diff --git a/privatemsg.module b/privatemsg.module
index 5697650..c646a6c 100755
--- a/privatemsg.module
+++ b/privatemsg.module
@@ -288,8 +288,8 @@ function privatemsg_menu() {
'page callback' => 'privatemsg_list_page',
'page arguments' => array('list', 1),
'file' => 'privatemsg.pages.inc',
- 'access callback' => 'privatemsg_user_access',
- 'access arguments' => array('read all private messages'),
+ 'access callback' => 'privatemsg_ownuser_access',
+ 'access arguments' => array(1),
'type' => MENU_LOCAL_TASK,
);
return $items;
@@ -351,6 +351,29 @@ function privatemsg_user_access($permission = 'read privatemsg', $account = NULL
}
/**
+ * Checks access for the messages tab on the user profile.
+ *
+ * Privatemsg wrapper for user_access and the user/%/messages menu options,
+ * allows access to the own profile, otherwise calls to privatemsg_user_access.
+ *
+ * @param $uid
+ * ID of the user which profile is being showed.
+ *
+ * @return
+ * TRUE if user has access, FALSE if not.
+ */
+function privatemsg_ownuser_access ($uid = NULL) {
+ global $user ;
+
+ if ($user->uid && $uid == $user->uid){
+ return TRUE ;
+ } else {
+ return privatemsg_user_access('read all private messages') ;
+ }
+}
+
+
+/**
* Check access to the view messages page.
*
* Function to restrict the access of the view messages page to just the
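Review bot: `privatemsg_ownuser_access` returns TRUE for the user's own profile without checking the `read privatemsg` permission, so the `user/%/messages` tab is granted (and, presumably, rendered as a local task) even for accounts that the test at `user/2/messages` expects to get a 403; the 403 appears to come only from the later redirect to `messages`, not from this callback. The own-profile branch should also use a strict comparison instead of `$uid == $user->uid`, since `$uid` is a raw path component and loose comparison against an integer behaves differently across PHP versions. I would change the body to `if ($user->uid && (int) $uid === (int) $user->uid) { return privatemsg_user_access('read privatemsg'); }` followed by `return privatemsg_user_access('read all private messages');`, which keeps the fallback for admins and makes the menu access match what the page actually allows. The signature and `global $user ;` lines also carry stray spaces (`function privatemsg_ownuser_access ($uid = NULL)`, `){`, ` ;`) that Drupal coding standards would flag.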
diff --git a/privatemsg.pages.inc b/privatemsg.pages.inc
index e4de101..c941229 100644
--- a/privatemsg.pages.inc
+++ b/privatemsg.pages.inc
@@ -150,6 +150,11 @@ function privatemsg_list_page($argument = 'list', $uid = NULL) {
// Has rights and user_load return an array so user does exist
$account = $account_check;
}
+ // Redirects to 'messages' if it's the own profile.
+ else if ((int)$uid > 0 && $uid == $user->uid) {
+ drupal_goto('messages');
+ return;
+ }
return drupal_get_form('privatemsg_list', $argument, $account);
}
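Review bot: The new branch compares the raw path argument loosely, `$uid == $user->uid`, right after already casting it with `(int)$uid > 0`; use the cast on both sides, `elseif ((int) $uid > 0 && (int) $uid === (int) $user->uid) {`, so a string such as `"5abc"` cannot satisfy the redirect condition on older PHP while failing it on newer versions (`elseif` is also the Drupal spelling of `else if`). `drupal_goto()` ends the request, so the `return;` after it is unreachable and can be dropped. Whether `$user` is declared `global` in this function is not visible in the hunk, since `privatemsg_list_page` starts before it and the preceding `if` condition is cut off; please confirm it is, otherwise the comparison is against an undefined variable and the redirect never fires.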
diff --git a/privatemsg.test b/privatemsg.test
index 49324dd..d928788 100644
--- a/privatemsg.test
+++ b/privatemsg.test
@@ -91,10 +91,30 @@ class PrivatemsgTestCase extends PrivatemsgBaseTestCase {
$this->drupalGet('messages');
$this->assertResponse(403, t('HTTP Response 403: Access to mailbox was blocked to user without "read privatemsg" permission'));
+ //$user_no_read_msg accesses $no_recipient's mailbox
+ $this->drupalLogin($user_no_read_msg);
+ $this->drupalGet('user/5/messages');
+ $this->assertResponse(403, t('HTTP Response 403: Access to mailbox of other user was blocked'));
+
+ //$user_no_read_msg accesses his own mailbox
+ $this->drupalLogin($user_no_read_msg);
+ $this->drupalGet('user/2/messages');
+ $this->assertResponse(403, t('HTTP Response 403: Access to mailbox was blocked to user without "read privatemsg" permission'));
+
$this->drupalLogin($no_recipient);
$this->drupalGet('messages');
$this->assertResponse(200, t('HTTP Response 200: Access to mailbox was authorized to user with "read privatemsg" permission'));
+ //$no_recipient accesses his own mailbox
+ $this->drupalLogin($no_recipient);
+ $this->drupalGet('user/5/messages');
+ $this->assertResponse(200, t('HTTP Response 200: Access to mailbox was authorized to user with "read privatemsg" permission'));
+
+ //$no_recipient accesses $user_no_read_msg's mailbox
+ $this->drupalLogin($no_recipient);
+ $this->drupalGet('user/2/messages');
+ $this->assertResponse(403, t('HTTP Response 403: Access to mailbox of other user was blocked'));
+
$this->drupalGet('messages/view/' . $response['message']->thread_id);
$this->assertResponse(403, t('HTTP Response 403: Access to thread is blocked for non-recipients.'));
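Review bot: The new assertions hard-code the uids in the paths (`user/5/messages`, `user/2/messages`) while the accounts are created with `drupalCreateUser`, so the test silently checks the wrong account if any user is added earlier in the fixture; build the paths from the objects instead, `$this->drupalGet('user/' . $user_no_read_msg->uid . '/messages');` and `$this->drupalGet('user/' . $no_recipient->uid . '/messages');`. The repeated `drupalLogin()` calls for a user who is already logged in (lines for `$user_no_read_msg` and again for `$no_recipient`) add round-trips without changing state and can be removed. Note also that the 403 for the own-mailbox case is, as far as the module hunk shows, produced by the redirect to `messages` rather than by the profile tab itself, so the assertion message "Access to mailbox was blocked" is accurate only indirectly; a comment saying so would help the next reader.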
@@ -236,12 +256,15 @@ class PrivatemsgTestCase extends PrivatemsgBaseTestCase {
/**
* Test sending message from the /messages/new page between two people
+ * Make sure a non-recipient cannot read the message.
*/
function testWriteReplyPrivatemsg() {
- // Create an author and two recipients.
+ // Create an author, two recipients, a non-recipient, and a non-active
+ // (blocked) user.
$author = $this->drupalCreateUser(array('read privatemsg', 'write privatemsg', 'select text format for privatemsg', filter_permission_name(filter_format_load('full_html'))));
$recipient = $this->drupalCreateUser(array('read privatemsg'));
$recipient2 = $this->drupalCreateUser(array('read privatemsg', 'write privatemsg'));
+ $nonrecipient = $this->drupalCreateUser(array('read privatemsg'));
// Set up a user with "read/write privatemsg" permissions.
$blocked_recipient = $this->drupalCreateUser(array('read privatemsg', 'write privatemsg'));
// Block this recipient to test users who cancelled their accounts.
@@ -450,6 +473,14 @@ class PrivatemsgTestCase extends PrivatemsgBaseTestCase {
// Confirm that the reply form is not shown.
$this->assertNoText(t('Reply'), 'Reply form is not displayed.');
$this->assertText(t('You can not reply to this conversation because all recipients are blocked.'));
+
+ // Login using nonrecipient and try to read the message by going to inbox first.
+ $this->drupalLogin($nonrecipient);
+ $this->drupalGet('user/5/messages');
+ $this->assertResponse(200, t('HTTP Response 200: Access to mailbox was authorized to user with "read privatemsg" permission'));
+
+ // Assert that we cannot see any messages.
+ $this->assertText(t('No messages available.'), t('No messages available.'));
}
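Review bot: The non-recipient check relies on the hard-coded path `user/5/messages`, which only works if `$nonrecipient` happens to be the fifth account created; use `'user/' . $nonrecipient->uid . '/messages'` so the test does not depend on fixture ordering. Asserting `No messages available.` proves the list is empty, but a stronger negative check would be `assertNoText()` on the subject of the message sent earlier in `testWriteReplyPrivatemsg`, if that subject is held in a variable earlier in the test (the start of the test body is outside this hunk). The `t()` wrapper around assertion messages is conventional in this file, but the second `t('No messages available.')` duplicates the expected text rather than describing the assertion; a message such as `'Non-recipient sees an empty inbox.'` reads better in the test log.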
/**