diff --git a/src/Messages/MessagesRoutes.php b/src/Messages/MessagesRoutes.php
index fe345ca..334fd94 100644
--- a/src/Messages/MessagesRoutes.php
+++ b/src/Messages/MessagesRoutes.php
@@ -39,6 +39,10 @@ class MessagesRoutes extends RouteHandler {
 if(!$this->authInfo->isLoggedIn())
 return 401;
 
+ // do not allow access to PMs when impersonating in production mode
+ if(!MSZ_DEBUG && $this->authInfo->isImpersonating())
+ return 403;
+
 $globalPerms = $this->authInfo->getPerms('global');
 if(!$globalPerms->check(Perm::G_MESSAGES_VIEW))
 return 403;
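Review bot: The impersonation guard added after the login check is switched off whenever `MSZ_DEBUG` is truthy, so a host accidentally left in debug mode would let an impersonating account through to private messages again, and nothing in the hunk records that it happened. If the exemption exists only for local testing, the comment should say so, e.g. `// impersonators must never read PMs; the MSZ_DEBUG exemption is for local development only`. Otherwise the condition could be reduced to `if($this->authInfo->isImpersonating())`. The enclosing method starts and ends outside the hunk, so it is worth confirming that this check runs for every route this handler registers, not just the one visible here.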