The ability to post comments depends on several factors:

- comments_pagespec controls whether comments on a particular page will be displayed
- comments_closed_pagespec controls whether comments on a particular page are allowed
- the check_canedit call controls whether comments are allowed for a particular combination of page and user

If check_canedit says that a user can post a comment
(in particular, if opendiscussion is enabled or
lockedit is disabled or permissive),
and comments_closed_pagespec does not contradict it,
then users who construct a do=comment CGI URL manually
can post comments that will not be displayed. I don't think
this is a security flaw as such, which is why I'm not
reporting it privately, but it violates least-astonishment.

My ready/comments branch fixes this, by changing the test
at submission time from (pseudocode)

    !comments_closed_pagespec && check_canedit

to

    comments_pagespec && !comments_closed_pagespec && check_canedit

--smcv
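
The gap between the submission-time and display-time checks described in the report above, modelled as an added example (this is not ikiwiki code and not code from the ready/comments branch). PageSpec matching is approximated with shell-style globs, and the settings, pages, users and canedit callbacks are constructed for illustration.

```python
from fnmatch import fnmatchcase
from itertools import product

def matches(page, spec):
    # Simplified stand-in for PageSpec matching (assumption): one glob,
    # and an empty spec matches nothing.
    return bool(spec) and fnmatchcase(page, spec)

def displayed(page, cfg):
    # Display-time gate: comments are rendered only where comments_pagespec matches.
    return matches(page, cfg["comments_pagespec"])

def old_submit_ok(page, user, cfg, canedit):
    # Submission-time test before the fix:
    #   !comments_closed_pagespec && check_canedit
    return (not matches(page, cfg["comments_closed_pagespec"])
            and canedit(page, user))

def new_submit_ok(page, user, cfg, canedit):
    # Submission-time test after the fix:
    #   comments_pagespec && !comments_closed_pagespec && check_canedit
    return displayed(page, cfg) and old_submit_ok(page, user, cfg, canedit)

def accepted_but_hidden(submit_ok, pages, users, cfg, canedit):
    # (page, user) pairs whose comment would be stored yet never shown.
    return [(p, u) for p, u in product(pages, users)
            if submit_ok(p, u, cfg, canedit) and not displayed(p, cfg)]

# Constructed sample configuration, pages and users.
CFG = {"comments_pagespec": "blog/*",
       "comments_closed_pagespec": "blog/archive/*"}
PAGES = ["blog/hello", "blog/archive/2009", "docs/setup", "index"]
USERS = ["anonymous", "alice"]

def canedit_open(page, user):
    # Models opendiscussion enabled, or lockedit disabled or permissive.
    return True

def canedit_signed_in(page, user):
    # Models a stricter policy: only signed-in users may edit.
    return user != "anonymous"

if __name__ == "__main__":
    for gate in (old_submit_ok, new_submit_ok):
        for policy in (canedit_open, canedit_signed_in):
            gap = accepted_but_hidden(gate, PAGES, USERS, CFG, policy)
            print(f"{gate.__name__:14} {policy.__name__:18} {gap}")
```
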