Ensure that users can bypass the visibility by providing a clean method

opentech/apply/activity/forms.py

@@ -16,8 +16,15 @@ class CommentForm(forms.ModelForm):
 
     def __init__(self, *args, user=None, **kwargs):
         super().__init__(*args, **kwargs)
+        self.allowed_visibility = self._meta.model.visibility_for(user)
         self.visibility_choices = self._meta.model.visibility_choices_for(user)
         if len(self.visibility_choices) > 1:
             self.fields['visibility'].choices = self.visibility_choices
         else:
             self.fields['visibility'].widget = forms.HiddenInput()
+
+    def clean_visibility(self):
+        choice = self.cleaned_data['visibility']
+        if choice not in self.allowed_visibility:
+            raise ValidationError('You do not have permission for that visibility.')
+        return choice