Only a subsection of the users on our site have the permission to 'Read private messages'. Therefore, when writing a message, I think there should be an access check performed to ensure that all users that are recipients of a message can actually read the message, and that any recipients that don't have that permission are rejected. (Same goes for the autocomplete field too).
Having looked through the module code, it looks like the function privatemsg_recipient_access() should be responsible for this kind of check. However, since the recipient type array for 'user' defines neither a 'view callback' nor a 'view access' permission, this function will always return TRUE no matter what user is being checked. Is this the intention?
By simply adding a 'view callback' key to the user recipient type array, we could perform a 'read private messages' permission check on the recipient user quite trivially. I'm happy to supply a patch for this if this sounds right.
Closed: outdated
2.0
Code
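The fall-through described in the post, as an added example that is not part of the original post or the Privatemsg module's code: a simplified PHP model of a recipient access check that allows by default, next to the proposed 'view callback'. All function names, the sample accounts and the way a 'view access' key is evaluated are assumptions.

```php
<?php
// Simplified model of the check described above; names are hypothetical.
// Constructed sample data: uid => permissions granted to that account.
const ACCOUNTS = [
  1 => ['read private messages', 'write private messages'],
  2 => ['write private messages'], // can send, cannot read
];

function model_user_has(int $uid, string $perm): bool {
  return in_array($perm, ACCOUNTS[$uid] ?? [], true);
}

// Callback first, then a static permission key, otherwise allow.
function model_recipient_access(array $type, string $op, int $recipient, int $actor): bool {
  $callback = $type["$op callback"] ?? null;
  if (is_callable($callback)) {
    return (bool) $callback($recipient);
  }
  if (isset($type["$op access"])) {
    // Assumption: a static key is checked against the acting user.
    return model_user_has($actor, $type["$op access"]);
  }
  return true; // neither key set: every recipient passes
}

// Split a recipient list into accepted and rejected uids.
function model_filter_recipients(array $type, array $recipients, int $actor): array {
  $out = ['accepted' => [], 'rejected' => []];
  foreach ($recipients as $uid) {
    $ok = model_recipient_access($type, 'view', $uid, $actor);
    $out[$ok ? 'accepted' : 'rejected'][] = $uid;
  }
  return $out;
}

// 'user' type as the post describes it: no 'view callback', no 'view access'.
$user_type_current = ['name' => 'User'];
// Proposed change: check the recipient's own read permission.
$user_type_proposed = ['name' => 'User',
  'view callback' => fn(int $uid): bool => model_user_has($uid, 'read private messages'),
];

print_r(model_filter_recipients($user_type_current, [1, 2], 1));
print_r(model_filter_recipients($user_type_proposed, [1, 2], 1));
```

With the callback in place, a uid that has no entry in the sample data is rejected as well, so the check fails closed for unknown recipients.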