Messages external function doesn't return the profile user image due to incorrect permissions check

Enable messaging in the site Create a couple of users accounts, user1 and user2 with the same firstname. Upload a profile image for those accounts. Enable "Mobile services": Plugins ► Web Services ► External services Create a Token for the Mobile app service (for user1): Click on Site administration ► Plugins ► Web services ► Manage tokens Next, you can do a CURL REST call simulating a WS client: Replace searchtext with the first name of user2 You also need to replace the wstoken and the URL of your moodle instance curl 'http://localhost/m/stable_master/webservice/rest/server.php?moodlewsrestformat=json' -H 'Pragma: no-cache' -H 'Origin: file://' -H 'Accept-Encoding: gzip,deflate,sdch' -H 'Accept-Language: es,en;q=0.8,de-DE;q=0.6,de;q=0.4,nb;q=0.2' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1798.0 Safari/537.36' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' --data 'searchtext=test&onlymycourses=0&wsfunction=core_message_search_contacts?wstoken=1b9b8bd8d01acbf452c2bd77ca0d2925' --compressed Confirm that: The command returns a list of users matching the name you used for searching (except the current user), for checking if the returned profile image URL works you must copy the url in a new browser tab appending: &token=YOUR_TOKEN Note that is you are testing just with a couple of users, the search will return only one user because the user doing the search is excluded from the results