Hi,
After checking Laravel Messenger examples here, I checked my routes and noticed an issue.
It works like this: I use Breeze, and my Dashboard header (aka my resources\views\layouts\navigation.blade.php) includes a 'Messages' link towards Messages index (see Routes below).

Issue: After log in, a user can display any thread it's NOT participating in, by typing myLaravelProject/messages/5 for example, even if it is not a 'Participant' of the thread having id = 5.

Note: I installed Breeze using Laravel docs (https://laravel.com/docs/9.x/starter-kits#laravel-breeze) and Laravel Messenger using ReadMe (https://github.com/cmgmyr/laravel-messenger#installation-laravel-5x).
Laravel version: 8.83.4

I must say it doesn't help that the default install gives us demo files which are different than the examples here.
#feelsbadman

Thanks
Stawn

Routes:
Route::group(['middleware' => 'auth', 'prefix' => 'messages', 'as' => 'messages'], function () { Route::get('/', [MessagesController::class, 'index']); Route::get('create', [MessagesController::class, 'create'])->name('.create'); Route::post('/', [MessagesController::class, 'store'])->name('.store'); Route::get('{thread}', [MessagesController::class, 'show'])->name('.show'); Route::put('{thread}', [MessagesController::class, 'update'])->name('.update'); Route::delete('{thread}', [MessagesController::class, 'destroy'])->name('.destroy'); });

MessagesController looks like:

namespace App\Http\Controllers;use Carbon\Carbon;use App\Models\User;use Illuminate\Http\Request;use Cmgmyr\Messenger\Models\Thread;use Cmgmyr\Messenger\Models\Message;use Illuminate\Support\Facades\Auth;use Illuminate\Support\Facades\Session;use Cmgmyr\Messenger\Models\Participant;use Illuminate\Database\Eloquent\ModelNotFoundException;class MessagesController extends Controller{    /**     * Show all of the message threads to the user.     *     * @return mixed     */    public function index()    {        $threads = Thread::forUser(Auth::id())            ->withCount('messages')            ->latest()            ->get()            ->reject(function ($value) {                return $value->messages_count == 1 && $value->creator() == Auth::user();            });        return view('messenger.index', compact('threads'));    }    /**     * Shows a message thread.     *     * @param $id     * @return mixed     */    public function show(Thread $thread)    {        $thread->markAsRead(Auth::id());        return view('messenger.show', compact('thread'));    } (...)}```