User without Participate Everywhere can comment freely #1538

Open
cellio opened this issue Feb 24, 2025 · 1 comment
Labels
area: backend Changes to server-side code complexity: unassessed Needs further developer investigation before complexity/feasibility can be determined. priority: high type: bug Something isn't working

Comments

@cellio
Member

cellio commented Feb 24, 2025

The Participate ability allows you to comment on your own posts and answers to your own questions, but not more broadly (according to the documentation). Participate Everywhere allows commenting everywhere. However, this restriction isn't working -- a newly-created user with only Participate was able to comment on an existing comment thread, and I just tested in a dev environment and found that such a user can also create new comment threads on other users' posts. It seems we are not enforcing this restriction, and spammers are able to exploit it. (I found out it wasn't working because of a spam flag.)

@cellio cellio added area: backend Changes to server-side code type: bug Something isn't working priority: high complexity: unassessed Needs further developer investigation before complexity/feasibility can be determined. labels Feb 24, 2025
@cellio
Member Author

cellio commented Feb 27, 2025

The check appears to be done in the comment_rate_limited method in the comment controller, but the code's a little hard for me to understand. Specifically, this looks like the check:

    # Only users without the 'unrestricted' privilege (Participate Everywhere) are subject to this message
    if recent_comments.zero? && !current_user.privilege?('unrestricted')
      comment_limit_msg = 'New users can only comment on their own posts and on answers to them.'
    end

And this is where recent_comments is set:

    # Count the current user's comments from the last 24 hours, excluding comments on
    # answers to their own posts (via the parent post) and comments on their own posts
    recent_comments = Comment.where(created_at: 24.hours.ago..DateTime.now, user: current_user)
                             .where.not(post: Post.includes(:parent).where(parents_posts: { user_id: current_user.id }))
                             .where.not(post: Post.where(user_id: current_user.id))
                             .count

It looks like the query is filtering out your own posts. Yet a user without that ability is able to comment in a thread on someone else's post. This code might predate threaded comments; is that still the right query?
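The rule the documentation describes (comment on your own posts and on answers to your own questions; anything else needs Participate Everywhere, i.e. the `unrestricted` privilege) can be written as a direct authorization predicate instead of being inferred from a recent-comment count. The following is an added, self-contained sketch of that predicate and is not QPixel's code; the `Post`, `CommentThread` and `User` structs, the in-memory `POSTS`/`THREADS` tables and the `can_comment_*` function names are assumptions made for the example. It includes the threaded case from the report: a reply inside an existing thread is checked against the post the thread belongs to, so an existing thread on someone else's post does not by itself grant commenting.

```ruby
# Added example (not QPixel's code): the documented Participate /
# Participate Everywhere commenting rule as an explicit authorization check.
# All model names and sample records below are constructed for this sketch.

Post = Struct.new(:id, :user_id, :parent_id, keyword_init: true)
CommentThread = Struct.new(:id, :post_id, keyword_init: true)
User = Struct.new(:id, :privileges, keyword_init: true) do
  # Mirrors the `privilege?` call seen in the controller snippet
  def privilege?(name)
    privileges.include?(name)
  end
end

# Constructed sample data: two questions, each with one answer.
POSTS = {
  1 => Post.new(id: 1, user_id: 10, parent_id: nil), # question by user 10
  2 => Post.new(id: 2, user_id: 20, parent_id: 1),   # answer by user 20 to question 1
  3 => Post.new(id: 3, user_id: 30, parent_id: nil), # question by user 30
  4 => Post.new(id: 4, user_id: 10, parent_id: 3)    # answer by user 10 to question 3
}.freeze

THREADS = {
  100 => CommentThread.new(id: 100, post_id: 3) # existing thread on user 30's question
}.freeze

# True when `user` may comment on `post`:
#   - Participate Everywhere ('unrestricted') allows commenting anywhere,
#   - otherwise only the user's own post, or an answer to the user's own question.
def can_comment_on_post?(user, post)
  return true if user.privilege?('unrestricted')
  return true if post.user_id == user.id

  parent = post.parent_id && POSTS[post.parent_id]
  !parent.nil? && parent.user_id == user.id
end

# Starting a new thread on a post is governed by the same rule.
def can_start_thread?(user, post)
  can_comment_on_post?(user, post)
end

# Replying in an existing thread must resolve the thread back to its post and
# apply the same rule; the thread's existence alone grants nothing.
def can_reply_in_thread?(user, thread)
  can_comment_on_post?(user, POSTS.fetch(thread.post_id))
end

if __FILE__ == $PROGRAM_NAME
  restricted = User.new(id: 10, privileges: [])
  everywhere = User.new(id: 10, privileges: ['unrestricted'])
  puts "reply in thread on other's post (Participate only): #{can_reply_in_thread?(restricted, THREADS[100])}"
  puts "reply in thread on other's post (Participate Everywhere): #{can_reply_in_thread?(everywhere, THREADS[100])}"
end
```

Checking the post behind the thread is the point of the sketch: a count-based gate keyed on "how many comments on other people's posts in the last 24 hours" can pass a user who has never commented before, whereas a per-post predicate yields the same answer for a new thread and for a reply in an existing one.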
