Added a check to see the RfC is visible to the user.

Author: arkirchner

app/policies/comment_policy.rb

@@ -4,22 +4,22 @@ class CommentPolicy < ApplicationPolicy
   REPORT_RECEIVER_CONFIGURED = CodeOcean::Config.new(:code_ocean).read.dig(:content_moderation, :report_emails).present?
 
   def create?
-    everyone
+    show?
   end
 
   def show?
-    everyone
+    Pundit.policy(@user, @record.request_for_comment).show? && everyone
   end
 
   %i[destroy? update? edit?].each do |action|
     define_method(action) { admin? || author? || teacher_in_study_group? }
   end
 
   def index?
-    everyone
+    show?
   end
 
   def report?
-    REPORT_RECEIVER_CONFIGURED && everyone && !author?
+    REPORT_RECEIVER_CONFIGURED && show? && !author?
   end
 end

spec/policies/comment_policy_spec.rb

@@ -13,6 +13,15 @@
         expect(described_class).to permit(build_stubbed(user_type), comment)
       end
     end
+
+    it 'does not grant access to users who have no access to the RfC' do
+      learner = build_stubbed(:learner)
+      rfc_policy = instance_double(RequestForCommentPolicy, show?: false)
+      allow(RequestForCommentPolicy).to receive(:new).with(learner, comment.request_for_comment)
+        .and_return(rfc_policy)
+
+      expect(described_class).not_to permit(learner, comment)
+    end
   end
 
   permissions :destroy?, :update?, :edit? do
@@ -61,6 +70,15 @@
       it 'does not grants access to the author' do
         expect(described_class).not_to permit(comment.user, comment)
       end
+
+      it 'does not grant access to users who have no access to the RfC' do
+        learner = build_stubbed(:learner)
+        rfc_policy = instance_double(RequestForCommentPolicy, show?: false)
+        allow(RequestForCommentPolicy).to receive(:new).with(learner, comment.request_for_comment)
+          .and_return(rfc_policy)
+
+        expect(described_class).not_to permit(learner, comment)
+      end
     end
 
     context 'when content moderation is disabled' do