From 85e838415111664e6575ea5e51583b4c949cd469 Mon Sep 17 00:00:00 2001
From: Will Rossiter
Date: Fri, 28 Jul 2017 17:12:01 +1200
Subject: [PATCH] If user cannot view record then prevent comment
---
 src/Extensions/CommentsExtension.php | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/Extensions/CommentsExtension.php b/src/Extensions/CommentsExtension.php
index 0c7a9b9..8463efe 100644
--- a/src/Extensions/CommentsExtension.php
+++ b/src/Extensions/CommentsExtension.php
@@ -363,6 +363,11 @@ class CommentsExtension extends DataExtension
 if (!$this->owner->CommentsEnabled) {
 return false;
 }
+
+ if (!$this->owner->canView($member)) {
+ // deny if current user cannot view the underlying record.
+ return false;
+ }
 
 // Check if member is required
 $requireLogin = $this->owner->CommentsRequireLogin;
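Review bot: The new guard passes `$member` to `canView()` before anything visible in the hunk resolves it, so when a caller passes null the decision depends on how each owner's `canView()` treats a null member. The enclosing method starts and ends outside the hunk, so `$member` may already be normalised above; if it is not, resolve it to the logged-in member before this check so the deny decision does not vary between record types. The inline comment says "current user" while the code tests `$member`; `// Deny when $member cannot view the underlying record, so hidden records do not accept comments.` would match what is checked. The diffstat lists only this file, so a regression test asserting that the method returns false for a member who fails `canView()` would pin this access-control fix.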