Mario de la Ossa authored
When creating comments, sending different noteable IDs for target_id and note[:noteable_id] would allow you to bypass comment creation security if the user had creation permissions for target_id. The comment would be created in note[:noteable_id]. Also made it so that users cannot edit/delete their comments on a noteable that becomes unreadable to them (if it gets flagged confidential and they don't have read access, for example).
3c26c031
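
The mismatch described in the commit message, as an added Ruby sketch that is not the project's code: the permission check runs on one ID while the write uses the other, shown beside one way to close the gap. Every class, method and value here (`Noteable`, `Ability`, `STORE`, the `create_note_*` helpers, the users) is hypothetical and constructed for illustration.

```ruby
# Added illustration; all names are hypothetical, not the project's own.
Noteable = Struct.new(:id, :confidential, :members)

class Ability
  # Readable unless confidential and the user is not a member.
  def self.can_read?(user, noteable)
    !noteable.confidential || noteable.members.include?(user)
  end

  def self.can_comment?(user, noteable)
    can_read?(user, noteable)
  end
end

# Constructed sample data: one public and one confidential noteable.
STORE = {
  1 => Noteable.new(1, false, []),
  2 => Noteable.new(2, true, ["alice"])
}

# Before: authorizes target_id, but the note lands on note[:noteable_id].
def create_note_vulnerable(user, params)
  checked = STORE.fetch(params[:target_id])
  raise SecurityError, "forbidden" unless Ability.can_comment?(user, checked)
  { noteable_id: params[:note][:noteable_id], author: user, body: params[:note][:body] }
end

# After: reject mismatched IDs and write only to the object that was authorized.
def create_note_fixed(user, params)
  target_id = params[:target_id]
  nested_id = params.dig(:note, :noteable_id)
  raise ArgumentError, "noteable id mismatch" if nested_id && nested_id != target_id
  noteable = STORE.fetch(target_id)
  raise SecurityError, "forbidden" unless Ability.can_comment?(user, noteable)
  { noteable_id: noteable.id, author: user, body: params.dig(:note, :body) }
end

# Edit/delete: authorship alone is not enough; read access is re-checked
# at the time of the action, so a noteable that turns confidential locks
# out authors who can no longer read it.
def can_modify_note?(user, note)
  note[:author] == user && Ability.can_read?(user, STORE.fetch(note[:noteable_id]))
end
```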