diff --git a/privatemsg.module b/privatemsg.module
index a09ef17..fe039d9 100644
--- a/privatemsg.module
+++ b/privatemsg.module
@@ -2656,12 +2656,20 @@ function privatemsg_privatemsg_recipient_type_info() {
 'load' => 'privatemsg_user_load_multiple',
 'format' => 'privatemsg_username',
 'autocomplete' => 'privatemsg_user_autocomplete',
+ 'write callback' => '_privatemsg_recipient_user_write_permission',
 // Make sure this comes always last.
 '#weight' => 50,
 ),
 );
 }
 
+function _privatemsg_recipient_user_write_permission($recipient) {
+ if (is_object($recipient) && isset($recipient->uid)) {
+ return user_access('write privatemsg') && ($recipient->uid == 1 || user_access('read privatemsg', $recipient) || user_access('administer privatemsg settings', $recipient));
+ }
+ else return TRUE;
+}
+
 /**
 * Implements callback_recipient_autocomplete().
 */
@@ -2680,6 +2688,10 @@ function privatemsg_user_autocomplete($fragment, $names, $limit) {
 // Return them in an array with the correct recipient key.
 $suggestions = array();
 foreach ($accounts as $account) {
+ // Only display recipients with permission to read private messages.
+ if (!_privatemsg_recipient_user_write_permission($account)) {
+ continue;
+ }
 $account->type = 'user';
 $account->recipient = $account->uid;
 $suggestions[privatemsg_recipient_key($account)] = $account;
diff --git a/privatemsg.test b/privatemsg.test
index 3b0d47f..5b1e9d6 100644
--- a/privatemsg.test
+++ b/privatemsg.test
@@ -242,6 +242,7 @@ class PrivatemsgTestCase extends PrivatemsgBaseTestCase {
 $author = $this->drupalCreateUser(array('write privatemsg', 'select text format for privatemsg', filter_permission_name(filter_format_load('full_html'))));
 $recipient = $this->drupalCreateUser(array('read privatemsg'));
 $recipient2 = $this->drupalCreateUser(array('read privatemsg', 'write privatemsg'));
+ $recipient3 = $this->drupalCreateUser(array());
 
 // Login author and go to new message form.
 $this->drupalLogin($author);
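Review bot: `_privatemsg_recipient_user_write_permission` has no docblock, which Drupal requires on every function, and `else return TRUE;` drops the braces the coding standard calls for; the single long return also folds the current user's 'write privatemsg' check into the recipient checks, and `$recipient->uid == 1` is a loose comparison on a value that may arrive as a string from the database. Guard clauses make the three outcomes readable, shown below with a docblock stating the contract. The fall-through keeps the original behaviour of reporting any value that is not an object with a uid as writable, which is permissive by default, so it is worth confirming that every consumer of the 'write callback' key expects that. `privatemsg_privatemsg_recipient_type_info` starts outside the hunk, and the hunk ends inside the docblock of `privatemsg_user_autocomplete`.
```php
/**
 * Determines whether the current user may send a private message to $recipient.
 *
 * Values that are not user objects with a uid are reported as writable.
 *
 * @param object $recipient
 *   A user account object, as returned by the recipient type's load callback.
 *
 * @return bool
 *   TRUE if the current user may write to $recipient, FALSE otherwise.
 */
function _privatemsg_recipient_user_write_permission($recipient) {
  if (!is_object($recipient) || !isset($recipient->uid)) {
    return TRUE;
  }
  // The sender needs the write permission whoever the recipient is.
  if (!user_access('write privatemsg')) {
    return FALSE;
  }
  // uid 1 is always accepted; anyone else must hold a read or administer permission.
  return (int) $recipient->uid === 1
    || user_access('read privatemsg', $recipient)
    || user_access('administer privatemsg settings', $recipient);
}
```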
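Review bot: The new comment above the `continue` says only recipients with permission to read private messages are shown, but the callback it calls also requires the current user to hold 'write privatemsg' and accepts uid 1 and holders of 'administer privatemsg settings', so the comment understates what is filtered; `// Skip accounts the current user may not send to, as decided by the recipient type's 'write callback'.` would match the code. The filter runs after `$accounts` has already been loaded, so if that load applied `$limit` (the query is outside the hunk) the response can contain fewer than `$limit` suggestions while further eligible matches exist, and the limit would have to be applied after filtering to avoid that. The per-account call also re-evaluates the current user's 'write privatemsg' check on every iteration, which could be hoisted above the loop. `privatemsg_user_autocomplete` starts and ends outside the hunk.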
@@ -259,6 +260,12 @@ class PrivatemsgTestCase extends PrivatemsgBaseTestCase {
 'subject' => $this->randomName(20),
 'body[value]' => $this->randomName(100),
 );
+ // Recipient with no read privatemsg permission.
+ $editnoreadpermision = array(
+ 'recipient' => $recipient3->name,
+ 'subject' => $this->randomName(20),
+ 'body[value]' => $this->randomName(100),
+ );
 // No recipients.
 $editnone = array(
 'recipient' => '',
@@ -317,6 +324,9 @@ class PrivatemsgTestCase extends PrivatemsgBaseTestCase {
 $this->drupalPost('messages/new', $edit2, t('Send message'));
 $this->assertText(t('A message has been sent to @recipients.', array('@recipients' => implode(', ', array($recipient->name, $recipient2->name)))), 'Message sent confirmation displayed.');
 
+ $this->drupalPost('messages/new', $editnoreadpermision, t('Send message'));
+ $this->assertText(t('You must include at least one valid recipient.'), "Message not sent to user without 'read privatemsg' permission.");
+
 $this->drupalPost('messages/new', $editnone, t('Send message'));
 $this->assertText(t('To field is required.'), 'Message was not sent.');
 
@@ -817,6 +827,7 @@ class PrivatemsgTestCase extends PrivatemsgBaseTestCase {
 $user1 = $this->drupalCreateUser(array('read privatemsg', 'write privatemsg'));
 $user2 = $this->drupalCreateUser(array('read privatemsg', 'write privatemsg'));
 $user3 = $this->drupalCreateUser(array('read privatemsg', 'write privatemsg'));
+ $unprivileged_user = $this->drupalCreateUser();
 
 $this->drupalLogin($current);
 
@@ -825,6 +836,7 @@ class PrivatemsgTestCase extends PrivatemsgBaseTestCase {
 user_save($user1, array('name' => 'aaaa'));
 user_save($user2, array('name' => 'aaab'));
 user_save($user3, array('name' => 'bbbb'));
+ user_save($unprivileged_user, array('name' => 'dddd'));
 $json = $this->drupalGet('messages/autocomplete/aa');
 $autocomplete = (array)json_decode($json);
 
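Review bot: `$editnoreadpermision` is missing the second `s` of "permission", and since the @@ -317 hunk reuses the name both sites would change together: `$editnoreadpermision = array(` becomes `$editnoreadpermission = array(`, and the later `drupalPost` call follows. The enclosing test method starts and ends outside the hunk.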
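Review bot: The added assertion in the @@ -317 hunk expects the form to reject `$recipient3` with 'You must include at least one valid recipient.', but nothing in the visible part of this diff connects the new 'write callback' key to the message form's validation; if the validation already consults that key elsewhere in the module the test stands, otherwise this assertion fails and the filtering exists only in the autocomplete path. A comment above the `drupalPost` line would make the dependency explicit, e.g. `// Form validation consults the recipient type's 'write callback'.` The enclosing test method starts and ends outside the hunk.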
@@ -846,6 +858,10 @@ class PrivatemsgTestCase extends PrivatemsgBaseTestCase {
 $this->assertEqual(count($autocomplete), 1, t('Autocomplete object contains one suggestion.'));
 $this->assertEqual($autocomplete['aaaa, aaab, '], 'aaab');
 
+ $json = $this->drupalGet('messages/autocomplete/dd');
+ $autocomplete = (array)json_decode($json);
+ $this->assertEqual(count($autocomplete), 0, t("Autocomplete does not show users without 'read privatemsg' permission.""));
+
 // Test XSS protection, create a username and check that the suggestion is
 // safe.
 $user4 = $this->drupalCreateUser(array('read privatemsg', 'write privatemsg'));
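Review bot: The added `assertEqual` message ends in `permission.""));`, and the doubled double quote leaves the string literal unbalanced, so as shown the line would not parse; unless this is an artifact of how the patch was rendered, it should read `$this->assertEqual(count($autocomplete), 0, t("Autocomplete does not show users without 'read privatemsg' permission."));`. The enclosing test method starts and ends outside the hunk.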