diff --git a/administrator/components/com_messages/models/message.php b/administrator/components/com_messages/models/message.php
index e0fad991fac07..823a4043d1858 100644
--- a/administrator/components/com_messages/models/message.php
+++ b/administrator/components/com_messages/models/message.php
@@ -322,6 +322,17 @@ public function save($data)
 return false;
 }
+ // Load the user details (already valid from table check).
+ $toUser = \JUser::getInstance($table->user_id_to);
+
+ // Check if recipient can access com_messages.
+ if (!$toUser->authorise('core.login.admin') || !$toUser->authorise('core.manage', 'com_messages'))
+ {
+ $this->setError(\JText::_('COM_MESSAGES_ERROR_RECIPIENT_NOT_AUTHORISED'));
+
+ return false;
+ }
+
 // Load the recipient user configuration.
 $model = JModelLegacy::getInstance('Config', 'MessagesModel', array('ignore_request' => true));
 $model->setState('user.id', $table->user_id_to);
@@ -351,9 +362,7 @@ public function save($data)
 if ($config->get('mail_on_new', true))
 {
- // Load the user details (already valid from table check).
 $fromUser = JUser::getInstance($table->user_id_from);
- $toUser = JUser::getInstance($table->user_id_to);
 $debug = JFactory::getConfig()->get('debug_lang');
 $default_language = JComponentHelper::getParams('com_languages')->get('administrator');
 $lang = JLanguage::getInstance($toUser->getParam('admin_language', $default_language), $debug);
diff --git a/administrator/language/en-GB/en-GB.com_messages.ini b/administrator/language/en-GB/en-GB.com_messages.ini
index 790445f5c5af7..954c6c7f9c7a8 100644
--- a/administrator/language/en-GB/en-GB.com_messages.ini
+++ b/administrator/language/en-GB/en-GB.com_messages.ini
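Review bot: The new block writes `\JUser::getInstance(...)` and `\JText::_(...)` with a leading backslash while the neighbouring lines of save() use bare class names (`JModelLegacy::getInstance(...)` in this hunk, `$fromUser = JUser::getInstance(...)` in the second hunk); pick one form, e.g. `$toUser = JUser::getInstance($table->user_id_to);` and `$this->setError(JText::_('COM_MESSAGES_ERROR_RECIPIENT_NOT_AUTHORISED'));`. The comment `// Check if recipient can access com_messages.` would help more if it stated the reason the send is refused, e.g. `// Refuse recipients who could never read the message: they need backend login and com_messages access.` The two authorise() calls presumably test ACL permissions only, so a blocked recipient who still holds those permissions would pass this guard unless $table->check() already rejects it — worth confirming rather than relying on the "already valid from table check" comment. save() begins and ends outside both hunks.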
@@ -18,6 +18,7 @@ COM_MESSAGES_ERROR_INVALID_TO_USER="Invalid recipient"
 COM_MESSAGES_ERROR_MISSING_ROOT_ASSET_GROUPS="Missing root asset groups to send notification."
 COM_MESSAGES_ERROR_NO_GROUPS_SET_AS_SUPER_USER="There are no groups set with super user permissions."
 COM_MESSAGES_ERROR_NO_USERS_SET_AS_SUPER_USER="There are no users set with super user permissions."
+COM_MESSAGES_ERROR_RECIPIENT_NOT_AUTHORISED="Recipient is not authorised to receive messages."
 COM_MESSAGES_FIELD_AUTO_PURGE_DESC="Automatically delete private messages after the given number of days."
 COM_MESSAGES_FIELD_AUTO_PURGE_LABEL="Auto-delete Messages (days)"
 COM_MESSAGES_FIELD_DATE_TIME_LABEL="Posted"