citadel still lets a logged in user read messages belonging to any other user.
test:
login as yourself, and try MSG4 with arbitrary message-numbers.
I think Art proposed a fix which would be to cause the MSG* functions to make sure that the requested message was in the current room