Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Limiting sending private messages (I only want certain roles to be able to send them)?

Is it possible to limit access to sending private messages to certain roles only?

I only want this option to be allowed for members who have a certain role. It is not an option in the role configuration dashboard, but hopefully there is a way to achieve this.


  • Options

    it would be tricky - because if someone sends a message to the inbox to someone without permission to read inbox - what do you do!(rhetorical question).
    probably a mod to core or possibly a plugin (not by me).

    I may not provide the completed solution you might desire, but I do try to provide honest suggestions to help you solve your issue.

  • Options

    It is purely meant for sending. So, that would make it a bit easier.

  • Options
    businessdadbusinessdad Stealth contributor MVP

    @martz said:
    It is purely meant for sending. So, that would make it a bit easier.

    I think it could be done with a plugin, without having to touch the Core. Basically, this is what the plugin should do:

    • Register a new permission, e.g. CanStartNewConversation.
    • Hide the "Start a New Conversation" button. Implement a view newconversation.php. It should be a copy of /applications/conversations/views/modules/newconversation.php, with an extra check at the beginning. In pseudocode, the check would be the following if(User is not allowed to start a new Conversation) { display nothing }. That would prevent the "Start a New Conversation" button from displaying.

    Now that the button is hidden, normal Users would not be able to click on it. However, they would still be able to access the New Discussion page by typing its URL. To prevent this, plugin should intercept the Add() action, but this requires a little trick.

    When a User clicks on "Start a New Conversation", "MessageController::Add()" is executed. Such method doesn't check permissions, nor does it call event handlers. Therefore, the plugin must prevent such method from running, unless User has proper permissions.

    How to do it

    • Plugin must implement a new method, which we can call MessagesController_NewConversation_Create(). This method will perform the usual check, i.e. Is User allowed to start a new Conversation? and, if it passes, it will call MessageController::Add().
    • Last step would be redirecting every call to /messages/add to /messages/newconversation. This can be done by using Vanilla's Route. In plugin's Setup() method, add the following route:
      Route: ^messages/add(/.*)?$
      Destination: /messages/newconversation$1

    Now, every time a User will open /messages/add, he will be routed to /messages/newconversation, which will execute the code in the plugin and display an error in case of lack of permissions.


    • The above is an example to illustrate the base logic, but it might be incomplete. I used a similar approach in other plugins I developed and it works well, just make sure you test the plugin thoroughly.
    • Always remember to implement a Plugin::OnDisable() method to remove the route added to "hijack" the Start a New Conversation process. Failing to do so, when the plugin is disabled, any attempt to start a new conversation would result in a Page not found error. Clean up after yourself is in the top ten of best practices.
    • User A might not be allowed to Send messages, but he should be allowed to Reply to any message he received. The logic illustrated above would allow this, as the method that deals with replying to a message is MessagesController::AssMessage(), which is not altered.
  • Options
    vrijvlindervrijvlinder Papillon-Sauvage MVP
    edited March 2013

    @businessdad said: MessagesController::AssMessage()

    lol freudian slip?

  • Options
    martzmartz New
    edited March 2013

    @businessdad Thanks! In this case, just hiding the button would be enough. On my forum I'm setting up a new role, in between guest and member. In that role you'll have limited functionality until you have proven yourself worthy. Normally you would only remain in that role for a few days.

    @Lincoln - would it not be a nice addition to the core? More fine grained permissions are a must have for larger forums.

  • Options
    businessdadbusinessdad Stealth contributor MVP

    @vrijvlinder said:
    lol freudian slip?

    LOOOOL! I would say more of a sleepy-slip, it was very late when I wrote the post. :)

Sign In or Register to comment.