Privatemsg version 2 dev, on a Drupal 5.5 test system, logged on as user/1: when I look at my sent messages, open a message to another user and then select the tab 'back to list', I end up in that other user's inbox instead of my own sent messages.
It seems user/1 can look at arbitrary user mailboxes by using /privatemsg/ etc
This does not happen for normal end users it seems.
Comments
Comment #1
jvlagsma commented: link needs to be /privatemsg/uid where uid is the numeric user id
Comment #2
jvlagsma commented: From this bit of code it appears to me, not being very proficient in PHP and Drupal code, that it is intentional that authorised users see other users' private messages. Am I missing something? Surely this violates users' privacy.
Comment #3
jvlagsma commented: I've added this bit of code, which seems to do the trick. There may be better ways, but I'm not an experienced PHP programmer.
// $Id: privatemsg.module,v 1.70.2.30.2.88 2008/01/22 06:49:22 karthik Exp $
Line 699:
Can someone please review this and commit this to the module permanently.
Thanks,
Johan
Comment #4
naheemsays commented: I would suspect that the current behaviour is a "feature".
Those with the permission can see all messages, those without can't. (Just like the "Administer Nodes" permission allows you to see ALL nodes, even if there are access control modules installed.)
I have not changed the status as that is probably for the maintainer to do, but I suspect this is "By Design".
Comment #5
jvlagsma commented: The whole point of a module like privatemsg is to keep messages private; if these messages were meant for a wider audience they would be put in the forums with the appropriate access control. I agree user/1 is just one person, but where does it end? If users notice private messages aren't private anymore they will lose trust and start using other, more trustworthy, more private ways (e.g. email), thus losing them from the context of the site.
Privatemsg is a greatly appreciated asset in my site, has been for the past 3 years or so and I'd hate to lose it. Just upgraded to version 5.x-2.x-dev with my above "fix", users love the new looks and functions!
Comment #6
naheemsays commented: It does not end at user/1 - anyone who has "administer private messages" permission can see all messages. It DOES keep messages private. From "the public".
On any site, the members have to "by default" trust the administrators. There is always a way to check the messages (look at the database tables for one method; change the user's password and log into that account for another).
I would not post anything to a site where I did not trust the admin (team?) to do the right thing. In the same way, I would not give an untrusted user
Remember, the admins do have to go slightly out of their way to see another's messages. The default link only takes them to their own.
This "feature" does not affect end users. If the question is "can admins see my private messages", the answer is "yes". It was before this, and it will remain after this. Just a little more accessible.
As a "use" for this feature: another user complaining about spam, or worse, bullying or harassment via PM. Instead of checking through the database tables comparing user ids, or logging in as that user, just click the links to that message. It makes administering private messages easier.
Comment #7
jvlagsma commented: Thanks for this extra bit of info on the "administer private messages" permission, I hadn't realised that. Obviously I haven't set this permission, so my only change was for user/1.
We seem to disagree on the level of privacy these messages need; that's ok. I agree admin could peek at them by going into the database, but that's what I'd call "going out of their way". Stumbling on it like I did is too easy for me; I didn't expect it, and it didn't work like this in version 1.
Different admins work in different ways. As an admin I would never ever interfere with 2 users bullying each other via private messages. Users are responsible for their own behaviour and will have to sort out their personal problems themselves.
I'll keep my small change as a local modification on privatemsg.
Thanks for your views on the matter, I appreciate it. Learning all the time ;-)
Comment #8
naheemsays commented: No probs. It is a difficult issue where both points of view are right and wrong. :)
I go out of my way to avoid seeing things that I shouldn't, but there have been situations with different software (phpBB) where I had to ban all PM activity from one user after complaints by multiple people (some of them kids). Looking through that person's messages would have been easier than trying to piece things together via the database (and seeing a lot more unrelated posts).
As for making it harder to get to, that may be a good idea.
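An added example, not the privatemsg module's own code, of the owner-or-permission rule naheemsays describes in comment #6, with the "harder to get to" idea from comment #8 applied as an audit log entry rather than a hard block. It assumes the Drupal 5 core functions user_access(), watchdog(), check_plain(), t() and drupal_access_denied(), and a hypothetical listing function example_privatemsg_list() standing in for the module's own mailbox rendering:

```php
<?php
// Added example (not privatemsg's own code). Access rule for /privatemsg/<uid>:
// owners always get in, anyone else needs "administer private messages", and
// privileged cross-user access leaves a watchdog entry so it is visible in
// the site log instead of happening silently.
function example_privatemsg_mailbox_access($uid) {
  global $user;
  $uid = (int) $uid;

  // Every authenticated user may read their own mailbox.
  if ($user->uid && $user->uid == $uid) {
    return TRUE;
  }

  // Anyone else needs the explicit permission. user/1 passes this check
  // implicitly, because user_access() returns TRUE for uid 1 in Drupal 5.
  if (!user_access('administer private messages')) {
    return FALSE;
  }

  // Allowed, but recorded: an admin looking at someone else's mailbox shows
  // up under admin/logs with the viewer's name and the target uid.
  watchdog('privatemsg',
    t('User %admin viewed the mailbox of user %uid.',
      array('%admin' => check_plain($user->name), '%uid' => $uid)),
    WATCHDOG_NOTICE);
  return TRUE;
}

// Page callback wrapper: answer with a 403 instead of quietly showing another
// user's list. example_privatemsg_list() is a hypothetical stand-in for the
// module's own listing code.
function example_privatemsg_mailbox_page($uid) {
  if (!example_privatemsg_mailbox_access($uid)) {
    drupal_access_denied();
    return '';
  }
  return example_privatemsg_list((int) $uid);
}
```

Wired in as the access/callback pair for the /privatemsg/%uid menu item, this keeps the admin use case from comment #6 while giving the site log the trail that comment #8 asks for.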
Comment #9
Anonymous (not verified) commented: The admin can ALWAYS read the mails by peeking into the DB.
So there is no real point in this discussion.