Fix oversight allowing cross-group Activity viewing

Cause:
  - :require_membership uses @group to check whether user can view,
  - @group is set by :set_group, from :group_id parameter, _without_
      checking whether (for the methods dealing with an Activity) that
      Group is the Activity's Group
  - if a user is a member of at least one Group (default situation),
      then the User could freely view other activities by guessing at
      the id, but leaving the :group_id set to the User's Group.

app/controllers/activities_controller.rb

@@ -1,8 +1,8 @@
 class ActivitiesController < ApplicationController
   include GroupsHelper
   include ActivitiesHelper
-  before_action :set_activity, only: [:show, :edit, :update, :destroy, :presence]
-  before_action :set_group
+  before_action :set_activity_and_group, only: [:show, :edit, :update, :destroy, :presence]
+  before_action :set_group,            except: [:show, :edit, :update, :destroy, :presence]
   before_action :require_membership!
   before_action :require_leader!, only: [:mass_new, :mass_create, :new, :create, :destroy]
   before_action :require_organizer!, only: [:edit, :update, :change_organizer]
@@ -160,9 +160,10 @@ class ActivitiesController < ApplicationController
   end
 
   private
-    # Use callbacks to share common setup or constraints between actions.
-    def set_activity
+    # The Activity's group takes precedence over whatever's in the URL, set_group not required (and can be mislead)
+    def set_activity_and_group
       @activity = Activity.find(params[:id])
+      @group = @activity.group
     end
 
     def set_group