Only a subsection of the users on our site have the permission to 'Read private messages'. Therefore, when writing a message, I think there should be an access check performed to ensure that all users that are recipients of a message can actually read the message, and that any recipients that don't have that permission are rejected. (Same goes for the autocomplete field too).
Having looked through the module code, it looks like the function privatemsg_recipient_access() should be responsible for this kind of check. However, since the recipient type array for 'user' defines neither a 'view callback' nor a 'view access' permission, this function will always return TRUE no matter what user is being checked. Is this the intention?
By simply adding a 'view callback' key to the user recipient type array, we could perform a 'read private messages' permission check on the recipient user quite trivially. I'm happy to supply a patch for this if this sounds right.
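The following is an added illustration of the 'view callback' approach described above; it is not code from the issue author or from the Privatemsg module. It assumes that Privatemsg passes its recipient type array through an alter hook named hook_privatemsg_recipient_type_info_alter(), that the "Read private messages" permission has the machine name 'read privatemsg', and that the callback receives the loaded recipient account and returns TRUE or FALSE.

```php
<?php
/**
 * @file
 * Constructed example (not the Privatemsg module's own code): register a
 * 'view callback' for the 'user' recipient type so that
 * privatemsg_recipient_access() rejects recipients who cannot read
 * private messages instead of returning TRUE unconditionally.
 */

/**
 * Implements hook_privatemsg_recipient_type_info_alter().
 *
 * Assumption: the recipient type array collected by Privatemsg is passed
 * through this alter hook, keyed by recipient type name ('user').
 */
function mymodule_privatemsg_recipient_type_info_alter(&$types) {
  if (isset($types['user']) && empty($types['user']['view callback'])) {
    // Without a 'view callback' or 'view access' key, the access check has
    // nothing to evaluate for the 'user' type and every recipient passes.
    $types['user']['view callback'] = 'mymodule_privatemsg_user_view_access';
  }
}

/**
 * View callback for the 'user' recipient type.
 *
 * Returns TRUE only if the recipient account holds the permission shown in
 * the UI as "Read private messages" (assumed machine name 'read privatemsg').
 * Blocked or anonymous accounts are rejected as well, since a message they
 * can never read should not be addressable to them.
 *
 * @param object $recipient
 *   The recipient as a loaded user account (assumed argument shape).
 *
 * @return bool
 *   TRUE if the recipient may read private messages, FALSE otherwise.
 */
function mymodule_privatemsg_user_view_access($recipient) {
  if (empty($recipient->uid) || empty($recipient->status)) {
    return FALSE;
  }
  // user_access() evaluates the permission against the account passed as
  // its second argument rather than against the current user.
  return user_access('read privatemsg', $recipient);
}
```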
Test bot results:

- FAILED: [[SimpleTest]]: [MySQL] 4,936 pass(es), 2 fail(s), and 1 exception(s).
- FAILED: [[SimpleTest]]: [MySQL] 4,929 pass(es), 8 fail(s), and 5 exception(s).
- FAILED: [[SimpleTest]]: [MySQL] 4,081 pass(es), 503 fail(s), and 584 exception(s).
- FAILED: [[SimpleTest]]: [MySQL] 4,946 pass(es), 1 fail(s), and 0 exception(s).
- FAILED: [[SimpleTest]]: [MySQL] 4,921 pass(es), 1 fail(s), and 0 exception(s).