There are two different user roles, Drupal admin and contributor.
The "Read all private messages" permission is assigned only to the admin.
I have experienced a situation where a (contributor) user visited a URL with a message id (mid) that did not exist, and all the inbox messages were listed under the "Read message" tab/page. When I visit the same URL as admin, I get a "page not found" message, which is the expected behaviour. The "Read all private messages" permission is checked for admins, but I can't allow this for other roles even if it solves the problem.
Open an existing message from the inbox, like: my-site/messages/view/46623
The message can be viewed and/or deleted as expected.
Now change the message id (mid) to something bigger, or to a mid that does not exist, like: my-site/messages/view/4662789
Instead of a "page not found" message all inbox messages are listed under the "Read message" tab!
I have found that the privatemsg_thread_load function does not check if the message id (mid) exists in the database; it only checks if the mid is greater than zero ($thread_id > 0).
That way this function evaluates to TRUE for any integer greater than zero, and not only that, but it also evaluates to TRUE even if characters are included in the URL, due to this code: $thread_id = (int)$thread_id;
I think that the $thread_id from the URL should be matched against the mids stored in the database, and if it does exist then proceed with the message's further processing; otherwise throw a "page not found".
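To illustrate the difference, here is an added example (not the privatemsg module's own code): a loader that mirrors the weak check described above, next to a hardened loader that rejects non-numeric ids, confirms the thread exists, and restricts non-admins to threads they actually participate in. The table and column names ({pm_index}: thread_id, recipient, deleted) and the permission machine name are assumptions about the module's schema; adjust them to the installed version.

```php
<?php
// Weak loader: casts to int and only checks "> 0", so "4662789" (nonexistent)
// and "46623abc" (junk suffix, cast to 46623) both pass without a lookup.
function weak_thread_load($thread_id) {
  $thread_id = (int) $thread_id;   // "46623abc" -> 46623, "abc" -> 0
  if ($thread_id > 0) {
    return array('thread_id' => $thread_id);   // no existence or access check
  }
  return FALSE;
}

// Hardened loader: a Drupal 7 menu load callback that returns FALSE (which the
// menu system turns into a 404) unless the id is a plain positive integer,
// the thread exists, and $account is allowed to read it.
function hardened_thread_load($thread_id, $account = NULL) {
  global $user;
  if (!isset($account)) {
    $account = $user;
  }
  // ctype_digit() refuses "46623abc", "-1", "" and "0x10" outright.
  if (!ctype_digit((string) $thread_id) || (int) $thread_id <= 0) {
    return FALSE;
  }
  $thread_id = (int) $thread_id;

  if (user_access('read all private messages', $account)) {
    // Assumed permission name; admins may load any thread that exists.
    $exists = db_query(
      'SELECT 1 FROM {pm_index} WHERE thread_id = :tid',
      array(':tid' => $thread_id)
    )->fetchField();
  }
  else {
    // Everyone else must be a non-deleted participant of that exact thread.
    $exists = db_query(
      'SELECT 1 FROM {pm_index} WHERE thread_id = :tid AND recipient = :uid AND deleted = 0',
      array(':tid' => $thread_id, ':uid' => $account->uid)
    )->fetchField();
  }
  if (!$exists) {
    // Unknown thread or not a participant: 404, never a list of other messages.
    return FALSE;
  }
  return array('thread_id' => $thread_id);
}
```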
Web server: Apache/2.4.10 (Win32) OpenSSL/1.0.1i PHP/5.5.15
Database system : MySQL 5.6.20
Drupal: 7.37
Status: Closed (outdated)
Version: 1.4
Component: Code