Right now the API checks for staff status only, it should check the can_view_pm method instead
Bug watches keep track of this bug in other bug trackers.