[Comments] Prevent hidden comment leak in API

app/controllers/comments_controller.rb

@@ -54,6 +54,7 @@ class CommentsController < ApplicationController
 
   def show
     @comment = Comment.find(params[:id])
+    check_visible(@comment)
     @comment_votes = CommentVote.for_comments_and_user([@comment.id], CurrentUser.id)
     respond_with(@comment)
   end
@@ -105,6 +106,12 @@ private
     end
   end
 
+  def check_visible(comment)
+    if !comment.visible_to?(CurrentUser.user)
+      raise User::PrivilegeError
+    end
+  end
+
   def comment_params(context)
     permitted_params = %i[body post_id]
     permitted_params += %i[do_not_bump_post] if context == :create