Privacy
Wirechat uses your application user model to decide who can open the chat area, who can start conversations, who can create groups, and who can send private messages to another user.
Application-level privacy rules cover blocking, friends-only messaging, marketplace buyer/seller access, and group creation.
These methods belong on the same application user model that implements WirechatUser and uses InteractsWithWirechat, usually app/Models/User.php in a Laravel app.
Access Layers
Wirechat checks privacy at several points:
canAccessWirechatPanel(Panel $panel)controls whether a user can enter a panel.canCreateChats()controls whether a user can start private chats from Wirechat.canCreateGroups()controls whether a user can create groups from Wirechat.canSendMessageTo(Model $recipient)controls whether one user may message another user.belongsToConversation()is used to keep normal conversation access limited to participants.
For the full user model reference, see Users.
Starting Private Chats
When a user starts a private chat from the New Chat modal, Wirechat checks whether the user can create chats and whether they can message the selected recipient.
Define both methods on your application user model, usually app/Models/User.php:
namespace App\Models;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Wirechat\Wirechat\Contracts\WirechatUser;
use Wirechat\Wirechat\Traits\InteractsWithWirechat;
class User extends Authenticatable implements WirechatUser
{
use InteractsWithWirechat;
public function canCreateChats(): bool
{
return $this->hasVerifiedEmail();
}
public function canSendMessageTo(Model $recipient): bool
{
return ! $this->hasBlocked($recipient)
&& ! $recipient->hasBlocked($this);
}
}
When either rule rejects the action, Wirechat blocks private chat creation, message requests, and private message sending with a 403 response.
Sending Private Messages
Wirechat checks canSendMessageTo() again when a private message is sent, so the rule still applies after the conversation already exists.
For example, if a user blocks another user after a conversation was created, the next private message can still be rejected:
use Illuminate\Database\Eloquent\Model;
public function canSendMessageTo(Model $recipient): bool
{
if ($this->blockedUsers()->whereKey($recipient->getKey())->exists()) {
return false;
}
if ($recipient->blockedUsers()->whereKey($this->getKey())->exists()) {
return false;
}
return true;
}
Conversation contexts follow the same private messaging rules. The context controls what the chat is about; canSendMessageTo() still controls whether the users may message each other.
Conversation Membership
Normal conversation routes are protected so users can only open conversations they belong to.
$user->belongsToConversation($conversation);
The default chat routes apply this protection automatically. If you embed chat components on your own routes, apply the same conversation access rule through your route middleware or controller before rendering the chat.
Message requests have a review flow where the recipient can open the pending request before they become a participant. See Message Requests for that flow.
Groups
Group creation permission belongs on your authenticated application user model, usually app/Models/User.php:
namespace App\Models;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Wirechat\Wirechat\Contracts\WirechatUser;
use Wirechat\Wirechat\Traits\InteractsWithWirechat;
class User extends Authenticatable implements WirechatUser
{
use InteractsWithWirechat;
public function canCreateGroups(): bool
{
return $this->subscription?->active === true;
}
}
Group messages are controlled by group membership and group permissions because there is no single private recipient. A user must be an active participant before sending messages in a group.
Group privacy settings also control whether a user can be added through Wirechat group add flows. See Settings for user-facing group privacy settings.
Direct Application Calls
Prefer Wirechat's user methods when your app starts conversations or sends messages from custom code:
$conversation = $auth->createConversationWith($recipient);
$message = $auth->sendMessageTo($conversation, 'Hello');
These methods keep the same participant and recipient checks in one place. If your application writes messages or participants directly, apply the same privacy rules before doing so.