From 7cd05c6af62982ad44b814fa8a2867406d048226 Mon Sep 17 00:00:00 2001
From: John Burwell <john@b-wells.us>
Date: Tue, 2 May 2023 13:38:00 -0500
Subject: [PATCH] prohibit reading others' private messages

---
 rsbbs/plugins/read/plugin.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/rsbbs/plugins/read/plugin.py b/rsbbs/plugins/read/plugin.py
index 33f3062..28a1f9a 100644
--- a/rsbbs/plugins/read/plugin.py
+++ b/rsbbs/plugins/read/plugin.py
@@ -43,7 +43,13 @@ class Plugin():
         with self.api.controller.session() as session:
             try:
                 statement = sqlalchemy.select(Message).where(
-                    Message.id == number)
+                    sqlalchemy.or_(
+                        sqlalchemy.and_(
+                            Message.id == number,
+                            Message.recipient == self.api.user.callsign),
+                        sqlalchemy.and_(
+                            Message.id == number,
+                            sqlalchemy.not_(Message.is_private))))
                 result = session.execute(statement).one()
                 self.api.print_message(result)
                 logging.info(f"read message")