_notify() requires better security

(Bug, Closed -> Duplicate, Priority: Critical, Test Status: No automated tests yet , Reported By Justin du Coeur, )

Summary: As currently constructed, anybody who can write QL can send notifications, which is deeply Not Okay.

The crude, quick-and-dirty solution would be to add a Can Send Notifications permission. I don't entirely love that, but it would cut this problem right off at the pass, and would be pretty easy to implement.

That said, it's still subject to social-engineering attacks where a bad actor sets up a _notify() and then convinces an authorized user to click on it. So the ideal solution would involve only allowing authorized users to write this in QL in the first place. That's not plausible until we have a compiler, but is well worth considering at that point.