Authorize comment #create api endpoint

Currently there is not authorization going on, in some cases
the `CommentLockingValidator` still prevents comments from being
created if permission is unsufficient in certain cases.
But some things are not handled, for example when a user is
blocked for commenting.

This should be handled on the controller level using our pundit
policy.

src/api/app/controllers/comments_controller.rb

@@ -8,7 +8,9 @@ def index
   end
 
   def create
-    @obj.comments.create!(body: request.raw_post, user: User.session!, parent_id: params[:parent_id])
+    comment = @obj.comments.new(body: request.raw_post, user: User.session!, parent_id: params[:parent_id])
+    authorize comment, :create?
+    comment.save!
     render_ok
   end