People shouldn't receive Comment Notifications for Things they can't Read
Summary: This is now a P0 security leak, so needs to be dealt with ASAP.
From Eric:
I created a Role (Developer) and Model (Design Page) and set the following permissions:
Design Page - Who Can Read: Custom (Developer)
Design Page Instances - Who Can Read: Custom (Developer)
Design Page Instances - Who Can Edit: Custom (Developer)
Everything else: Inherit
I didn't bother setting Comment permissions because I assumed that with no Read privs, Comment permissions would be irrelevant. But Dylan got notifications on the comments, and could read them on the Notifications page, despite not having permissions to Read the Thing itself.
I've since locked down virtually all permissions there to Developer in strong hopes that that will fix this - I would really prefer not to dangle tantalizing hints of pages they're not allowed to see in front of all my testers - so the behavior hopefully won't be visible there anymore, but reproducing it hopefully won't be hard. (If it doesn't repro easily, Design Page is a sub-model (of Root Model) which sometimes affects things I don't expect it to.)
This needs investigation, but my hypothesis is that we aren't checking Who Can Read when generating the notifications. We should certainly be checking Who Can Read Comments (it's a clear bug if not). Arguably that's the only permission that applies here, but Eric's expectation is a reasonable one, that if I can't read the Thing, I shouldn't be notified about Comments on it. So that should probably be tweaked.
LATER: Eric checked, and it looks like we aren't checking Who Can Read Comments either. That is clearly badly broken, so let's fix both of these problems at the same time.
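The check the report asks for, as an added illustration that is not the project's own code: comment-notification recipients are filtered by the same permissions that gate reading the Thing and reading its Comments, with unset permissions inheriting from the parent model as in the report's "Everything else: Inherit". The permission names, the inheritance rule, the public default at the root, and the Eric/Dylan sample data are all assumptions constructed for the example; it also shows why checking Who Can Read Comments alone is not enough when that permission inherits an open default.

```python
"""Added example (not the project's own code): deciding who is notified
about a new Comment by applying the permission checks that gate reading
the Thing and reading its Comments.  Permission names, the inheritance
rule, the root default and the sample data are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

INHERIT = None      # permission not set on this model: defer to the parent
PUBLIC = "public"   # assumed root default: anyone may read / read comments


@dataclass
class Model:
    name: str
    parent: Optional["Model"] = None
    # permission name -> set of role names allowed, or INHERIT (unset)
    perms: dict = field(default_factory=dict)

    def allowed_roles(self, perm: str) -> set:
        """Walk up the model chain until some model sets this permission."""
        m = self
        while m is not None:
            roles = m.perms.get(perm, INHERIT)
            if roles is not INHERIT:
                return roles
            m = m.parent
        return {PUBLIC}   # nothing set anywhere: assumed open default


@dataclass
class Thing:
    name: str
    model: Model


@dataclass
class User:
    name: str
    roles: set


def can(user: User, thing: Thing, perm: str) -> bool:
    """True if the user holds a role granted `perm` on the Thing's model chain."""
    allowed = thing.model.allowed_roles(perm)
    return PUBLIC in allowed or bool(user.roles & allowed)


def recipients(thing: Thing, members: list, required: tuple) -> list:
    """Members who hold every permission in `required` on `thing`.
    An empty `required` reproduces the reported behaviour: everyone is notified."""
    return [u.name for u in members if all(can(u, thing, p) for p in required)]


def comment_notification_recipients(thing: Thing, members: list) -> list:
    """The fix the report settles on: require Who Can Read AND Who Can Read Comments."""
    return recipients(thing, members, ("read", "read_comments"))


# Constructed sample data mirroring the report: Read is limited to the
# Developer role, comment permissions are left to inherit from the root.
ROOT = Model("Root Model", perms={"read": {PUBLIC}, "read_comments": {PUBLIC}})
DESIGN_PAGE = Model("Design Page", parent=ROOT, perms={"read": {"Developer"}})
PAGE = Thing("Design Page #1", DESIGN_PAGE)
ERIC = User("Eric", {"Developer"})
DYLAN = User("Dylan", {"Tester"})
MEMBERS = [ERIC, DYLAN]

if __name__ == "__main__":
    print("no check:        ", recipients(PAGE, MEMBERS, ()))
    print("comments only:   ", recipients(PAGE, MEMBERS, ("read_comments",)))
    print("read + comments: ", comment_notification_recipients(PAGE, MEMBERS))
```

With the sample data, no check and the comments-only check both notify Dylan, because Who Can Read Comments was never set on Design Page and inherits the open root default; only the combined check limits the recipients to Eric. Since the report says the comments were also readable on the Notifications page, the same predicate belongs at display time as well, not only when the notification is generated.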