How Private Are Private Messages


Can the owner of a forum read private messages among all users, by reading the database directly, bypassing xenforo front end and xenforo security?


Anyone with database access should be able to read private messages since the data is stored there.

You'll need an addon for a UI via xenForo.

There are also some addons I believe that flag private messages with specific keywords and prints them out for staff.


Take a look at the wording here in the platform: private messages / PM are called "conversation" consequently. That points into the right meaning of their overall function.

The platform I'm administrating moved from vbulletin to XenForo 1.5 years ago and besides the clear wording difference we also encountered another XenForo specific concept for conversations which you might want to know early enough...

Beginning a conversation, a person can define if it is allowed to add more participants by every participant any time during the conversation. Additionally, being a "conversation moderator" you may have this "add participant" right even in conversations you aren't the starter and the starter didn't allow initially.

The specialty:
Every participant being added somewhere later during the conversation instantly gets access to the complete conversation thread right back to the beginning of it.

Our outcome:
For us, this behavior was really special and we thoroughly discussed the possible effects reducing the "private" character of a message (that time, being vbulletin users, still calling and "feeling" it being a PM).
In the end we actively decided to keep the original "conversation" wording also in our main platform language (de-de) and not to try to keep calling it a PM for user convenience and "wording backward compatibility".
As effect, there were several user questions and discussions to be supported why the h... private message needed to be renamed to conversation but that didn't take too long. Now, the positive effect of everybody being able to realize that a conversation isn't worded or defined "private" because in the end there are several technical possibilities to break the privacy weighs up our initial support effort.

Or the counterpart:
