clean install of Elgg 1.7 on DELL1950III CentOS 5.4 PHP 5.2.10 (cli) Apache 2.2.3-22 MySQL 5.1.39 using base/remi/epel repos
invisible groups working perfect by create group then edit group and set group access to group name
the river activity displays to public (and all other user levels) the discussion of the invisible group (group icon, group name, discussion title, first few lines of the discussion text) betraying the invisible status of the group and breaking the privacy of the group
no 3rd party plugins installed. the error can be reproduced with out of the box 1.7 curverider plugins only
As a solution to this, I propose that in the case of invisible groups, the default access level is set to Group-only for all content posted on the group, over-riding both site and personal access levels. In order to keep things simple, users should be able to post in invisible groups only with the following access levels: (1) that Group, (2) private, (3) if possible, collections of friends where all friends are part of that invisible group
Group members should be made aware that they have joined an invisible group, perhaps with a pop-up notification upon accepting the invitation.
Apart from the current obvious problem with posting group activity on the river, there is a second one: even if I delete the original activity, it will still be listed on the river for all users to see.
Current 1.7 branch does not display the group name or group icon, but it does display the title of the topic. Interestingly enough, the icon displayed is that of the current logged in user when the user does not have permissions for the group.
The core issue is that Elgg's permission model does not work well with containers. Anything within a container should not have more permissive access than the container itself. The access library does not do anything like this right now. Fixing this is not a 1.7.2 issue so I pushing it back to 1.8.