Contacting blocked users

I can reproduce this in 5.1. Logged in as administrator, sending a message to a disabled user. No error message is displayed, and Drupal attempts to send the email. However the following is generated in Postfix's mail.log:

Feb  2 00:03:36 example postfix/pickup[17881]: AC3EB221C0C2: uid=33 from=<www-data>
Feb  2 00:03:36 example postfix/cleanup[26387]: AC3EB221C0C2: message-id=<20070202000336.AC3EB221C0C2@example.com>
Feb  2 00:03:36 example postfix/cleanup[26387]: AC3EB221C0C2: to=<unknown>, relay=none, delay=0, status=bounced (No recipients specified)

I'd therefore assume that Drupal is failing to detect the user's email address when the user is disabled, isn't detecting this, and so is trying to send to a blank email address without logging anything.

I believe the correct behaviour should be:

check if user is disabled
if user is disabled, check if user is administrator
if user is administrator allow form to be sent
otherwise generate an error message.

We need to check whether the user sending is an administrator. We don't want just anybody sending messages through the contact form of a disabled user, but it is vital that the administrators are able to send emails to disabled users.

This issue is caused by line 360 of contact.module which will only load the recipient user object if it is enabled. I propose we change this to something along the lines of:

$account = user_load(array('uid' => arg(1)));
// check if the recipient account is enabled, or the sender is an administrator
if ($account->Status == 1 || user_access('administer site configuration')) {

  // stuff to send message

} else {
  drupal_access_denied();
}

I've just looked at Drupal 4.7.4, and this issue also exists there, so it's been around for a while. My proposed solution should work in 4.7.4 as well as it does in 5.x, so I'd like to see it backported too.

Right, I should probably get on with testing this and developing a patch.

I'd base it on "administer users" permission rather than "administer site configuration" permission, since that's what the contact form is based on.

This also needs to be in patch form. See http://drupal.org/patch.

OK, I've created a patch based upon my previous comment and webchick's suggestion. I've also added a check when the form is being rendered.

I suppose we should return an error message somehow rather than simply giving a drupal_access_denied? How best to implement that?

I would prefer a Message like:

"This User is blocked. You are not able to Contact him this way. Please excuse this matter."

Or something that tells the user what is going on now.
With this error message, he will maybe think its a site error...

I would prefer a Message like:

"This User is blocked. You are not able to Contact him this way. Please excuse this matter."

Or something that tells the user what is going on now.
With the old error message, he will maybe think its a site error...

You can contact blocked users if you have the 'administer users' permission. Also no followup in two years, so closing the issue.