If you use the default Drupal contact form together with the Contact Storage module and want some users to be able to view messages but not delete them, you will need to patch the Contact Storage module.
I came across this issue when using JSON:API with authentication. At first I thought this was a gaping hole, but with more testing I worked out that, for it to be an issue, the user needed to have the admin permission for contact forms and JSON:API had to be set to "Accept all JSON:API create, read, update, and delete operations", which would be an insecure setup.
That said, the only way to give a user GET access to the messages is to give them the contact forms admin permission, which is all-or-nothing. So if you want to give more granular permission to Contact Storage data, you will need to patch the module, and luckily there is already work being done on this.
At the time of writing, I have only used the first patch, but there is also another patch that adds per-form permissions, which might be useful.
The patch I have tested adds separate permissions for message access, in the same way normal content entities have them. However, there is no way to publish a message to make it public, so it is a blanket-style permission, which works: if a role has permission to read messages, it can read all of the messages. The permissions that are added can be seen in the image below, and the issue thread and patch can be found on Drupal.org.
[Image: Add Contact Storage Permissions]
The issue is titled "Revisit permissions required to view contact messages", and it states exactly what I discovered. I have found that the patch at #56 applies nicely. Applying a patch is easy; I have a quick guide on using the Linux patch command, so if you are unsure how to apply a patch, I suggest you check that article out.
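The patch step above, as an added example that is not code from this article or from the Contact Storage project: a POSIX shell function that applies a Drupal.org patch to a contrib module's directory only after the patch file's SHA-256 matches a hash you recorded when you reviewed the patch, and only after a `patch --dry-run` shows that every hunk applies. The module directory, patch file name, hash and the permission names in the constructed fixture are placeholders, not the contents of the real patch; the fixture exists only so that the script runs offline.

```shell
#!/bin/sh
# Added example (not code from the article or from the Contact Storage project):
# apply a reviewed Drupal.org patch to a contrib module only after the patch's
# SHA-256 matches the hash recorded at review time, and only after a dry run
# shows every hunk applies cleanly. Module path, patch file name and the
# permission names in the fixture are placeholders, not the real patch's content.

# apply_module_patch MODULE_DIR PATCH_FILE EXPECTED_SHA256
# Exit codes: 0 applied, 1 checksum mismatch, 2 dry run failed (wrong module
# version, or the patch is already applied), 3 real run failed.
apply_module_patch() {
  module_dir=$1
  patch_file=$2
  expected_sha=$3

  # 1. Integrity: a patch fetched from an issue queue can change between the
  #    time you reviewed it and the time a build script downloads it again.
  actual_sha=$(sha256sum "$patch_file" | cut -d' ' -f1)
  if [ "$actual_sha" != "$expected_sha" ]; then
    echo "refusing $patch_file: sha256 $actual_sha != $expected_sha" >&2
    return 1
  fi

  # 2. Dry run. -p1 strips the a/ and b/ prefixes Drupal.org patches carry,
  #    -N refuses to re-apply hunks that are already present, -d runs inside
  #    the module directory. The patch is fed on stdin so that its path is
  #    resolved by the shell before patch changes directory.
  if ! patch -p1 -N -d "$module_dir" --dry-run < "$patch_file" >/dev/null; then
    echo "dry run failed for $patch_file in $module_dir" >&2
    return 2
  fi

  # 3. Only now touch the module; nothing is half-applied if step 2 rejected it.
  patch -p1 -N -d "$module_dir" < "$patch_file" >/dev/null || return 3
  return 0
}

# Constructed fixture: a stand-in module with one permissions file and a small
# unified diff that adds a placeholder permission to it. Prints the directory.
make_demo_fixture() {
  demo=$(mktemp -d)
  mkdir "$demo/contact_storage"
  printf '%s\n' 'administer contact forms:' "  title: 'Administer contact forms'" \
    > "$demo/contact_storage/contact_storage.permissions.yml"
  cat > "$demo/example.patch" <<'EOF'
--- a/contact_storage.permissions.yml
+++ b/contact_storage.permissions.yml
@@ -1,2 +1,4 @@
 administer contact forms:
   title: 'Administer contact forms'
+view contact messages (placeholder):
+  title: 'View contact messages (placeholder)'
EOF
  echo "$demo"
}

# Stand-alone run: apply once (succeeds), then try again (dry run refuses).
demo=$(make_demo_fixture)
sha=$(sha256sum "$demo/example.patch" | cut -d' ' -f1)
apply_module_patch "$demo/contact_storage" "$demo/example.patch" "$sha" \
  && echo "patched: $(grep -c placeholder "$demo/contact_storage/contact_storage.permissions.yml") new lines"
apply_module_patch "$demo/contact_storage" "$demo/example.patch" "$sha" \
  || echo "second attempt refused with status $?"
rm -rf "$demo"
```

Two things worth knowing when you use this for real. A hand-patched file under the contrib modules directory is replaced the next time the module is updated with Composer, so the extra permissions silently disappear; recording the patch in composer.json with cweagans/composer-patches re-applies it on every install. And keep the dry run even in automation: a patch written against one module release can apply with fuzz, or not at all, against the next one, and a half-applied access patch is worse than an unpatched module.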
Once the patch is applied, you can grant more granular permissions, so that a role and its users get only the access they need.
So that's it: our messages are now protected. You can grant a role read access only, or read and update, while stopping that role from deleting messages. I think this is a much-needed feature and look forward to it being added to a stable release. I will look at the other patch in time, but to be honest I don't think it is necessary for my use case at present.
Thanks for reading. Be sure to sign up for the newsletter if Drupal tips and front-end development and design are of interest to you. Until next time, seize the day!