The Question and Answer Board

[Bob Zumbrunnen]

Nevermind my PM to you. I figured out how it's happening.

I sure would've appreciated that revelation a little bit differently, though. As worded, it looks like you can read anyone's PM's at your discretion. Not the case.

Everyone, what was apparently happening was this:

1. User A receives a PM from User B.

2. User A clicks the "Private Reply" link and gets redirected to a reply screen.

3. The reply screen contains a couple of parameters in the URL: the UserID of the person to whom they're replying, and the number of the message to which they're replying.

4. User A, for reasons that completely escape me, changes the UserID part of the URL to the UserID of some other user (User C) and hits Enter.

5. User A types in their reply to User C, then Submits the post.

6. User C reads the PM and in the "In Reply To:" box sees the PM written by User B.

So it's not that people can pull up PM's written by others. It's that recipients of PM's can, with minor trickery, show the PM to someone else.

"Could" rather than "Can", actually. I just fixed it. Extra overhead, that I resent having to spend, but now when you're replying to a PM, the system checks to make sure you're really replying to the PM's author.

This might suggest to people that it was also possible to change the message number part of the URL and resubmit it, viewing someone else's PM, but that's not the case. When that's attempted, the system redirects you to your mailbox.

Also, it never was possible to "follow the chain" back any further than the message that was being redirected in reply. In other words, clicking the "Go To This Message" link wouldn't take you to that PM so you could see what it was replying to.