Jomsocial privacy setup:
Profile Privacy: Members
Friends privacy: Self
Photos Privacy: Friends
Video Privacy: Friends
Group List: Members

Step 1: Create 3 users (user 1, user2 and user3)
Step 2: Login as User 1 and request a connection with user2
Step 3: Create a new album and upload some pictures.
Step 4: Logout
Step 5: Login as User3 and request a connection with user2
Step 6: Logout
Step 7: Login as User2 and accept both connection requests
Step 8: On the activity wall, User2 can see the User1 "Shared photos" activity. Click on the link to go view the album
Step 9: On the Album, make the following comment: User2 has made an album comment
Step 10: Logout
Step 11: Login as user 3 and view the activity stream
There will be an activity listed as per the attached picture. This will show user2 activity (User2 has made an album comment) PLUS the album details (picture, name and description of the Album.

The issue is not that user3 can view user2 comments, but rather that the Album (or photo) details are attached to the comment.
This way user 3 gets to see content that the owner (user1) did not give them access to view.

Hi Marc,

I see, this is different logical I think.. I already re-opened this issue.

thank you

Is there any update on this?

Hi Marc,

I am sorry, not yet.. we have plan to fix all bugs every friday so tomorrow our dev will fix this issue.

This week we are busy develop the version 3.3.

thank you

Still no updates?
Guys, this is a serious bug!!!

Hi Marc,

this is for fixing this, please you open this file components/com_community/templates/default/activities.photos.comment.php, add this code :

if($photo->permissions == 30 && !CFriendsHelper::isConnected($my->id,$photo->creator)){
	return false;
}

$photo_size = $photo_info['size'];

Thank you.
I have implemented the suggested changes and will report back as soon as I am finished testing.
However, we also need the same privacy modifier for album comments and likes

Latest fix seems to work fine for photo comments so thank you for that important fix.
However, we still don't have the equivalent for for Album comments or photo/Album likes

What do you mean with this one "we still don't have the equivalent for for Album comments or photo/Album likes" ?

The privacy issue applies wherever someone does an action that can be seen by friends, site members or public.
That means that anywhere that privacy can be set independent of the broader site settings becomes a problem.
For me specifically, this means that ANY settings applied to picture (and video) content needs to use the highest privacy setting.

So, then someone comments on a picture, that picture should only display in the activity stream to my friends who also have view rights to THAT picture. This is what you guys have fixed. Awesome!

But what happens when someone comments on an entire album?
In this case the stream is updated with the comment notification plus a copy of the Album cover and description. For privacy protection, this also should have the same rules as the picture comments , especially if the Album cover is defaulted to the first picture of the album.

For likes, the same applies. If someone likes a picture or album, that like should only display the picture that was liked in the stream to members who ALSO have the right to view that picture or album.

The code provided so far is inserted into file components/com_community/templates/default/activities.photos.comment.php
We need similar code to include in:

Album Comments: components/com_community/templates/default/activities.albums.php
Album Likes: file components/com_community/templates/default/activities.likes.php
Photo likes: components/com_community/templates/default/activities.album.likes.php
Video Comments: components/com_community/templates/default/activities.video.comment.php

I see, I will report this to our dev

Just an info.. that code already applied on all files which you mentioned in our newest code/repository