diff --git a/app/views/events/_event.html.haml b/app/views/events/_event.html.haml
index 5623f0f590a..78a1d1a0553 100644
--- a/app/views/events/_event.html.haml
+++ b/app/views/events/_event.html.haml
@@ -11,5 +11,5 @@
= render "events/event/note", event: event
- else
= render "events/event/common", event: event
-- elsif @user.include_private_contributions?
+- elsif @user&.include_private_contributions?
= render "events/event/private", event: event
diff --git a/spec/features/projects/activity/user_sees_private_activity_spec.rb b/spec/features/projects/activity/user_sees_private_activity_spec.rb
new file mode 100644
index 00000000000..d7dc0a6712a
--- /dev/null
+++ b/spec/features/projects/activity/user_sees_private_activity_spec.rb
@@ -0,0 +1,35 @@
+require 'spec_helper'
+
+describe 'Project > Activity > User sees private activity', :js do
+ let(:project) { create(:project, :public) }
+ let(:author) { create(:user) }
+ let(:user) { create(:user) }
+ let(:issue) { create(:issue, :confidential, project: project, author: author) }
+ let(:message) { "#{author.name} opened issue #{issue.to_reference}" }
+
+ before do
+ project.add_developer(author)
+
+ create(:event, :created, project: project, target: issue, author: author)
+ end
+
+ it 'shows the activity to a logged-in user with permissions' do
+ sign_in(author)
+ visit activity_project_path(project)
+
+ expect(page).to have_content(message)
+ end
+
+ it 'hides the activity from a logged-in user without permissions' do
+ sign_in(user)
+ visit activity_project_path(project)
+
+ expect(page).not_to have_content(message)
+ end
+
+ it 'hides the activity from an anonymous user' do
+ visit activity_project_path(project)
+
+ expect(page).not_to have_content(message)
+ end
+end