Today, everyone in the publishers group can see all tasks in Pulse. This is a problem with sensitive content. Only users who have a permission to view the content item should see the task. The task should be considered metadata about the content and carry the same permission restrictions.

Example: A small group of editors creates a sensitive press release /news/ceo-steps-down. It is critical that this information is not released until the page is public. Only the small group of editors have permission to view the page on the author instance. However, when the page is published everybody in the bigger publishers group can see the task in Pulse, including the item path and the node name. The news has leaked.

Summary:

• Task should be considered metadata. It should carry the same permission restrictions as its content.
• Users should only see Pulse tasks for content they have permission to view.
• If I don't have permission to view a content then I should not see the task in Pulse either.