Currently we have methods like:
public boolean isUserXAbleToBeMessagedByUserY(String userX, String userY, boolean friend);
where the data is passed in. However, someone could fake the friend status, or even the userY value. This wouldn't happen in the tool, but it could be used by an external service.
This data should instead be looked up. It is all cached now so the performance aspect should be ok.
We should look at removing the userY if that would work; we need to audit and see if the userY is ever passed in as someone other than the current user. I'm not sure why that would happen though. If we can remove it, then we could do:
public boolean isUserAbleToBeMessagedByCurrentUser(String userUuid);
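
The difference between the two signatures, as an added example that is not code from the project: the first method trusts a caller-supplied friend flag and sender, the second takes the sender from the session and looks the relationship up. The class name, the in-memory FRIENDS and FRIENDS_ONLY data, the currentUser field and the "friends only" privacy rule are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

// Added illustration; everything except the two method names from the ticket is hypothetical.
public class MessagingPrivacyDemo {
    // Constructed sample data standing in for the cached lookups the ticket mentions.
    static final Map<String, Set<String>> FRIENDS = Map.of(
            "alice", Set.of("bob"),
            "bob", Set.of("alice"),
            "mallory", Set.<String>of());
    // Assumed privacy rule: these users accept messages from confirmed friends only.
    static final Set<String> FRIENDS_ONLY = Set.of("alice");

    // Stand-in for the authenticated session user (hypothetical; normally set by the container).
    static String currentUser;

    // Before: the caller asserts both the sender identity and the friend status.
    static boolean isUserXAbleToBeMessagedByUserY(String userX, String userY, boolean friend) {
        // userY and friend are never checked against anything the server knows.
        return !FRIENDS_ONLY.contains(userX) || friend;
    }

    // After: the sender comes from the session and the friend status is looked up.
    static boolean isUserAbleToBeMessagedByCurrentUser(String userUuid) {
        if (currentUser == null) {
            throw new SecurityException("no authenticated user");
        }
        boolean friend = FRIENDS.getOrDefault(userUuid, Set.<String>of()).contains(currentUser);
        return !FRIENDS_ONLY.contains(userUuid) || friend;
    }

    public static void main(String[] args) {
        currentUser = "mallory"; // not a friend of alice in the sample data
        // An external caller passes friend=true for a relationship that does not exist.
        System.out.println("old signature, caller-supplied flag: "
                + isUserXAbleToBeMessagedByUserY("alice", "mallory", true));
        // The same request when the relationship is looked up server-side.
        System.out.println("new signature, looked-up status:     "
                + isUserAbleToBeMessagedByCurrentUser("alice"));
        currentUser = "bob"; // a confirmed friend of alice in the sample data
        System.out.println("new signature, genuine friend:       "
                + isUserAbleToBeMessagedByCurrentUser("alice"));
    }
}
```

The audit mentioned above amounts to finding every call site of the old method and confirming that the userY argument always equals the session user; any call site where it does not needs its own review before the parameter is dropped.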