authorEvan Winslow <evan@elgg.org>2012-10-09 23:47:08 -0700
committerEvan Winslow <evan@elgg.org>2012-10-09 23:47:08 -0700
commit0f3124c29f66eb57b7310d720bf76564b57eb2c0 (patch)
tree05595c97892ee976487d94a0894337daad4de75b
parentf888fa1d02bcd8f24d53566bf30d6466f6c00e78 (diff)
parentb29dcc4b232bdf5f587fce31c2c271c1814c4392 (diff)
downloadelgg-0f3124c29f66eb57b7310d720bf76564b57eb2c0.tar.gz
elgg-0f3124c29f66eb57b7310d720bf76564b57eb2c0.tar.bz2
Merge pull request #397 from jdalsem/#4879-unwanted-access-to-messages-pages
Fixes #4879: unwanted access to messages pages
-rw-r--r--mod/messages/pages/messages/inbox.php9
-rw-r--r--mod/messages/pages/messages/read.php4
-rw-r--r--mod/messages/pages/messages/sent.php9
3 files changed, 16 insertions, 6 deletions
diff --git a/mod/messages/pages/messages/inbox.php b/mod/messages/pages/messages/inbox.php
index fdfc20c43..de5b8b231 100644
--- a/mod/messages/pages/messages/inbox.php
+++ b/mod/messages/pages/messages/inbox.php
@@ -8,8 +8,13 @@
gatekeeper();
$page_owner = elgg_get_page_owner_entity();
-if (!$page_owner) {
- register_error(elgg_echo());
+
+if (!$page_owner || !$page_owner->canEdit()) {
+ $guid = 0;
+ if($page_owner){
+ $guid = $page_owner->getGUID();
+ }
+ register_error(elgg_echo("pageownerunavailable", array($guid)));
forward();
}
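Review bot: The denial branch reports the real owner GUID to a caller who has just failed `canEdit()`, while a missing owner reports 0. Assuming the `pageownerunavailable` string interpolates its argument, a refused user can tell "no such account" from "account exists, not yours" and learns the GUID behind the requested username. Since the page is refusing access either way, the same value could be passed in both cases, e.g. `register_error(elgg_echo("pageownerunavailable", array(0)));`, which also removes the `$guid` bookkeeping. The identical block in the sent.php hunk has the same behaviour. As a style point, `if($page_owner){` does not match the `if (...) {` spacing of the surrounding lines.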
diff --git a/mod/messages/pages/messages/read.php b/mod/messages/pages/messages/read.php
index fd3b466a1..eb36eaa4b 100644
--- a/mod/messages/pages/messages/read.php
+++ b/mod/messages/pages/messages/read.php
@@ -8,8 +8,8 @@
gatekeeper();
$message = get_entity(get_input('guid'));
-if (!$message) {
- forward('messages/inbox');
+if (!$message || !elgg_instanceof($message, "object", "messages")) {
+ forward('messages/inbox/' . elgg_get_logged_in_user_entity()->username);
}
// mark the message as read
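Review bot: The new guard on `$message` checks only that the entity is an `object`/`messages` instance, not that the logged-in user is allowed to open it. The inbox.php and sent.php hunks gate on `canEdit()`, but this page relies entirely on whatever access filtering `get_entity()` applies, which is not visible here. The code after the hunk goes on to mark the message as read, so any account that can load the entity (possibly an administrator) would also change its read state. If messages are owned by the mailbox user, the condition could be brought into line with the other two pages: `if (!elgg_instanceof($message, "object", "messages") || !$message->canEdit()) {`. The ownership model should be confirmed first, and the rest of read.php lies outside the hunk.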
diff --git a/mod/messages/pages/messages/sent.php b/mod/messages/pages/messages/sent.php
index af06ab273..3d08cd5ee 100644
--- a/mod/messages/pages/messages/sent.php
+++ b/mod/messages/pages/messages/sent.php
@@ -8,8 +8,13 @@
gatekeeper();
$page_owner = elgg_get_page_owner_entity();
-if (!$page_owner) {
- register_error(elgg_echo());
+
+if (!$page_owner || !$page_owner->canEdit()) {
+ $guid = 0;
+ if($page_owner){
+ $guid = $page_owner->getGUID();
+ }
+ register_error(elgg_echo("pageownerunavailable", array($guid)));
forward();
}