Actually, it strikes me that being able to view a message history including an name and photo for a user who's details you aren't allowed to view shouldn't happen. moodle/user:viewdetails should take care of this as it does on user/index.php. I've attached a patch which addresses this, does anyone have any comments before I submit it to the tracker?
Roles and permissions
Preventing access to messaging system
This discussion has been locked so you can no longer reply to it.