Diffstat (limited to 'mod/messages/start.php')
| -rw-r--r-- | mod/messages/start.php | 30 | 
1 files changed, 14 insertions, 16 deletions
|
diff --git a/mod/messages/start.php b/mod/messages/start.php
index 95ebffbdb..5503a675a 100644
--- a/mod/messages/start.php
+++ b/mod/messages/start.php
@@ -74,32 +74,30 @@ function messages_init() {
  */
 function messages_page_handler($page) {
+	$current_user = elgg_get_logged_in_user_entity();
+	if (!$current_user) {
+		register_error(elgg_echo('noaccess'));
+		$_SESSION['last_forward_from'] = current_page_url();
+		forward('');
+	}
+
 	elgg_load_library('elgg:messages');
-	elgg_push_breadcrumb(elgg_echo('messages'), 'messages/inbox/' . elgg_get_logged_in_user_entity()->username);
+	elgg_push_breadcrumb(elgg_echo('messages'), 'messages/inbox/' . $current_user->username);
 	if (!isset($page[0])) {
 		$page[0] = 'inbox';
 	}
-	// supporting the old inbox url /messages/<username>
-	$user = get_user_by_username($page[0]);
-	if ($user) {
-		// Need to make sure that the username of the parameter is actually
-		// the username of the logged in user. This will prevent strange 
-		// errors like grabbing the 'read' parameter and looking up
-		// a user with username 'read' and finding it and redirecting
-		// to that other person's inbox. 
-
-		if ($user->username == elgg_get_logged_in_user_entity()->username) {
-			// OK, so it is our username and not someone else's
-			$page[1] = $page[0];
-			$page[0] = 'inbox';
-		}
+	// Support the old inbox url /messages/<username>, but only if it matches the logged in user.
+	// Otherwise having a username like "read" on the system could confuse this function.
+	if ($current_user->username === $page[0]) {
+		$page[1] = $page[0];
+		$page[0] = 'inbox';
 	}
 	if (!isset($page[1])) {
-		$page[1] = elgg_get_logged_in_user_entity()->username;
+		$page[1] = $current_user->username;
 	}
 	$base_dir = elgg_get_plugins_path() . 'messages/pages/messages';
|
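Review bot: The new login guard at the top of messages_page_handler() depends entirely on `forward('')` ending the request; nothing returns after it, and the very next statements read `$current_user->username`. If forward() can ever return (its definition is not on this page, so this is an assumption to confirm, for example when a plugin hook cancels the redirect), an anonymous request continues into the handler with a null user. An explicit `return;` right after `forward('');`, carrying whatever value this handler normally returns (the end of the function is outside the hunk), would make the guard self-contained. Separately, the legacy-URL branch only rewrites `$page[0]`; a `$page[1]` supplied in the URL is still passed through unchanged, so the page included from `$base_dir` has to verify for itself that the named user is the logged-in user.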
