a recovery-type group.
Steps to Reproduce
- Go to demo site.
- Navigate to Alisha Marble's Group in the group viewer.
- Configure this group so that Rock Administrators are the only role that can view the group.
- Add attendance for this group and mark Jenny Michaels as attending any date.
- Log in as Ted Decker (may need to create a login for him).
- As Ted Decker, view the history tab on Jenny Michaels' profile.
Expected behavior:
Because Ted Decker is not in the Rock Administration role, he should not see Jenny's attendance to the Alisha Marble group.
Actual behavior:
Jenny's attendance is visible to Ted Decker.
Versions
- Rock Version: v13.6, v14.0
- Client Culture Setting: en-US
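
The expected behavior above, modeled as an added example that is not part of the original report and is not Rock's code: attendance rows are filtered by the viewer's right to view each row's group, failing closed when the group is missing. All types and the "empty role list means unrestricted" rule are hypothetical; the data is constructed to mirror the reproduction steps.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-ins for illustration; these are not Rock's model classes.
class User { public string Name; public HashSet<string> Roles = new HashSet<string>(); }
class Group
{
    public string Name;
    // Roles allowed to view the group; empty means unrestricted (assumption of this sketch).
    public HashSet<string> ViewRoles = new HashSet<string>();
    public bool CanView(User u) => ViewRoles.Count == 0 || ViewRoles.Overlaps(u.Roles);
}
class Attendance { public string Person; public Group Group; public DateTime Date; }

static class AttendanceHistory
{
    // Behavior described in the report: rows are selected by person only.
    public static List<Attendance> Unfiltered(IEnumerable<Attendance> all, string person) =>
        all.Where(a => a.Person == person).ToList();

    // Expected behavior: a row is returned only if the viewer may view its group.
    public static List<Attendance> ForViewer(IEnumerable<Attendance> all, string person, User viewer) =>
        all.Where(a => a.Person == person && a.Group != null && a.Group.CanView(viewer)).ToList();
}

static class Program
{
    static void Main()
    {
        // Constructed data mirroring the reproduction steps.
        var restricted = new Group { Name = "Alisha Marble's Group" };
        restricted.ViewRoles.Add("Rock Administrators");
        var open = new Group { Name = "Open Group (constructed)" };
        var ted = new User { Name = "Ted Decker" };
        var admin = new User { Name = "Admin (constructed)" };
        admin.Roles.Add("Rock Administrators");
        var rows = new List<Attendance>
        {
            new Attendance { Person = "Jenny Michaels", Group = restricted, Date = new DateTime(2022, 1, 2) },
            new Attendance { Person = "Jenny Michaels", Group = open, Date = new DateTime(2022, 1, 9) },
        };
        string Names(IEnumerable<Attendance> xs) => string.Join(", ", xs.Select(a => a.Group.Name));
        Console.WriteLine("Unfiltered:   " + Names(AttendanceHistory.Unfiltered(rows, "Jenny Michaels")));
        Console.WriteLine("Ted Decker:   " + Names(AttendanceHistory.ForViewer(rows, "Jenny Michaels", ted)));
        Console.WriteLine("Admin viewer: " + Names(AttendanceHistory.ForViewer(rows, "Jenny Michaels", admin)));
    }
}
```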