Index: openacs-4/packages/chat/tcl/chat-ajax-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/chat/tcl/chat-ajax-procs.tcl,v
diff -u -r1.23.2.3 -r1.23.2.4
--- openacs-4/packages/chat/tcl/chat-ajax-procs.tcl 2 Mar 2019 17:51:10 -0000 1.23.2.3
+++ openacs-4/packages/chat/tcl/chat-ajax-procs.tcl 27 Mar 2019 17:27:36 -0000 1.23.2.4
@@ -68,6 +68,8 @@
 }
 
 Chat instproc init {} {
+ # Check read permissions
+ permission::require_permission -object_id ${:chat_id} -privilege "chat_read"
 set ban_p [permission::permission_p -object_id ${:chat_id} -privilege "chat_ban"]
 if {$ban_p} {
 ad_return_forbidden
@@ -98,6 +100,15 @@
 if {![::xo::db::Class exists_in_db -id ${:chat_id}]} {
 return
 }
+
+ set uid [expr {$uid ne "" ? $uid : ${:user_id}}]
+
+ # Check write permissions
+ permission::require_permission \
+ -party_id $uid \
+ -object_id ${:chat_id} \
+ -privilege "chat_write"
+
 set r [::xo::db::Class get_instance_from_db -id ${:chat_id}]
 
 # ignore empty messages
@@ -109,7 +120,6 @@
 # This way messages can be persisted immediately every time a
 # message is sent
 if {[:current_message_valid]} {
- set uid [expr {$uid ne "" ? $uid : ${:user_id}}]
 $r post_message -msg $msg -creation_user $uid
 }
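Review bot: The new `chat_read` check in `init` denies through `permission::require_permission`, whose failure path (as far as I recall, a login redirect or an HTML permission-denied page) differs from the bare `ad_return_forbidden` that the `chat_ban` branch two lines below uses, so an AJAX client can receive two different shapes of denial from the same method. Mirroring the ban branch, `if {![permission::permission_p -object_id ${:chat_id} -privilege "chat_read"]} { ad_return_forbidden }` (followed by whatever abort the ban branch already performs), keeps both denials consistent for the caller. Note also that with no `-party_id` the read check applies to the connection user, while the write check added in the next hunk applies to `$uid`; a one-line comment stating that this is intentional would help the next reader. `init`'s body continues past the hunk.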
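Review bot: The `chat_write` check is evaluated for `$uid`, which is the caller-supplied `uid` when non-empty and only falls back to `${:user_id}`, so the connected user's own `chat_write` permission is never verified on this path; the check is only as strong as the trust placed in whoever supplies `uid`. If `uid` can originate from the request rather than from server-side code (the method's signature is outside the hunk, so I cannot tell), consider requiring the privilege for `${:user_id}` as well when `$uid ne ${:user_id}`, e.g. `if {$uid ne ${:user_id}} { permission::require_permission -party_id ${:user_id} -object_id ${:chat_id} -privilege "chat_write" }`, or document that the override is reserved for trusted callers in the comment: `# Check write permissions (uid may be overridden only by trusted server-side callers)`. Moving `set uid` ahead of `current_message_valid` (third hunk) is fine, since the permission check now needs it before the message is inspected.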