Pull Request for Issue #29542.
Adds permission check to mod_messages.
Create an account assigned to Manager user group.
Login to backend.
Click on "Private Messages" on top.
Either user is authorised to access the component or "Private Messages" isn't shown at all.
You don't have permission to access this. Please contact a website administrator if this is incorrect.
No.
Status | New | ⇒ | Pending |
Category | ⇒ | Modules Administration |
Not by default. But you can change permissions to allow access to com_messages.
Managers don't have access to com_messages by default.
I have tested this item
So, tested Patch via the sidebar left: Private messages, as missing PM icon.
Confirm Actual result of: #29548
@SharkyKZ I can confirm @Quy's finding: After I have given the "Manager" group the "Access Administration Interface" permission in com_message's options, I can see the menu item for messaging in the left menu, but I can't see the messaging icon in the top icon area.
And issue #29548 is not solved either, i.e. the manager can create a message but not select a recipient because the button for it is not shown, and the user field is not editable.
The permissions "Create", "Delete" and "Edit state" have value "Allowed (Inherited)". Changing that to "Allowed" doesn't change anything, neither does setting "Configure ACL & Options" to "Allowed".
I tested this patch and confirm that the default Manager permissions mean that a Manager does not see the Private Messages icon or the Users menu. Also a Super User does not see a Manager in the selection list to send a message to. I have changed the Help screen description to start:
The Private Messaging screen allows you to send messages to other Back-end Joomla! users who have permission to send and receive messages.
The New screen already says:
This screen lets you write and send private messages to others with the correct User Group permissions.
(Fuzzybot seems to be not running at the moment so it will take a while to appear in the live feed.)
My 2c is that a manager should have access to private messages. Especially now that workflows is using them.
Oops, there's a typo. Though I wonder why this worked for me anyways
Typo fixed. Please test again.
@brianteeman Agree.
I have tested this item
After the typo has been corrected, the PM icon is shown correctly depending on if the backend user has admin privilege ("Access Administration Interface") for the messaging component or not, consistent with the user menu item and its messaging submenu item in the left side menu.
That the user (of group manager in my test) can't select a recipient (issue #29548) seems not or not only to be related to the privileges and so is unrelated to this PR, I think.
Managers with access to com_messages can't send messages because they have no access to com_users.
They need to read their message
Yes, I understand now.
I can confirm it works well with this PR. If no user is there who has admin access to the messaging component, then no user is available in the user selection when the super user wants to send a message. If the manager has that access, the super user can send him a message. The manager can read messages but not send some if having admin access to com_messages but not to com_users.
So all works as intended.
@SharkyKZ So what shall we do with issue #29548? Close with explanation and ref to this PR?
Without changing who can see the user list, the quickest solution is to add com_users checks in com_messages so users without access to com_users don't even see new message button. This will continue to be somewhat confusing because some users with create permissions in com_messages can't create messages.
Let's see .. maybe you or someone has an idea after having slept one or two nights over it. But this PR here is fine.
Managers with access to com_messages can't send messages because they have no access to com_users.
Currently factually incorrect because of a bug - which I guess means it's a security issue, because right now a manager with access to com_message and no access to com_users can fake a request and send a message... see #29558
#29545 (comment) Without changing who can see the user list, the quickest solution is to add com_users checks in com_messages so users without access to com_users don't even see new message button.
Just hiding the new button is not going to stop a faked request being made. There needs to be valid ACL checking also on sending. See #29558
Of course, that was implied.
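To illustrate the point made in the exchange above (hiding the button is not an access control, so the send action needs its own ACL check), here is an added example that is not part of the thread or of Joomla's code. The `User` class, `canSendMessage()`, `toolbarButtons()` and `saveMessage()` are hypothetical, the grants are constructed sample data, and mapping "access to com_users" to the `core.manage` action is an assumption.

```php
<?php
// Added illustration; not Joomla code. All class and function names are hypothetical.

final class User
{
    /** @param array<string, string[]> $grants component => allowed actions (constructed sample data) */
    public function __construct(public string $name, private array $grants) {}

    public function authorise(string $action, string $component): bool
    {
        return in_array($action, $this->grants[$component] ?? [], true);
    }
}

/** One rule, shared by the view and the request handler. */
function canSendMessage(User $user): bool
{
    return $user->authorise('core.create', 'com_messages')
        && $user->authorise('core.manage', 'com_users'); // assumed meaning of "access to com_users"
}

/** UI layer: only decides whether the "New" button is rendered. */
function toolbarButtons(User $user): array
{
    return canSendMessage($user) ? ['new'] : [];
}

/** Request handler: repeats the check, because a request can arrive without the button being clicked. */
function saveMessage(User $sender, int $recipientId, string $body): string
{
    if (!canSendMessage($sender)) {
        return '403 not authorised';
    }
    return "200 message queued for user {$recipientId}";
}

// Manager with access to com_messages but not to com_users.
$manager = new User('manager', ['com_messages' => ['core.manage', 'core.create']]);
// Sender holding both sets of permissions.
$super = new User('super', [
    'com_messages' => ['core.manage', 'core.create'],
    'com_users'    => ['core.manage'],
]);

var_dump(toolbarButtons($manager));            // what the view renders for the manager
echo saveMessage($manager, 42, 'hi'), PHP_EOL; // same rule applied to a request sent without the button
echo saveMessage($super, 42, 'hi'), PHP_EOL;   // same rule applied to an authorised sender
```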
I have tested this item
Status | Pending | ⇒ | Ready to Commit |
RTC
Status | Ready to Commit | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-06-10 22:31:28 |
Closed_By | ⇒ | wilsonge | |
Thanks!
Are Managers allowed to send/receive Private Messages????
The Help screen states:
" other Back-end Joomla! users" would indicate that Manager levels should be able to send/receive messages right?