Security fixes 9/7 '18
I made two security fixes just now:
1. Previously, if you knew the id of a post and were a mutual follower of the poster, you could comment on it, even if you did not have the keys to the post. Note that this did not mean you could see the post. However, see below.
2. If you had commented on a post, you would continue to receive notifications of later comments on that post, even if your own access to it had been revoked. Notifications contain roughly 100 characters or so of each comment.
Both issues have been fixed. I apologize for these mistakes in my code.
At no point was it possible to read an actual post you should not have been able to read. But, security issues are never good.
Many thanks to the user who brought issue #2 to my attention, which led me to discover issue #1.
Edited to add: notifications already in the system are still there. I will be working to purge those, and also to purge notifications as needed whenever the privacy settings of a post change. Of course an email sent is an email sent, but I should do what I can do.