Currently, running entity_access() on a message entity (e.g., as in #1918666) will call message_access(), which simply returns the value of
user_access('create messages', $account);
In some cases, a module or modules may want to introduce a more complex set of access checking criteria. Currently, this can only be accomplished by implementing hook_entity_info_alter() and changing the 'access callback' value. One drawback of that approach is that only a single module or callback can be used within one installation of Drupal.
In Commons, we want the Commons Activity streams module to enforce access criteria on all messages that it defines, and prevent users from seeing or receiving messages that reference nodes that the viewer/recipient cannot access.
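For illustration, the hook_entity_info_alter() workaround described above might look like the following sketch for Drupal 7. This is an added example, not code from the Message or Commons projects. The module name "mymodule" and the field name "field_example_node_ref" are hypothetical, and it assumes messages reference nodes through an entityreference field.

```php
<?php
/**
 * Implements hook_entity_info_alter().
 *
 * The module name "mymodule" is hypothetical.
 */
function mymodule_entity_info_alter(&$entity_info) {
  if (isset($entity_info['message'])) {
    // An entity type has exactly one 'access callback'. This assignment
    // replaces message_access(), and any module whose alter hook runs later
    // and sets the same key silently replaces this one.
    $entity_info['message']['access callback'] = 'mymodule_message_access';
  }
}

/**
 * Access callback for message entities.
 *
 * entity_access() invokes it as ($op, $entity, $account, $entity_type).
 */
function mymodule_message_access($op, $message = NULL, $account = NULL, $entity_type = NULL) {
  // The original permission check is lost unless it is chained explicitly.
  if (!message_access($op, $message, $account)) {
    return FALSE;
  }
  // No entity given: only the general permission can be checked.
  if (empty($message)) {
    return TRUE;
  }
  // Assumption: referenced nodes live in an entityreference field with this
  // hypothetical name.
  $items = field_get_items('message', $message, 'field_example_node_ref');
  foreach ($items ? $items : array() as $item) {
    $node = node_load($item['target_id']);
    // Fail closed: deny if the node no longer exists or the account
    // cannot view it.
    if (!$node || !node_access('view', $node, $account)) {
      return FALSE;
    }
  }
  return TRUE;
}
```

If a second module applies the same workaround, only the callback assigned last takes effect, so one module's check is dropped without any error.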